User are added in Automation Cloud from Cloud Portal's Users page. You cannot add users to an Orchestrator service from the service itself. See here details on how to manage users in the portal.
You can manage user permissions directly in each Orchestrator service. See here details on how to manage user roles in Cloud Orchestrator. You can also make use of the permissions granted by the out of the box user groups defined in Automation Cloud.
A user is an entity with access-dependent capabilities whose view and control of Automation Cloud rely on the assigned access rights. Users can be created by inviting them to join an organization. To accept an invite, a person must click the link within the received email and sign up with the same email address and a password or with a Google, Microsoft, or LinkedIn account. Once signed up, the user has access to the features within Automation Cloud's Portal and services according to its assigned role.
Organization level roles enable you to control user access within the Cloud Portal. Based on their roles, users can or cannot perform actions or view information within the portal.
All invited users have access to all the services within an organization. However, the level of access for each user is determined by their roles within each specific service. See Service Level Roles for more information.
The following 2 roles are available for the users at organization level:
This role grants access to every organization or service level feature. A user with this role can perform all administrative actions at organization level, like creating or updating tenants, managing users, viewing audit logs, and so on. There can be multiple users with this role. All users within the Administrator group are granted this role. Click here for information about user groups.
It has the following permissions, which cannot be changed.
Usage Charts & Graphs
This is the default role assigned to people invited to join the organization. This role grants read-only access to some Cloud Portal functionalities, such as Resource Center, Licenses, Users or Tenants. All users within the Everyone group are granted this role. Click here for information about user groups.
The role has the following permissions which cannot be changed.
Usage Charts & Graphs
Service level roles control access rights within each service. The permissions for each service are managed within the service itself, and not in Cloud Portal. You can explicitly assign a role for every user or you can use user groups.
User Groups are user containers with specific permission sets that can be configured with specific permissions in services within Automation Cloud. Permissions for groups can be configured within each service by selecting the group and associating desired permissions, in the service-specific permissions management pages. Users get the union of all permissions assigned to the groups they are members in. Click here for details about user groups in Orchestrator services.
User Groups are suitable both for small and large deployments, enabling you to easily grant a set of predetermined permissions at Automation Cloud organization and services levels.
When you assign users to a group within Cloud Portal, you grant them access to all the services which have permissions configured for that specific user group. The level of access to the service is determined by the roles assigned to that group at service level.
Service Level Roles
Orchestrator > Management Menu > Users Page
Click here for details on how to add a user to a service and assign it a specific role.
Folder Level Roles
Orchestrator > Management Menu > Folders Page
Click here for details on how to add a user to a folder and assign it a specific role.
Cloud Portal has 4 user groups that at service level have a default set of roles each. These groups are automatically created in newly created Automation Cloud services, and they are configured with a set of default permissions. Note that, for services created before the user groups feature was launched, the permissions are not changed. Service administrators can configure permissions for these groups as they desire, in order to take advantage of user groups.
The default configuration of the service level roles can be changed at the service level by users with corresponding permissions. For example, users with the Administrator role can create additional roles within an Orchestrator service if needed.
Read more about Orchestrator level roles here.
Please consult the following table for the mapping between group memberships, organization level roles, and service level roles:
Cloud Portal Group Membership
Organization Level Role
Orchestrator Service Role
No default role.
1 Note that the roles are assigned at Shared modern folder level, if it exists.
If you want to granularly control the access a user has in a certain service, say without adding the entire group to the service, you can add them explicitly.
Read here how to add a user in an Orchestrator service.
If you don't want to work with user groups and preserve past behavior, assign your users to the vanilla Everyone group. This way, they are granted User role within Cloud Portal, and no role whatsoever within each of your services. To grant them service level roles, assign them explicitly the desired roles within each service.
Updated 3 months ago