SECRET SERVER FEATURE: Access Control
Gain control over web apps and cloud management platforms
Overview of Access Control:
Virtually all compliance mandates and security best practice frameworks require some form of role-based access control (RBAC). Access control provides a mechanism for system administrators to manage user roles and permissions efficiently and sustainably. Policies set rules which apply to all users, so you don’t need to make on-the-fly decisions about who should be able to access what, why, and how.
Access Control and Least Privilege
Access control makes it possible to implement and manage a least privilege policy in which users have only the access they require to get their jobs done. When systematically applied, controls reduce the risk that a user will be granted too much access. For example, administrators can ensure that users can’t accidentally or intentionally change administrative settings they shouldn’t have rights to. Just as important as implementing least privilege is maintaining appropriate access over time, and effectively avoiding privilege creep whereby a user retains access to resources they no longer require.
Access Control and Separation of Duties
There are two main types of separation of duty (SoD) policies: static (SSoD) and dynamic (DSoD). Mutually exclusive role constraints are used to enforce static separation of duty policies, while dynamic separation of duty policies are intended to limit the permissions that are available to a user.
Access Control and Active Directory
Implementing access control via a hub and spoke model, in which Active Directory is the hub, allows for a unified view and centralized, consistent control. For organizations already managing permissions via Active Directory (AD), user groups often map naturally to user roles.
Role-Based Access Control (RBAC)
Role-Based Access Control for Active Directory (RBAC AD) allows IT admins to control what users can do within Secret Server on an individual or group basis. RBAC simplifies common IT admin tasks like onboarding a new user, moving someone to a different department or division, or, most importantly, off-boarding a user. You can quickly modify permissions in bulk – for all users with a particular role – to grant them additional access, adjust their permissions as resources are added or retired, or lock down their permissions, which is especially important in the event of a breach. Users themselves are never directly given a permission. Permissions come only as part of a role. This prevents permission creep.
Secret Server ships with out-of-the-box roles that cover common configurations and get you going quickly. Each user and group is assigned to one or more roles that define what they can do in the system. If an out-of-the-box role doesn’t suit you, it can be modified, or you can simply create a new one to correspond to your organization’s structure.
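The separation-of-duty constraints and the role-only permission model described above can be sketched in a few lines. This is an added example of a generic RBAC model, not Secret Server code or its API; the role names, permission strings and constraint sets are constructed, and DSoD is modeled the way the standard RBAC model does it, as a limit on which assigned roles may be active in one session.

```python
# Added illustration of a generic RBAC model; all names here are constructed.
ROLE_PERMS = {
    "secret_owner": {"secret.view", "secret.edit"},
    "access_approver": {"request.approve"},
    "auditor": {"audit.read"},
    "vault_admin": {"config.edit", "role.assign"},
}
# SSoD: roles that may never be assigned to the same user.
SSOD = [{"vault_admin", "auditor"}]
# DSoD: roles a user may hold together but not activate in one session.
DSOD = [{"secret_owner", "access_approver"}]

class PolicyError(Exception):
    """Raised when an assignment or activation breaks a constraint."""

def _violates(roles, constraints):
    """Return the first constraint set with two or more members in roles."""
    for c in constraints:
        if len(c & roles) >= 2:
            return c
    return None

class Rbac:
    def __init__(self):
        self.assigned = {}  # user -> set of role names

    def assign(self, user, role):
        if role not in ROLE_PERMS:
            raise PolicyError(f"unknown role {role}")
        new = self.assigned.get(user, set()) | {role}
        hit = _violates(new, SSOD)
        if hit:  # rejected at assignment time, before any access exists
            raise PolicyError(f"SSoD: {sorted(hit)} are mutually exclusive")
        self.assigned[user] = new

    def revoke(self, user, role):
        self.assigned.get(user, set()).discard(role)

    def open_session(self, user, activate):
        activate = set(activate)
        missing = activate - self.assigned.get(user, set())
        if missing:
            raise PolicyError(f"not assigned: {sorted(missing)}")
        hit = _violates(activate, DSOD)
        if hit:  # both roles are held, but not usable at the same time
            raise PolicyError(f"DSoD: {sorted(hit)} cannot be active together")
        # Permissions are always derived from roles, never stored per user.
        return set().union(*(ROLE_PERMS[r] for r in activate))
```

Because permissions are computed from the active roles on every session, revoking a role removes its permissions immediately and leaves nothing behind on the user record.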
Web Password Filler
Users often have many different logins to sites for software downloads, support, or hosted environment consoles. They are often tempted to store passwords in browsers for web applications or tools with web interfaces, which increases the risk of password theft. Web Password Filler allows users to log into a website automatically without relying on browser-stored passwords.
RDP / PuTTY support
Delinea Secret Server provides a proxy capability that can ensure the only way to access your Windows servers is via the secure vault. The RDP proxying feature allows RDP connections, established using a launcher, to be routed through Secret Server. Direct access can be prevented at your firewall level, which forces administrators to use Delinea Secret Server to store their domain admin credentials and use the proxy to access servers.
The RDP proxy can be used in conjunction with session recording and monitoring to provide a full audit log of all activities related to the target server.
With Secret Server, privileged users can access the accounts and systems they need without ever seeing a password because credentials are automatically injected. Users don’t have to remember complex passwords, and they avoid the temptation to write them down or share them.
Remote Access Service
Remote Access Service extends the capabilities of Delinea Secret Server to enable secure remote access with the simplicity of a web browser.
With Remote Access Service, third parties can establish secure connections to servers via RDP and SSH for troubleshooting and development. Remote IT users can maintain privileged access to applications when working from home.