TITLE
Secret Server: Folder Permissions
URL NAME
Folder-Permissions
ARTICLE
Folder Structure
Using Folders to Control Access (Inherit Permission)
You can apply permissions (View / Edit / Owner) at the Secret level. This allows you to apply very granular permissions on a single Secret if needed. Managing permissions on each Secret is powerful for situations where you need that flexibility, but it tends to be harder to manage over hundreds or thousands of Secrets. Instead, you should consider using Folders to control permissions for most Secrets. This can be done by creating a folder structure that best represents your organization, teams or data being stored; then apply permissions (View / Edit / Owner) on the folders, using inheritance across folders where appropriate. Secrets placed in a folder can then inherit the permissions of the folder.
Deciding on Your Folder Structure
The folder structure creates a hierarchy for both organization and permissions. This means that folders near the root level should break out access in high-level terms, with permissions becoming more specific (typically by breaking inheritance) as you move down to the "leaf-level" sub-folders.
For example:
- Information Technology
  - Technical Services
    - Systems
      - Windows
      - UNIX
      - Network Infrastructure
    - Database
      - Oracle
      - SQL Server
  - Development Services
    - Programmers
    - Vendors
- Human Resources
- Customers
An Oracle DBA might have the following permissions on the above folders:
- Information Technology (VIEW)
  - Technical Services (VIEW)
    - Database (VIEW)
      - Oracle (VIEW / EDIT / OWNER)
      - SQL Server (VIEW / EDIT)
There are settings under ADMIN > Configuration > Folders to control whether inheritance on folders and Secrets should be turned on and also whether users should always see all folders. There are many ways to configure this for your organization. The most common approach is:
- Use inheritance
- Don’t allow users to see folders unless they explicitly have View permissions
- Require all Secrets to have a Folder
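The following is an added model of how the folder hierarchy, inheritance, broken inheritance and the "only see folders you can View" setting combine to give the Oracle DBA the effective access listed above. It is illustration code, not Secret Server's own code or API; the principal name "oracle-dba" and the choice of which folders break inheritance are assumptions made so the result matches the article's example.

```python
# Added model of the inheritance rules the article describes; not Secret Server
# code or its API. The "oracle-dba" principal and inherit flags are constructed.
from dataclasses import dataclass, field
VIEW, EDIT, OWNER = "VIEW", "EDIT", "OWNER"

@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    inherit: bool = True                         # take the parent's permissions
    acl: dict = field(default_factory=dict)      # principal -> set of permissions
    children: list = field(default_factory=list)

    def add(self, name, inherit=True, acl=None) -> "Folder":
        child = Folder(name, self, inherit, dict(acl or {}))
        self.children.append(child)
        return child

    def effective(self, principal) -> set:
        # Inheriting: exactly the parent's effective set. Broken: own ACL only.
        if self.inherit and self.parent is not None:
            return self.parent.effective(principal)
        return set(self.acl.get(principal, ()))

    def walk(self):
        for c in self.children:
            yield c
            yield from c.walk()

def build_example_tree(dba="oracle-dba") -> Folder:
    """The article's hierarchy; inherit=False marks folders that break
    inheritance, chosen so the DBA's access matches the article's example."""
    root = Folder("", inherit=False)                      # tree root, no grants
    it = root.add("Information Technology", inherit=False, acl={dba: {VIEW}})
    ts = it.add("Technical Services")                     # inherits VIEW
    systems = ts.add("Systems", inherit=False)            # no entry for the DBA
    for n in ("Windows", "UNIX", "Network Infrastructure"):
        systems.add(n)                                    # inherits nothing
    db = ts.add("Database")                               # inherits VIEW
    db.add("Oracle", inherit=False, acl={dba: {VIEW, EDIT, OWNER}})
    db.add("SQL Server", inherit=False, acl={dba: {VIEW, EDIT}})
    dev = it.add("Development Services", inherit=False)
    dev.add("Programmers"); dev.add("Vendors")
    root.add("Human Resources"); root.add("Customers")
    return root

def visible_folders(root, principal) -> list:
    """With 'always see all folders' off, only folders granting VIEW are listed."""
    return sorted(f.name for f in root.walk() if VIEW in f.effective(principal))
```

A Secret stored in any of these folders carries that folder's effective set, which is why the "require all Secrets to have a Folder" setting keeps permissions reviewable in one place.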