# Delinea

SureCloud connects to Delinea Secret Server (formerly Thycotic) to retrieve secret vault inventory, privileged account access records, access policy configuration, and session monitoring data. This allows SureCloud to verify that privileged credentials are stored and governed through Delinea's vaulting controls, and that access to secrets is being logged and monitored.

## Authentication and setup

Delinea Secret Server issues API tokens through OAuth 2.0: the client POSTs the service account's username and password to the token endpoint (password grant) and presents the returned access token in an `Authorization: Bearer` header on every subsequent request. SureCloud uses a dedicated service account with read-only access. Because the password itself is sent to the token endpoint, the Secret Server URL must be HTTPS.

{% stepper %}
{% step %}

### Create a read-only service account

Log in to Delinea Secret Server. Navigate to **Admin → Users** and create a new local user (e.g. `surecloud-api`). Assign the **Auditor** role, which provides read access to secrets metadata, folders, and audit logs without the ability to view secret values.
{% endstep %}

{% step %}

### Enable API access for the account

Navigate to **Admin → Configuration → Application Settings** and confirm the REST API is enabled. Ensure the `surecloud-api` account is permitted to authenticate via the API (not restricted by IP or authentication policy in a way that blocks API access).
{% endstep %}

{% step %}

### Enter the credentials in SureCloud

Navigate to **SureCloud → Integrations → Delinea → Connect**. Enter your Secret Server URL (e.g. `https://secretserver.yourcompany.com/SecretServer`), the service account username, and the password. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
SureCloud stores the service account password encrypted at rest. Rotate it every 90 days in Secret Server under **Admin → Users → surecloud-api** and update it in **SureCloud → Integrations → Delinea → Edit Connection**.
{% endhint %}

## Endpoints

| API Call              | Use Case                                                                       |
| --------------------- | ------------------------------------------------------------------------------ |
| `POST /oauth2/token`  | Authenticate and obtain a bearer token                                         |
| `GET /api/v1/secrets` | Enumerate secret records including folder, template type, and last access date |
| `GET /api/v1/folders` | Retrieve folder hierarchy for secrets governance evidence                      |
| `GET /api/v1/audit`   | Retrieve audit log entries for secret access and administrative activity       |
| `GET /api/v1/users`   | Enumerate Secret Server users and their role assignments                       |
| `GET /api/v1/groups`  | Retrieve group definitions for access scope evidence                           |

## Pagination

`GET /api/v1/secrets` and `GET /api/v1/audit` are paged with the `skip` and `take` query parameters: `take` is the page size and `skip` the number of records already retrieved. SureCloud requests pages of a fixed size and increments `skip` by `take` until a response returns fewer than `take` records, which marks the end of the result set. For example, the second page of 100 records is fetched with:

```http
GET /api/v1/secrets?take=100&skip=100
```
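The following is an added example, not SureCloud's or Delinea's own code, showing the two mechanisms this page describes together: the OAuth 2.0 password grant against `POST /oauth2/token` (including the `invalid_grant` failure covered under Troubleshooting) and the `skip`/`take` walk over `GET /api/v1/secrets`. `FakeSecretServer`, its secret records, the token value, and the `post`/`get` transport interface are constructed assumptions so the example runs offline; a real client would send the same requests over HTTPS with `requests` or `urllib`.

```python
# Added example (not SureCloud's or Delinea's code): OAuth 2.0 password grant
# against POST /oauth2/token, then skip/take paging over GET /api/v1/secrets,
# stopping when a page comes back short. The server, records and token value
# below are constructed so the example runs offline.


class AuthError(Exception):
    """POST /oauth2/token rejected the request (for example with invalid_grant)."""


class FakeSecretServer:
    """Constructed stand-in for Secret Server (assumption, not a real endpoint).

    Serves `total` synthetic secret records with skip/take paging and rejects
    the password grant unless the credentials match.
    """

    def __init__(self, username, password, total=250):
        self.username, self.password = username, password
        self.records = [
            {"id": i, "name": f"secret-{i}", "folderId": i % 7}  # constructed data
            for i in range(1, total + 1)
        ]
        self.log = []  # every request, so callers can count round-trips

    def post(self, path, form):
        self.log.append(("POST", path, None))
        if path != "/oauth2/token":
            return 404, {}
        if (form.get("grant_type") != "password"
                or form.get("username") != self.username
                or form.get("password") != self.password):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "tok-constructed", "token_type": "bearer", "expires_in": 1200}

    def get(self, path, params, headers):
        self.log.append(("GET", path, dict(params)))
        if headers.get("Authorization") != "Bearer tok-constructed":
            return 401, {}
        if path != "/api/v1/secrets":
            return 404, {}
        skip, take = int(params["skip"]), int(params["take"])
        page = self.records[skip:skip + take]
        return 200, {"records": page, "skip": skip, "take": take, "total": len(self.records)}


def get_token(server, username, password):
    """Password grant: the service account password travels in the form body,
    which is why the Secret Server URL must be HTTPS."""
    status, body = server.post(
        "/oauth2/token",
        {"grant_type": "password", "username": username, "password": password},
    )
    if status == 400 and body.get("error") == "invalid_grant":
        raise AuthError("invalid_grant: wrong username/password or locked account")
    if status != 200 or "access_token" not in body:
        raise AuthError(f"token endpoint returned HTTP {status}")
    return body["access_token"]


def iter_all(server, token, path, take=100, max_pages=10_000):
    """Yield every record from a skip/take endpoint.

    Stops as soon as a page holds fewer than `take` records. When the total is
    an exact multiple of `take` this costs one extra request that returns an
    empty page. `max_pages` bounds the loop if a server keeps returning full pages.
    """
    headers = {"Authorization": f"Bearer {token}"}
    skip = 0
    for _ in range(max_pages):
        status, body = server.get(path, {"skip": skip, "take": take}, headers)
        if status != 200:
            raise RuntimeError(f"GET {path}?skip={skip}&take={take} returned HTTP {status}")
        page = body.get("records", [])
        yield from page
        if len(page) < take:
            return
        skip += take
    raise RuntimeError(f"gave up after {max_pages} pages of {path}")


def collect_secrets(server, username, password, take=100):
    """Authenticate, then pull the full secret inventory as a list."""
    token = get_token(server, username, password)
    return list(iter_all(server, token, "/api/v1/secrets", take=take))


if __name__ == "__main__":
    srv = FakeSecretServer("surecloud-api", "example-password")
    print(len(collect_secrets(srv, "surecloud-api", "example-password")), "secrets")
    print([r[2]["skip"] for r in srv.log if r[0] == "GET"])
```

With 250 constructed records and `take=100` the client makes one token request and three page requests (`skip` 0, 100, 200); the last page holds 50 records, so the loop ends without a fourth call. A wrong password surfaces as `AuthError` carrying the `invalid_grant` reason rather than a bare HTTP 400.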

## Required permissions

SureCloud requires a Delinea Secret Server user with the **Auditor** role, providing:

* View metadata for all secrets in accessible folders
* Read audit log records
* Enumerate users, groups, and folders

No secret value retrieval, checkout, or configuration-change permissions are required.

## Polling frequency

| Data Type                     | Interval       |
| ----------------------------- | -------------- |
| Secret inventory and metadata | Every 24 hours |
| Audit log events              | Every 6 hours  |
| User and group assignments    | Every 24 hours |

## Troubleshooting

<details>

<summary>Authentication fails with "invalid_grant"</summary>

`invalid_grant` is the OAuth 2.0 error returned by `POST /oauth2/token` when the username or password is incorrect, or when the account has been locked or disabled. Navigate to **Secret Server → Admin → Users → surecloud-api**, confirm the account is active and unlocked, and reset the password if necessary. Update the credentials in **SureCloud → Integrations → Delinea → Edit Connection**.

</details>

<details>

<summary>Secret list returns fewer records than expected</summary>

Role permissions and folder permissions are separate in Secret Server. The **Auditor** role grants the right to read secret metadata, but the account only sees secrets in folders where it (directly or through a group) has at least View access. Custom folder permissions, or folders that do not inherit permissions from their parent, can therefore hide secrets from the inventory. Confirm that the `surecloud-api` account has view access to all relevant folders in **Secret Server → Admin → Folders**.

</details>

<details>

<summary>Secret Server is unreachable from SureCloud</summary>

Delinea Secret Server is typically deployed on-premises. Confirm the Secret Server URL is accessible from the SureCloud collector network over HTTPS. Contact SureCloud Support for firewall and connectivity requirements.

</details>
