UiPath Automation Cloud

The UiPath Automation Cloud Guide

About Users

To access your UiPath cloud environment, an Automation Cloud organization administrator must add your employees as users in the Cloud Portal. Then organization administrators can grant them the required permissions to access Automation Cloud services by adding them to user groups or, if needed, by explicitly assigning individual roles.

You can add users easily by sending an invitation link to their email address and having them sign up for a user-owned UiPath account. Or, if you have a Microsoft Azure or Office 365 subscription, you can also integrate Azure with Automation Cloud to use your Azure Active Directory.

Your organization can use one of the following models to create users in the Cloud Portal:

  • The invitation-based model requires that you send an email invitation to users and they in turn create a UiPath account to accept the invite and sign in to Automation Cloud.
    UiPath account: A user-owned account that is registered with UiPath and used to log in to Automation Cloud and other UiPath resources such as the UiPath Forum or UiPath Academy. The account is created by either choosing a username and password, or by federating with Microsoft, Google, or LinkedIn. A UiPath account is created for the organization administrator when they first sign up for Automation Cloud and create the organization. When using an invitation-based model, as selected in Authentication Settings for your organization, users also create a UiPath account when they accept an invitation to join an organization.
  • The Azure Active Directory model lets you use your existing directory of users and also lets you benefit from the user management capabilities of Azure.

More about cloud identity and authentication

The identity of your users is verified in Automation Cloud, more precisely by the Cloud Portal, based on your organization directory. From here, based on user permissions assigned through roles and groups, they can access all your UiPath cloud services with only one set of credentials.

The below diagram describes the two identity models, how they work with the various user identities, and how federation can be achieved.
In the invitation-based model, identity management is performed on a user reference in the organization directory, while users remain in control of their accounts. But if integrated with Azure Active Directory (Azure AD), it's as simple as looking at the contents of your tenant directory in Azure AD, depicted below with an orange arrow. You can read more about each model in the following sections.


Choosing the Authentication Model for Your Organization


Organization administrators can choose the model to use for your organization by going to Admin > Users and Groups > Authentication Settings:

📘

Info:

The invitation-based model (selected in the image above) is set by default for any new organization.

Switching to Another Model

Enforcing Sign In with Google or Microsoft

The invitation-based model allows you to enforce sign in with a chosen provider. For more information about this model, see Invitation-based Model with Enforced Sign In Option.

To switch to this model, go to Admin > Users and Groups > Authentication Settings, select one of the Enforce Sign In with... options, and then click Save.

After saving, users can only see the sign in option for the provider you selected. If they are already signed in using a different provider, they are asked to sign out and sign back in using the chosen provider.

📘

Note:

If you have authorized external applications for your organization, tokens generated while using other providers remain valid, but any new tokens follow the enforced sign in policy.

Using Your Azure Active Directory

To switch to the Azure AD model, see Setting Up the Azure AD Integration for instructions.

📘

Note:

The API Access option (Admin > Tenants) is not available when using the Azure AD model.
If you have processes in place that use the information from the API Access window to authenticate API calls to UiPath services, you must register external applications to switch to using OAuth for authorization, in which case the information from API Access is no longer required.

To switch from the Azure AD model back to the invitation-based model...
  1. Log in as an organization administrator using a UiPath account. The options are not active otherwise.
  2. If you removed UiPath user accounts when you moved to the Azure AD model, invite all users to the organization so that users are created again for their UiPath accounts.
  3. Assign users to groups and, if needed, assign individual roles.
  4. Go to Admin > Users and Groups > Authentication Settings and select one of the other options.
  5. Click Save.

After saving, users must sign in with the UiPath account (new or existing) that they used to accept the invitation.


Which Model to Choose?

Here are some factors you might want to consider when choosing the authentication setting for your Automation Cloud organization:

Factor

Invitation-based Model

Invitation-based with Enforced Sign In Option

Azure AD Model

Community license

Enterprise license

Users do not require a UiPath account

User account management rights

Automation Cloud
org admin

Automation Cloud
org admin

Azure AD admin

User access management

Automation Cloud
org admin

Automation Cloud
org admin

Automation Cloud user management can be delegated entirely to the Azure AD admin

Single sign-on (SSO)


(with Google, Microsoft, and LinkedIn)


(with Google or Microsoft)


(with Azure AD account)

Enforce a complex password policy

1

Multi-factor authentication

1

Already using Google Workspace as your identity provider?

users need a UiPath account, but SSO is also possible

users need a UiPath account, but enforced SSO with Google is possible

N/A

Already using Office 365 with your identity provider (Okta, Ping, OneLogin)?

users need a UiPath account

users need a UiPath account

you can grant access to Automation Cloud to existing Azure AD accounts

Already using Azure AD as your identity provider?

users need a UiPath account

users need a UiPath account

you can grant access to Automation Cloud to existing Azure AD accounts

Large-scale user onboarding


(only for account creation)


(only for account creation)


(full account provisioning)

Access for collaborators from outside your company


(through invitation)


(through invitation for account on enforced provider)

Only allow access from inside corpnet

1

1

Only allow access from trusted devices

1 to the extent that the selected identity provider enforces it

 

Creating or Removing Users


Depending on the model you are using, you create and remove users differently:

  • invitation-based model: To add users to your organization, you invite users. You can manage their details and group memberships from the Cloud Portal, and remove them, if needed.
  • Azure AD model: If integrated, Automation Cloud and your other cloud services can use the existing users and groups from Azure AD. But creating and deleting these users and groups should be done in Azure AD by your Azure administrator, not from the Cloud Portal.

User and group icons shown in Automation Cloud and in other services can help you figure out the type so you know how to manage a particular user or group.

📘

Note:

Whichever model you choose, you can still manage user permissions for your UiPath cloud platform from the Cloud Portal and the UiPath services.

About the Available Models


Invitation-based Model

The process for creating a user is as follows:

  1. Organization administrators must obtain the email addresses of users and use them to invite each user to join their organization. They can do this in bulk.

  2. Each invited employee accepts the invitation by navigating to the link provided in the invitation email and creates a UiPath account. They can:

    • Use the invited email as a username and create a password.
      If users already have a UiPath account, they can sign in using their existing account, as long as the invitation was sent to the associated email address.
    • Use an existing account they have with Microsoft (personal, Azure AD-linked account, or Office 365 account), Google (personal or Google Workspace account), or their personal LinkedIn account to sign in to (or federate in to) their UiPath user account.

    The ability to use one of the providers mentioned above is convenient for users who do not have to remember additional passwords. And using organization-owned accounts in Azure AD or Google Workspace lets you enforce organization sign-in policies.

  3. Organization administrators can now add users to groups and grant service-level roles as needed so that users have the required access.

Invitation-based Model with Enforced Sign In Option

In this model you create users in the same way as in the invitation-based model: you issue an invitation to their email address and your users must create a UiPath account. The difference is that you can choose to enforce sign in using either Google or Microsoft.

So instead of seeing all sign in options, your users see only the one you selected. For example, here's what your users would see if you chose to enforce sign in with Microsoft:

They still use their UiPath account to sign in because the email address must match the one where the invitation was sent.

Azure Active Directory Model

The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Automation Cloud organization directly to your Azure AD tenant to obtain the following benefits:

Automatic user onboarding with seamless migration
  • All users and groups from Azure AD are readily available for any Automation Cloud service to assign permissions, without the need to invite and manage Azure AD users in the Automation Cloud organization directory.

  • You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation-based model.

  • All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.


Simplified sign-in experience
  • Users do not have to accept an invitation or create a UiPath user account to access the Automation Cloud organization. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL.

    If the user is already signed in to Azure AD or Office 365, they are automatically signed in.

  • UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Orchestrator URL, which leads to the same seamless connection experience.


Scalable governance and access management with existing Azure AD groups
  • Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Automation Cloud services for each user.

  • You can combine multiple directory groups into one Automation Cloud group if you need to manage them together.

  • Auditing Automation Cloud access is simple. After you've configured permissions in all Automation Cloud services using Azure AD groups, you utilize your existing validation processes associated with Azure AD group membership.


📘

Note:

While on the Azure AD model, you can continue to use all the features of the invitation-based model. But to maximize the benefits, we recommend relying exclusively on centralized account management from Azure.

Organization Level Roles


Organization level roles enable you to control user access within the Cloud Portal. Based on their roles, users can or cannot perform actions or view information within the portal.

🚧

Important!

All invited users have access to all the services within an organization. However, the level of access for each user is determined by their roles within each specific service. See Service Level Roles for more information.

The following 2 roles are available for the users at organization level:

Organization Administrator

This role grants access to every organization or service level feature. A user with this role can perform all administrative actions at organization level, like creating or updating tenants, managing users, viewing audit logs, and so on. There can be multiple users with this role. All users within the Administrator group are granted this role. Click here for information about user groups.

It includes the following permissions, which cannot be changed.

View

Edit

Create

Delete

Usage Charts & Graphs

Tenants

Users

Authentication Settings

External Applications

Licenses

API Keys

Resource Center

Audit Logs

Organization Settings

User

This is the default role assigned to people invited to join the organization. This role grants read-only access to some Cloud Portal functionalities, such as Resource Center, Licenses, Users or Tenants. All users in the Automation Users, Automation Developers and Everyone groups are granted this role. Click here for information about user groups.

The role includes the following permissions which cannot be changed.

View

Edit

Create

Delete

Usage Charts & Graphs

Tenants

Users

Authentication Settings

External Applications

Licenses

API Keys

Resource Center

Audit Logs

Organization Settings

Service Level Roles


Service level roles control access rights within each service. The permissions for each service are managed within the service itself, and not in Cloud Portal. You can explicitly assign a role for every user or you can use user groups.

User Groups

User groups are used to simplify access administration. Access rights assigned to a group are automatically inherited by all users in that group. A user gets the union of all permissions assigned to the groups they are a member of.
The group membership of a user is managed in Cloud Portal. User group permissions are configured in each individual service. For example, learn about users and user groups in Orchestrator services.

  Overview

Adding users to a group grants them access to all services which reference that group. The level of access to a service/folder is determined by the roles assigned to that group in the service.

  • When a user tries to access certain services, the system makes an access-permit decision depending on the user's membership.
  • When a user tries to access or use certain resources in a service, the system makes an access-permit decision based on the roles of the user, which can be either inherited from the group or granted explicitly.

  • Tenant Level Roles: Orchestrator > Tenant Context > Users Page. Learn how to add a user to a service and assign it a specific role.
  • Folder Level Roles: Orchestrator > Tenant Context > Folders Page. Learn how to add a user to a folder and assign it a specific role.

  Default User Groups

Default groups reduce the need to specify explicit access rights by providing predefined permissions for typical scenarios.
UiPath provides 4 default user groups that come with a default set of roles each at the service level: Administrators, Automation Users, Automation Developers, Everyone. These groups are automatically referenced in newly created Automation Cloud services, and they are configured with a set of default permissions. Note that, for services created before the user groups feature was launched, the permissions are not changed. Service administrators can configure permissions for these groups as they desire.

  Custom User Groups

If you need more than the 4 access levels provided by default by UiPath, you can create and tailor your own user groups. Unlike default user groups, custom groups need to be added manually in the service to ensure the correct mapping between the group membership of a user and the corresponding role in the service.

  Roles

User roles can be changed at the service level by users with corresponding permissions.

For example, users with the Orchestrator Administrator role can create additional roles or modify existing ones if needed.
Read more about Orchestrator roles here. The following table has the mapping between group memberships, organization level roles, and Orchestrator service level roles:

| Group Membership | Organization Level Role | Orchestrator Service Role |
|---|---|---|
| Administrators | Organization Administrator | Administrator |
| Automation Users | User | Automation User at folder level [1]; Allow to be Automation User at tenant level |
| Automation Developers | User | Automation User at folder level [1]; Folder Administrator at folder level [1]; Allow to be Automation User at tenant level; Allow to be Folder Administrator at tenant level |
| Everyone | User | No default role. |
| [Custom_Group] | User | No default role. |

[1] Note that the roles are assigned at Shared modern folder level if it exists.

 

Without User Groups

By default, all invited users are part of the Everyone user group, which grants them the User organization-level role. You cannot revoke this assignment.
Groups let you manage permissions for your users in bulk, but you don't have to work with user groups if you don't want to. You can instead manage permissions for each user individually by explicitly assigning service roles to users.

Explicit Role Assignment

If you want to granularly control the access a user has in a certain service, say without adding the entire group to the service, you can add them explicitly.
Read here how to add a user in an Orchestrator service.
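
The union rule from the User Groups section and the explicit role assignment described above can be checked offline during an access review. The following is an added example, not UiPath code and not a UiPath API: it models the page's rules locally, and the user names, the "Finance Bots" custom group and the "Auditor" role are constructed for illustration.

```python
# Added illustration: local model of the group/role rules on this page.
# User names, the "Finance Bots" group and the "Auditor" role are constructed.

ADMIN = "Organization Administrator"

# Default group -> Orchestrator roles, copied from the mapping table above.
ORCH_DEFAULTS = {
    "Administrators": {"Administrator"},
    "Automation Users": {
        "Automation User at folder level",
        "Allow to be Automation User at tenant level",
    },
    "Automation Developers": {
        "Automation User at folder level",
        "Folder Administrator at folder level",
        "Allow to be Automation User at tenant level",
        "Allow to be Folder Administrator at tenant level",
    },
    "Everyone": set(),  # no default role
}

def memberships(groups):
    """Every invited user is in Everyone; that membership cannot be revoked."""
    return set(groups) | {"Everyone"}

def org_role(groups):
    """Administrators group -> Organization Administrator, otherwise User."""
    return ADMIN if "Administrators" in memberships(groups) else "User"

def effective_roles(groups, service_groups, explicit=()):
    """Union of group-inherited and explicit roles, as {role: [sources]}."""
    sources = {}
    for group in sorted(memberships(groups)):
        # A group the service does not reference contributes nothing.
        for role in service_groups.get(group, ()):
            sources.setdefault(role, []).append("group:" + group)
    for role in explicit:
        sources.setdefault(role, []).append("explicit")
    return sources

def review(users, service_groups, explicit):
    """Findings worth a second look during an access review."""
    findings = []
    for name, groups in sorted(users.items()):
        if org_role(groups) == ADMIN:
            findings.append((name, "org-admin", "Administrators"))
        roles = effective_roles(groups, service_groups, explicit.get(name, ()))
        for role, src in sorted(roles.items()):
            if src == ["explicit"]:
                findings.append((name, "explicit-only", role))
        for group in sorted(set(groups) - set(service_groups)):
            findings.append((name, "group-not-in-service", group))
    return findings

USERS = {  # constructed sample directory
    "alice": ["Administrators"],
    "bob": ["Automation Users", "Automation Developers"],
    "carol": ["Finance Bots"],  # custom group, not yet added to the service
}
EXPLICIT = {"carol": ["Auditor"]}  # hypothetical custom role

if __name__ == "__main__":
    for finding in review(USERS, ORCH_DEFAULTS, EXPLICIT):
        print(finding)
```

The `group-not-in-service` finding corresponds to the custom-group caveat above: membership in a custom group grants nothing in a service until the group is added there.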

 

User and Group Icons


If you are using the Azure AD model, user and group icons are available in the Automation Cloud and Orchestrator pages where you manage users, groups, or roles to help you recognize the type of user account and the type of group.

User icons

UiPath_user - user tied to a UiPath account who signed in using basic authentication
UiPath_SSO_user - user tied to a UiPath account who signed in using SSO; also applies to users who have both a UiPath user account and an Azure AD account.
Azure_AD_user - user tied to an enterprise account who signed in using Enterprise SSO using the organization-specific URL.

Group icons

local_group - the group was created from Automation Cloud
AAD_group - the group originates in Azure AD.

Updated 10 days ago


