Overview
In Secret Server, a secret is the set of information used to authenticate an identity to a system, application, or network: typically a username or user ID together with a password or another authentication factor such as a security token or fingerprint. A secret can also hold other protected information, such as financial account numbers or confidential files. The most common example is the username and password used to log in to a website or a computer.
Secret Server provides users with multiple ways to create, modify, and share secrets created in the system. This guide will demonstrate these basic abilities.
Creating A Secret
A common way to create a secret is to click the Create Secret button on the right-hand side of the page. This opens a menu for selecting the folder in which to place the secret and the template to use. Selecting certain folders limits the templates that are available.
After the template is selected, the view changes to a set of text boxes where the secret's fields are entered. If the template contains a Password field, a Generate button next to the text box produces a random password that satisfies the template's password requirements.
Things to note:
- Secret names should be unique. Duplicate names are allowed but not recommended, because they cause confusion when selecting a secret to use.
- Fields that contain an asterisk (*) are required fields. They cannot be left blank. Required fields may change depending on the secret template that is used.
- Auto Change Enabled activates Remote Password Changing, which automatically resets the password when the secret passes its expiration date. Under most circumstances this option should be left OFF: once it is on, Secret Server changes the credential on the remote system itself, so anything that still holds the old password (scripts, services, other users) stops authenticating until it is updated.
Typing in the password field brings up the password requirements for that template, and a checkmark appears for each requirement that is satisfied. The colored bar below the text box shows the password's security score, an estimate of how resistant the password is to brute-force guessing.
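As an added example (not code from Secret Server or its documentation), the following Python models what the Generate button and the requirement checkmarks do. A hypothetical `PasswordRequirements` structure stands in for a template's configured rules, `generate_password` draws a compliant password from the operating system's CSPRNG, `check_requirements` reports which rules a candidate satisfies, and `brute_force_bits` gives the kind of keyspace estimate a strength bar can be based on. The names, the default requirement set, and the symbol list are assumptions for illustration only.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordRequirements:
    """Hypothetical stand-in for a template's password requirements.
    (Constructed for this example; real templates are configured in Secret Server.)"""
    min_length: int = 12
    max_length: int = 64
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!@#$%^&*()-_=+[]{};:,.<>?"

    def alphabet(self) -> str:
        return string.ascii_letters + string.digits + self.symbols


def check_requirements(password: str, req: PasswordRequirements) -> dict:
    """Map each requirement to True/False, like the checkmarks shown next to the field."""
    def count(chars: str) -> int:
        return sum(c in chars for c in password)

    return {
        "length": req.min_length <= len(password) <= req.max_length,
        "uppercase": count(string.ascii_uppercase) >= req.min_upper,
        "lowercase": count(string.ascii_lowercase) >= req.min_lower,
        "digits": count(string.digits) >= req.min_digits,
        "symbols": count(req.symbols) >= req.min_symbols,
        "allowed_chars": all(c in req.alphabet() for c in password),
    }


def meets_requirements(password: str, req: PasswordRequirements) -> bool:
    return all(check_requirements(password, req).values())


def generate_password(req: PasswordRequirements, length: Optional[int] = None) -> str:
    """Generate a password that satisfies `req`.

    Uses the `secrets` module (OS CSPRNG), never `random`. The required number of
    characters from each class is drawn first, so compliance is guaranteed rather
    than retried; the remaining positions come from the full alphabet; the list is
    then shuffled with a CSPRNG-driven Fisher-Yates so a character's class cannot
    be inferred from its position.
    """
    length = req.min_length if length is None else length
    required = [
        (string.ascii_uppercase, req.min_upper),
        (string.ascii_lowercase, req.min_lower),
        (string.digits, req.min_digits),
        (req.symbols, req.min_symbols),
    ]
    if not req.min_length <= length <= req.max_length:
        raise ValueError("length outside the template's allowed range")
    if sum(n for _, n in required) > length:
        raise ValueError("length too short to satisfy every class requirement")
    chars = [secrets.choice(cls) for cls, n in required for _ in range(n)]
    chars += [secrets.choice(req.alphabet()) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates with a CSPRNG index
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def brute_force_bits(password: str, req: PasswordRequirements) -> float:
    """Rough strength estimate: log2 of the keyspace an attacker must search if
    they know which character classes are present (length * log2(pool size)).
    This is an upper bound for random passwords and gives no credit for avoiding
    dictionary words, which is why a human-chosen password can score well here
    and still fall quickly to a wordlist attack.
    """
    pool = 0
    for cls in (string.ascii_uppercase, string.ascii_lowercase, string.digits, req.symbols):
        if any(c in cls for c in password):
            pool += len(cls)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    req = PasswordRequirements()
    pw = generate_password(req, 20)
    print(pw, check_requirements(pw, req), round(brute_force_bits(pw, req), 1))
```

The point of drawing the required classes first and then shuffling is that a naive "generate, then reject until compliant" loop wastes CSPRNG output and, if the rejection test is buggy, can silently emit a non-compliant password; the guaranteed construction plus the final `meets_requirements` check is the safer pattern for any password generator that has to honour a policy.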
Editing A Secret
The fields of a secret are edited from that secret's page.
- The person icon displays a tooltip with the value spelled out in the NATO phonetic alphabet. For the password field this is available only after the password has been revealed on that screen.
- The clock icon will display a recent history of that field's value.
- The overlapping squares icon will copy that row's value to the clipboard, allowing for quick copying & pasting of secret values.
- The pencil icon on the right-side of the field's row will edit that row.
If a user does not have access to view the secret in plain text (indicated by the eyeball icon next to the hidden password field), the user will not be able to perform a copy of the password value or view the phonetic spelling.
From the secret details view, the Options button on the upper right-side will display additional commands that can be performed on a secret. These include:
- Expire: A secret's password field typically carries a 365-day expiration timer. When the timer reaches zero, a secret with Remote Password Changing automatically generates a new password, and a secret without it is reported as expired. Expire sets the timer to zero immediately and triggers those events.
- Duplicate: Creates a new secret populated with the field values of the current item.
- Deactivate: Removes all sharing permissions on the secret and hides it from view.
- Launch: Runs the available application launchers or opens the URLs associated with the secret.
- Heartbeat (if applicable): Performs a heartbeat check with the secret's credentials, authenticating against the associated host to verify that the credential is still usable.
- Change Password Now (if applicable): Triggers Remote Password Changing immediately, generating a new password for the secret and resetting the expiration timer to its maximum value.
Once a secret has been deactivated, it is unusable by all parties, including any dependencies attached to it. Users with the Team Administrator role can view deactivated secrets and re-activate those in their team's shared folders.
Warning:
Users may have permission to deactivate certain secrets without having permission to view or reactivate them once deactivated. Before deactivating a secret, confirm that an Owner or Team Administrator who can restore it exists.
Sharing A Secret
Secrets in a Shared folder are shared by default with every user who has access to that folder. Users with Owner permission on a secret can change who has access to it and at what level, including for secrets located in a Personal folder.
- Enter the Sharing tab on a specific secret
- Select the downward arrow next to the Edit button
- Click Add. This will display a list of users who do not have the secret assigned to them.
- Enter a username into the search box on the top-left of the user list
- Click the checkbox on the desired user
- Select the appropriate role for the user to have on that secret
- Click Save.
The desired user will have the secret made available to them in their "Shared With Me" folder.
Revoking access follows the same steps: open the Sharing tab, click Edit, remove the user or group from the list, and click Save. Removal takes effect immediately for that secret, but it does not undo any password value the user has already revealed or copied; if the credential may have been exposed, change the password as well.
Secret Permissions
There are four permission levels when sharing secrets with another user or group:
- Owner: User may change all attributes of a secret, may move the secret to another folder without the Inherit Permissions rule being enforced, and may re-activate a deactivated secret.
- Edit: User may edit the secret's data and may move the secret to another folder unless Inherit Permissions from Folder is turned on, in which case Owner permission is required to move it.
- View: User may see all secret data, such as the username and password, and metadata such as permissions, auditing, history, and security settings.
- List: User may see the secret in a list, such as search results, but may not view any further details or edit it.
Additional information can be found on the Secret Server Documentation website.