Body
Overview
In the context of Secret Server, a Secret is a set of information that is used to authenticate an individual's identity when accessing a system, application, or network. This information typically includes a username or user ID, as well as a password or other form of authentication such as a fingerprint or security token. Secrets can also be protected items of information like financial account numbers or confidential files. The most common example of a secret is a username and password used to log into a website or a computer.
Secret Server provides users with multiple ways to create, modify, and share secrets created in the system. This guide will demonstrate these basic abilities.
In This Article:
Creating A Secret
Back to Top
A common way to create a secret is by clicking on the Create Secret button on the right-hand side of the page. This will bring up a menu for selecting the folder to place the secret and the template to use. Selecting certain folders will limit the available templates that can be used.
After the template is selected, the view will change to several text boxes where the secret's information can be entered. If the secret contains a Password field, a Generate button is presented next to the text box to automatically generate a password that abides by the template's password requirements.
Things to note:
- Secret names should be unique. Duplicate names can be used, but are not recommended as that may cause confusion when selecting a secret to use.
- Fields that contain an asterisk (*) are required fields. They cannot be left blank. Required fields may change depending on the secret template that is used.
- Auto Change Enabled will activate Remote Password Changing, which automatically resets a password when it has passed an expiration date.
- Under most circumstances, this option should be left OFF.
Entering text into the password field will automatically bring up the password requirements for that template. A checkmark will appear for each requirement that is satisfied. The colored bar below the text box indicates the password's security score, a measure of how resilient the password may be against a brute-force attack.
Editing A Secret
Back to Top
Fields of a secret can be edited from the specific secret's page.
- The person icon will display a tooltip of that value's phonetic spelling, in accordance to the NATO phonetic alphabet. This is available for the password field, but only if the password field has already been revealed to the user on that screen.
- The clock icon will display a recent history of that field's value.
- The overlapping squares icon will copy that row's value to the clipboard, allowing for quick copying & pasting of secret values.
- The pencil icon on the right-side of the field's row will edit that row.
If a user does not have access to view the secret in plain text (indicated by the eyeball icon next to the hidden password field), the user will not be able to perform a copy of the password value or view the phonetic spelling.
From the secret details view, the Options button on the upper right-side will display additional commands that can be performed on a secret. These include:
- Expire: A secret will typically have a 365-day timer for the password field. When this timer reaches zero, secrets with Remote Password Changing will automatically generate a new password, and secrets without this feature will report as "expired". The Expire Password button immediately brings the secret's timer to zero and triggers these events to take place.
- Duplicate: Creates a new secret using the field values populated in the current item.
- Deactivate: Removes all sharing permissions on the secret and hides it from view.
- Launch: Runs available application launchers or opens URLs associated with the secret.
- Heartbeat: Performs a "heartbeat" check using the secret's credentials. This authenticates the secret against any associated hosts to verify if the secret is usable. (if applicable)
- Change Password Now: Triggers the Remote Password Changing feature, generating a new password for the secret and resetting the password expiration timer to the maximum value. (if applicable)
If a secret has been deactivated, it will be unusable by all parties, including any attached dependencies. Users with the Team Administrator role can view deactivated secrets and can re-activate secrets that are in their team's shared folders.
Warning:
Users may have permission to deactivate certain secrets, but may not have permission to view/reactivate them once deactivated.
Sharing A Secret
Back to Top
Secrets contained within a Shared folder will be shared to all users who have access to that folder by default. Users that have Owner permissions on a secret are able to modify who has access to that secret and what level of access that person has. This includes secrets located within a Personal folder.
- Enter the Sharing tab on a specific secret
- Select the downward arrow next to the Edit button
- Click Add. This will display a list of users who do not have the secret assigned to them.
- Enter a username into the search box on the top-left of the user list
- Click the checkbox on the desired user
- Select the appropriate role for the user to have on that secret
- Click Save.
The desired user will have the secret made available to them in their "Shared With Me" folder.
Revoking access to a secret is the same process as sharing the secret, but in reverse.
Secret Permissions
There are four permission levels when sharing secrets with another user or group:
- Owner: User may change all attributes of a secret. Allows users to move the secret to another folder without enforcing the "Inherit Permissions" rule. Deactivated secrets can be re-activated.
- Edit: User may edit the secret data. Also allows users to move the secret to another folder unless the Inherit Permissions from Folder setting is turned on, in which case the user needs Owner permissions to move the secret.
- View: User may see all secret data, such as username and password, and metadata, such as permissions, auditing, history, and security settings.
- List: User may see the secret in a list, such as a list returned by running a search, but not to view any more details about a secret or edit it.
Additional information can be found on the Secret Server Documentation website.