Update secrets with Delinea/Thycotic api

I have 2000 secrets that are not in folders. That breaks every design principle of Delinea. Secrets should Always be in folders and all permissions and polices should be applied to folders not directly to secrets.

So the plan is to move all 2000 secrets into a designated folder.  When a secret is moved to a folder, all permissions are cleared and replaced with only this permission – the Owner of the folder becomes the Owner of the secret. I want to re-apply all the previous permissions after the folder move. I plan to use the Delinea api.


  1. Using the Delinea reporting system I can get all active secrets that have no folder.
  2. The Delinea api no longer needs “secretserver” after your secret server FQDN, that changed from version 10, most docs out there have not been updated. If you include the secretserver text after the url you will get html instead of json response. Generally when you are getting html response, your url is wrong. E.g its “https://myserver.mydomain.local/” not “https://myserver.mydomain.local/secretserver
  3. In Delinea use DomainName\username not username

Script logic 

Using PowerShell and Invoke-RestMethod

  1. Read the secrets from file. For Each secret
  2. Store the secretid in a variable
  3. Get the bearer token
  4. Get the secret info with Get-Server
  5. Store the following attributes in variable. You will need them for the update payload
  • Name
  • Items – ConvertTo-Json
  • Siteid
  1. Get the secret Permissions using Get-secret-permissions
  2. Store the following in variables
  • Records – Store it in an array
  1. Update the secret using Update-Secret, build the body, the following are required
  • Secretid
  • Name
  • Items
  • Siteid
  1. Add the following
  • Folderid of the folder you want to move the secrets to
  • EnableInheritPermissions = False
  1. After you run the Update-secret the secret will be moved but the EnableInheritPermissions will be set to true. That is standard  and so you have to run the Update-secret again to set it to false. It has to be false to allow you to edit and re-apply the permissions.
  2. Loop through the Records variable, check if the Owner of the new folder is in the groupname attribute, if it isn’t then use the Create secret-permissions command
  3. Build the body using parameters from the record
  • domainName: string
  • groupId: integer (int32)
  • groupName: string
  • secretAccessRoleName: string
  • secretId: integer (int32)
  • userId: integer (int32)
  • userName: string