The Lockdown

Thycotic’s Cyber Security Blog

Customizing Roles For Your Company

Written by Thycotic Team

May 10th, 2013

Updated August 2020

This blog post was originally written in 2013. For the most up-to-date information on Secret Server’s Role Customization capabilities, please visit:

Secret Server Features Page: Our features are among the reasons so many IT Admins and IT Security pros consider Secret Server the best Privileged Access Management software in the market. Find information on the key features available in each version of Secret Server.

Getting Started Tutorial: Secret Server is a powerful solution with many facets. As such, we have created this guide, which is an introductory tutorial for new users. The tutorial suggests an order to learn topics and points to specific sections for more detail. This tutorial is oriented toward system administrators and other technical professionals. We recommend that non-technical users start with our End User Guide (link above).

Secret Server uses Roles and Permissions to control access to various capabilities within the system.

How to set up customized roles and permissions to meet your company’s security policy

Roles in Secret Server control what a user is allowed to do in the tool. Secret Server ships with three default Roles:
1. Administrator, which has the ability to perform any task.
2. User, which allows basic functions such as creating, editing and viewing Secrets.
3. Read Only User, which only allows a user to view Secrets and Audit Reports without edit capabilities.
Although Secret Server can be used right out of the box with these default Roles, each company should personalize the Roles to fit individual company needs.
The default Roles can be edited and new Roles can also be created. For example, administration tasks can be delegated to different Administrators without giving them full control of the system (for example: Backup Administrator, Secret Template Administrator, Role Administrator and so on). An Auditor Role can also be created to give a user limited access to the system – such as to view Reports and to check compliance settings without having access to sensitive information.

[Screenshot: Auditor Role]

How to set up permissions to control access to Secrets and Folders

Now that we’ve covered setting custom Roles inside of Secret Server, let’s discuss the three ways to set Permissions on Secrets within Secret Server.

Roles give a user the ability to perform actions inside Secret Server, whereas Permissions dictate the level of control a user has within Secret Server. There are three Permissions within Secret Server:

  1. View, which allows a user to see a Secret/Folder.
  2. Edit, which allows a user to change Secret/Folder information.
  3. Owner, the highest level of control which grants a user the ability to change advanced security settings for a Secret/Folder.

Permissions can be bulk-assigned by Folder. By default, Secrets inherit the Permissions of the Folder in which they are created. This setup requires two steps. First, create a folder structure that is separated by Permission level. Typically, this would follow your company’s team structure. For example, you could configure folders in the hierarchy:

  • IT Management Team
    • Server Admins
      • Server Admins
  • Finance Management Team
    • Staff Accountants
      • Book Keepers

Second, assign Permissions to each Folder based on the users that need access to that information. Now, when a Secret is created inside a Folder, it will automatically be assigned the Permissions of that Folder.

Permissions can be individually assigned to specific Secrets. When setting up Permissions in this way, Folders are used primarily as an organizational tool and are typically named in a much more general manner, such as:

  • Servers
    • Windows Servers
    • LINUX / UNIX
    • Apache
  • Databases
    • MS SQL
    • MySQL
    • Oracle

When assigning Permissions to individual Secrets, the Secret will not inherit Folder Permissions and can be placed in a Folder alongside Secrets that have different levels of Permissions. To ensure Secrets do not inherit Permissions from the Folder, update your product settings by going to Administration > Configuration and setting the Default Secret Permissions to “Only Creator Has Permissions to New Secrets”.

Permissions can be bulk AND individually assigned. It is also possible to set up Secret Permissions through a combination of the two options above. In this case, you would use the Folder to push Permissions to Secrets through inheritance when a Secret is created. Once this is complete, Secrets do not have to stay within that Folder. Inheritance can be turned off for individual Secrets afterward to allow assignment of custom Permissions.
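The following is an added model, not Secret Server code, of how the Roles from the first section and the three Permission levels from this section combine: a Role must grant the action, and the View/Edit/Owner level on the specific Secret (inherited from its Folder, set by "Only Creator Has Permissions to New Secrets", or assigned after inheritance is turned off) must be high enough. The Role action names and user names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Permission levels on a Secret or Folder, lowest to highest.
LEVELS = {"View": 1, "Edit": 2, "Owner": 3}

# Hypothetical Role definitions; the action names are assumptions,
# not Secret Server's own role permission names.
ROLES = {
    "Administrator": {"view_secrets", "edit_secrets", "manage_security", "view_reports", "manage_roles"},
    "User": {"view_secrets", "edit_secrets"},
    "Read Only User": {"view_secrets", "view_reports"},
    "Auditor": {"view_reports"},  # delegated Role with no Secret access
}
# Minimum Permission level a Secret-level action needs.
REQUIRED_LEVEL = {"view_secrets": "View", "edit_secrets": "Edit", "manage_security": "Owner"}

@dataclass
class Folder:
    name: str
    permissions: Dict[str, str] = field(default_factory=dict)  # user -> level

@dataclass
class Secret:
    name: str
    folder: Optional[Folder]
    inherit: bool = True
    permissions: Dict[str, str] = field(default_factory=dict)  # used when inherit is False

def create_secret(name, creator, folder, only_creator=False):
    """Create a Secret under either Default Secret Permissions setting."""
    if only_creator:  # "Only Creator Has Permissions to New Secrets"
        return Secret(name, folder, inherit=False, permissions={creator: "Owner"})
    return Secret(name, folder)  # inherits the Folder's Permissions

def break_inheritance(secret, custom):
    """Turn inheritance off for one Secret and assign custom Permissions."""
    secret.inherit, secret.permissions = False, dict(custom)

def effective_level(secret, user):
    """Numeric Permission level the user holds on the Secret (0 = none)."""
    source = secret.folder.permissions if secret.inherit and secret.folder else secret.permissions
    return LEVELS.get(source.get(user, ""), 0)

def can(user, role, action, secret=None):
    """The Role must grant the action; the Permission gates it per Secret."""
    if action not in ROLES[role]:
        return False
    if action in REQUIRED_LEVEL:
        return secret is not None and effective_level(secret, user) >= LEVELS[REQUIRED_LEVEL[action]]
    return True
```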
