In Automation Cloud you can create user accounts and robot accounts.
Use these types of accounts to identify a person. You can assign licenses, roles, and add these accounts to groups.
There are two types of user accounts:
- Local users: These accounts are linked to a UiPath accountUiPath account - A user-owned account that is registered with UiPath and used to log in to Automation Cloud and other UiPath resources such as the UiPath Forum or UiPath Academy. The account is created by either choosing a username and password, or by federating with Microsoft, Google, or LinkedIn. A UiPath account is created for the organization administrator when they first sign up for Automation Cloud and create the organization. When using an invitation-based model, as selected in Authentication Settings for your organization, users also create a UIPath account when they accept an invitation to join an organization.. This type of account is created within Automation Cloud and it is also managed from there by an organization administrator. Users own the account itself, but organization administrators can work with the reference of it to edit, delete, or manage roles and group memberships for it.
- Directory users: These accounts are defined outside of Automation Cloud, in either an on-premises Active Directory, or a cloud active directory, such as Azure Active Directory. You must link the directory to Automation Cloud to use this type of accounts. When linked, Automation Cloud can search for and reference directory users so that you can view them, assign roles to them, or add them to Automation Cloud groups. The benefit is that you do not need to define these identities twice: you define them once in your directory and can use them in Automation Cloud, too.
For more information, see Authority over accounts and groups.
Robot accounts are helpful for when you need to run back-office unattended processes that should not be the responsibility of any particular user. These are our RPA-specific equivalent of service accounts. Similar to the accounts that Windows services run as application identities in the OAuth model, they are a non-user identity to be used to run unattended processes.
Robot accounts behave like user accounts in terms of permissions. In UiPath Orchestrator, you can add robot accounts and configure permissions for them in the same way as for any other account.
The only differences compared to user accounts are:
- robot accounts are not allowed any interactive-related process configuration
- no email address is required to create a robot account.
You can find and work with robot accounts in broadly the same way as you work with user accounts:
- Organization administrators can create and manage robot accounts in Automation Cloud, from the Admin > Accounts and Groups page - except not from the Users tab, but from the dedicated Robot accounts tab.
Robot accounts can also be included in groups and managed as part of the group.
*When assigning roles in Orchestrator, searching for accounts shows users, groups, and also robot accounts for selection.
Groups are used to simplify access administration. They are a collection of accounts which should have similar access, robot configuration, and licensing needs, and which you want to manage together.
For example, you might want to create a group for all of your administrators, or a group for all of your accounting employees because you know their job requires them to use the same UiPath functionality in the same way, so they should have the same licenses, robot configuration, and roles. Whenever changes to licensing or roles are required for that category of user, you update the group and the changes apply for all of its members.
If, by exception, one of the group members requires additional roles, you can also assign roles or licenses to the account individually. In this case, the account benefits from the roles and licenses that were assigned individually, and the ones inherited from the groups it is in.
Groups are natively available in Automation Cloud. If a group was created from the Admin > Accounts and Groups > Groups tab in Automation Cloud, then it is a local group.
If a directory is linked to Automation Cloud and the directory includes groups, you can find and work with those directory groups in Automation Cloud in the same way as you would work with local groups.
When an account becomes a member of a group, it inherits all the roles, licenses, and robot configuration of that group.
If assigned to more than one group, an account gets the union of all permissions and licenses assigned to the groups to which they belong.
Roles inherited through group memberships are only available while the account is connected.
When the various services allow access, they look at different aspects:
- When accessing a service, access is allowed based on the account's group memberships.
- When attempting to access or use resources in a service, the action is allowed based on the roles of the account, which it either inherits from a group or the required roles were granted to the account directly.
Directory accounts and groups
You can include directory accounts in local groups. You can also include directory groups in local groups, even though you cannot include a local group inside of another local group.
This allows the directory administrator to fully onboard an account with the roles, licenses, and robot setup they need, without the need for additional actions in Automation Cloud.
This is achieved by adding a directory group inside a local group that is fully set up in Automation Cloud. The directory administrator then needs to only add the account to their directory group and the account inherits the setup and is ready to work in Automation Cloud.
- Creating or deleting groups, adding or removing group members: An organization administrator can manage groups, as well as add or remove accounts from groups from the Admin > Accounts and Groups > Groups tab in Automation Cloud.
- Assigning licenses to groups: Organization administrators also assign license allocation rules to groups from the Admin > Licenses page.
- Roles for groups: Roles are assigned to groups by the administrators of each individual service from within the service, same as for accounts. For example, learn about users and user groups in the Orchestrator service.
If you don't want to work with user groups, grant the required roles to each account by explicitly assigning service-level roles to each account
Note: If you have a linked directory, make sure to also add your directory accounts to the default group Everyone. All local accounts are automatically added to this group. This way, all accounts are granted the User organization-level role so that they can access Automation Cloud, but no roles for your services - you must assign those to each account.
Default groups are available in any new Automation Cloud organization and are pre-configured with organization-level roles for the Automation Cloud portal and service-level roles for UiPath services.
You cannot remove roles that are assigned to these groups and you cannot delete them.
The default groups are Administrators, Automation Users, Automation Developers, and Everyone. You can assign a fully-functional and complex access schema to users with only one action: adding them to the appropriate group.
See Roles for information about the roles included for each group.
On pages where you manage accounts, groups, or roles, specific icons are displayed for each type to help you recognize the type of account or the type of group.
- UiPath user account: user account that is linked to a UiPath account and signed in using basic authentication
- SSO user account: user account linked to a UiPath account that signed in using SSO; also applies to user accounts that have both a UiPath user account and a directory account
- Directory user account: the account originates from a directory and signed in with Enterprise SSO
- Robot account
- Local group (or plainly, group): the group was created in Automation Cloud.
- Directory group: the group originates in a linked directory.
If an account or group was created from Automation Cloud:
- The organization administrator is responsible for and has the required privileges to manage the accounts and groups that belong to their organization.
- Managing accounts and groups is done within Automation Cloud and includes creating, editing, deleting, licensing of accounts, and adding or removing accounts from groups, as well as adding or removing groups.
- Roles can be assigned by the organization administrator within services, or by a service-level administrator.
If the account or group was created in a directory that is linked to Automation Cloud:
- The directory administrator is responsible for and has the required privileges to manage the accounts and groups that belong to the directory.
- Managing accounts and groups is done within the directory and includes creating, editing, deleting of accounts, and adding or removing accounts from groups, as well as adding or removing groups.
- Directory accounts and groups are licensed from Automation Cloud, either individually, or in bulk through group membership.
- Roles are assigned from within Automation Cloud by either the organization administrator or service-level administrators. Roles can be assigned either individually or in bulk, through group membership.
- You can include directory accounts in local groups. You can also include a directory group inside a local group, which is not possible with local groups.
Updated 19 days ago