
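Automation Cloud Admin Guide
Managing access
Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles either to groups, so that all member accounts inherit them, or to individual accounts.
Accounts and groups typically have an organization-level role and one or more service-level roles.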
- The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations.
- The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful when none of the available built-in roles perfectly match the access a user or group should have.
A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments.
The Manage access menu is available within all possible scopes, descending from the organization level down to the project level.
A role is defined by multiple permissions. Permissions can be specific to a certain scope.
The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder.
The following types of roles are based on scopes and permissions:
- The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope.
- The global tenant role is a type of role you create at organization scope. You can apply this role type to all tenants within the organization.
- The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously.
- The service role is a type of role you create at service scope. This role type contains permissions from certain services.
- The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope.
The following table classifies scopes, role types based on scopes and permissions, and examples of roles:
Scope | Types of roles based on scopes and permissions | Examples of roles |
---|---|---|
Organization | Organization level roles | Insights Dashboard Viewer, Organization Administrator |
| Global tenant roles. Note: A global tenant role can be created using the custom role functionality. | |
Tenant | Cross-service roles | Tenant Administrator |
Service | Service roles | Orchestrator Administrator |
| Folder or project roles | Folder Administrator |
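In the following table, you can see the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants it the Organization Administrator role for the organization and the Administrator role within services. This user can manage organization-level roles by going to Admin and then selecting Accounts and Groups, and can also manage service-level roles.
Group membership | Organization-level role | Service-level roles for Orchestrator |
---|---|---|
Administrators | Organization Administrator | |
Automation Users | User | Automation User at folder level ¹; Allow to be Automation User at tenant level |
Automation Developers | User | Automation User at folder level ¹; Folder Administrator at folder level ¹; Allow to be Automation User at tenant level |
Everyone | User | No roles. |
Automation Express | User | Allow to be Automation User at tenant level |
[Custom group] | User | No roles by default, but you can add roles to the group as needed. |
¹ These roles are assigned for the Shared modern folder, if it exists.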
The organization level represents the highest level of scope.
At organization level, the Organization Administrator, User, and Insights Dashboard Viewer roles are available. You cannot change these roles or add new roles at the organization level.
Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.
Organization-level roles also include organization-level service permissions for services such as Apps and AutomationOps.
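Organization Administrator role
This role grants access to every organization-level and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. Multiple accounts can have this role.
The organization administrator and the Tenant Admin roles are the only roles that allow access to the Admin section.
When an organization is created, the system designates the first Organization Administrator for that organization.
To grant this role to other users, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.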
The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table:
Areas subject to permissions | View | Edit | Create | Delete |
---|---|---|---|---|
Usage charts | | | | |
Tenants | | | | |
Accounts and groups | | | | |
Security settings | | | | |
External applications | | | | |
Licenses | | | | |
API keys | | | | |
Resource Center (Help) | | | | |
Audit logs | | | | |
Organization settings | | | | |
User role
This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the Everyone group, which grants them the User role.
This role is granted to all accounts in the default groups Everyone, Automation Users, and Automation Developer.
This role provides read-only access to pages such as Home and Resource Center (if available).
The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depend on the service-level roles assigned to their account.
To grant access to everyone to a specific service, the users need to have the Everyone group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the Everyone group to a role in Automation Hub.
The available services that currently incorporate this mapping into roles and grant minimal rights within them are:
- Studio Web
- Apps
- Test Cloud
[Preview] Insights dashboard viewer role
The Insights Dashboard Viewer role is a built-in role that grants access to organization-level dashboards in Insights and is assigned by the organization administrator.
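Before you assign the Insights Dashboard Viewer role, you must make sure that the user has access to the Insights service within any tenant of the organization.
To assign the Insights Dashboard Viewer role, take the following steps:
- Make sure that the user has access to Insights on any given tenant within the organization.
- Navigate to Admin, then select Manage access at organization level.
- On the Role assignments tab, select Assign role.
- In the Name field, search for the user you want to assign the role to.
- In the Role field, select the Insights Dashboard Viewer checkbox.
- Select the Assign button to assign the role.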
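About tenant-level roles
Tenant-level roles control an account's access in the tenant settings and configuration areas. They also define the actions allowed in each UiPath service of a given tenant.
Most tenant-level roles in the platform are cross-service roles, because they grant permissions across multiple services within a specific tenant.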
Currently, Tenant Administrator is the only built-in role available at the tenant level.
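Tenant Administrator role
The Tenant Administrator role allows you to delegate responsibilities effectively. It grants access to manage all resources in a tenant, allowing operations such as role assignment, license management, and service configuration.
The Tenant Administrator role can be assigned to multiple accounts.
Known limitations
Tenant-level roles are currently subject to the following known limitations:
- Only the following services support the Tenant Administrator role:
  - Orchestrator (includes Actions, Processes, Integration Service)
  - Data Service
  - Document Understanding
  - Task Mining
  - Test Manager
- The Tenant Administrator cannot access organization-level menus from the interface.
- On the Admin > Tenant > Services screen, the Tenant Administrator can view the enabled services, but cannot add or remove services.
- On the Admin > Tenant > Manage access screen, tenant administrators can see tenants that they do not manage. However, if they access those tenants, they cannot perform any actions.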
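Service-level roles control the access rights and allowed actions within each UiPath service, such as the Orchestrator service or Data Service. The permissions for each service are managed within the service itself, not from the organization Admin page.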
To grant permissions for a service to accounts, you can perform the following actions:
- In the selected service, assign service-level roles to a group to grant those roles to all member accounts.
- Add accounts to a group that already has the required service-level roles by navigating to Admin, then selecting Accounts and Groups.
- In the selected service, assign roles to an account.
For the following services, you can create and manage some service-level roles that are external to the service, at platform level:
- Apps
- AutomationOps
- Document Understanding
- Intelligent Xtraction and Processing (IXP)
The folder or project is a scope you manage at service level.
Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows.
Depending on the service you use, you can assign folder- or project-level roles, as follows:
- Folder roles:
  - Orchestrator
- Project roles:
  - Document Understanding
  - Intelligent Xtraction and Processing (IXP)
  - Test Manager
  - Task Mining
Custom service roles
Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.
To create custom roles at service level, navigate to Manage access at service level, where you can define roles, and select your preferred scope and permissions.
Currently, you can create custom service roles for the following services:
- Apps
- Document Understanding
- Intelligent Xtraction and Processing (IXP)
Custom cross-service roles
Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide.
To create custom roles at tenant level, navigate to Manage access at tenant level, where you can define roles, and select your preferred scope and permissions.
You can manage and assign service-level roles from within each service as long as you have the appropriate permissions in the service.
For example, a user with the Administrator role in Orchestrator can create, edit, and assign roles to existing accounts.
The Manage access user interface (UI) keeps a consistent appearance across all scopes.
The following table illustrates what the Manage access UI looks like for each scope:
Scope | Manage access UI |
---|---|
Organization | |
Tenant | |
Service | |
Project | |
As an organization administrator, you can navigate to Manage access at organization level to assign tenant-level roles.
To view the role definition and the permissions granted, take the following steps:
- Navigate to Manage access.
- In the Roles tab, select the View button next to the role.
You can assign an organization-level role to a user, group, robot account, or external application. To assign a role, take the following steps:
- Navigate to Manage access.
- In the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
- Select Assign.
Tenant-level roles can be assigned at tenant level and can have granted permissions up to the service level.
Organization Administrators or other Tenant Administrators can view the Manage access screen.
- Navigate to Manage access.
- In the Roles tab, select the View button next to the role.
- Navigate to Manage access.
- In the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
- Select Assign.
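Visibility of the Tenant Administrator role at service level
Tenant Administrator role assignments are visible at both the tenant level and the individual service level. At service level, the Tenant Administrator role has the following properties:
- It is displayed together with the Platform role label.
- It is immutable, which means that you cannot delete the assignment at service level.
- In some services, such as Orchestrator, there is a link next to the role that redirects you to the Manage access page at platform level, where you can change tenant-level role assignments.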
You can manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added.
For information and instructions, refer to the applicable documentation and centralized access management availability per service, as described in the following table:
- Available
- Not available
- Planned
N/A - Not Applicable
Service | Details |
---|---|
| Managed from Orchestrator. Learn more about roles. |
| Managed from Orchestrator. |
| Managed from Orchestrator. |
| Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, refer to Role description and matrix. |
| Managed from AutomationOps. For more information, refer to AutomationOps user roles. |
| Managed from Orchestrator. For information about the roles required to use AI Center, refer to AI Center access control. |
| Managed from Orchestrator. For more information, refer to Orchestrator permissions. |
| Managed from Data Service. |
| Managed from Document Understanding. For more information about which roles are required and instructions for assigning them, refer to Role-based access control. |
| Managed from Insights. For more information, refer to Granting permissions. |
| Managed from IXP. For more information, refer to Roles and their underlying permissions. |
| Managed from Process Mining. For more information, refer to User management in Process Mining. |
| Managed from Studio Web. For more information, refer to Managing access to Studio Web. |
| Managed using Automation Cloud™ organization-level roles. For information about the permissions that organization-level roles grant in Task Mining, refer to Managing access and roles in the Task Mining documentation. |
| Managed from Test Cloud. For more information, refer to Managing access. |
| Managed from Test Manager. For information and instructions, refer to User and group access management. |
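Assigning roles to an account
If you want more granular control over an account's access in a service, but do not want to add new roles to an entire group, you can explicitly add the account to the service and assign it one or more service-level roles.
For information about the available roles and instructions, refer to the documentation for the target service, as described previously.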
Depending on the service you use, you can assign:
- Folder roles from Orchestrator.
- Project roles from:
  - Document Understanding
  - Intelligent Xtraction and Processing (IXP)
  - Test Manager
  - Task Mining
For more information, refer to the table in Assigning and managing service-level roles.