Skip to main content

Secrets, Security, and Permissions

Secrets are credentials saved to Device42. Permissions can be assigned to each Secret for specific Users, Admin Groups, or both.

Navigate to the Secrets list page from Resources > Secrets > All Secrets.

All Secrets list page locationAll Secrets list page location

Global Permissions

Navigate to Tools > Admin Groups, where you can grant Admin Groups global permissions to add, view, change, or delete Secrets. This controls whether users will be able to add new Secrets, view Secrets in the list page, or access the edit and delete buttons. Permissions are controlled granularly for individual Secrets (see below).

Note that you can't assign global permissions directly to a User (Administrator), you'll need to add them to an Admin Group.

Admin Group permissionsAdmin Group permissions

The following Admin Group permissions are available:

  • Add permission allows users to create new Secrets.

  • View / Change permission is needed to view the Secret in the menu, but the permission is controlled granularly for each Secret. So, you can globally assign the view/change permission to a group, but it would not give that group permission to edit specific Secrets. It would only enable the group to see the Secret.

  • Delete permission is required to see the delete button, but individual permission to delete a Secret is controlled by permissions granted on that Secret. If a user can change a Secret, they can also delete that Secret.

Permissions for Individual Secrets

When you add or edit a Secret (under Resources > All Secrets), you can set permissions to view, use, or edit individual Secrets by creating or editing a Secret.

Each permission can be applied to two user categories - individual Users and Admin Groups - for a total of six options:

  • View Users: Users who can view the Secret.

    View User PermissionView User Permission

  • View Groups: Admin Groups who can view the Secret.

    View Group PermissionView Group Permission

  • Use Only Users: Users who can only use the Secret.

  • Use Only Groups: Admin Groups who can only use the Secret.

  • View edit users: Users who can view and change the Secret.

  • View edit groups: Admin Groups who can view and change the Secret.

At least one User or Admin Group should have permission to edit a Secret. Otherwise, a password might become inaccessible.

If no permissions are entered, the User who created the Secret will have view/edit permission by default.

Bulk Permissions Change

  • From the Secrets list page, you can edit the group permissions of many Secrets at once by selecting Change group permissions for selected passwords from the Actions dropdown menu.
Secrets action menuSecrets action menu

  • Use the checkboxes to clear the existing group permissions for viewing and editing Secrets.

    Remove current settingsRemove current settings

  • Select new permission groups using the dropdown menu.

    Change group permissionsChange group permissions

Secret Storage Details

  • Secrets are stored using AES-256-bit encryption.
  • Encryption is gated on a passphrase set up by the user. You need to securely record the passphrase in case you need to restore the backup.
  • Secrets are stored in the database in an encrypted state and go to the backup file in that state. The backup file is also encrypted by a user-entered passphrase. Neither of these passphrases is included in the backup.
  • All change, add, delete, and view operations are logged in an audit trail.
  • After one minute of inactivity on a password page, the session will timeout.
  • A global timeout value controls the overall timeout for any session and is set in the Appliance Manager.
  • Secrets aren't displayed in the Secret list page by default. Click on the eye icon next to the Secret to display it.

See our Centralized Password Management blog post for more details.