- Getting started
- Host administration
- Organizations
- Tenants and services
- Authentication and security
- Licensing
- Accounts and roles
- External applications
- Testing in your organization
- AI Trust Layer
- Notifications
- Logging
- Troubleshooting
Automation Suite admin guide
Roles
Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts.
Accounts and groups typically have an organization-level role and one or more service-level roles.
Types of roles
The following types of roles can include several permissions at either organization level, or at service level:
- The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations.
- The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful role for when none of the available built-in roles perfectly match the access a user or group should have.
Scopes and categories
A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments.
The Manage access menu is available within all possible scopes, descending from the organization level down to the project level.
A category is a parameter for a custom role that you define for each scope, determining whether you apply the role within the same scope, or within a lower-level scope.
Types of roles based on scopes and permissions
A role is defined by multiple permissions. Permissions can be specific to a certain scope.
The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder.
The following types roles are based on scopes and permissions:
- The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope.
- The global tenant role is a type of role you create at organization scope. You can apply this role type to all tenants within the organization.
- The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously.
- The service role is a type of role you create at service scope. This role type contains permissions from certain services.
- The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope.
The following table classifies scopes, role types based on scopes and permissions, and examples of roles:
| Scope | Types of roles based on scopes and permissions | Examples of roles |
|---|---|---|
| Organization | Organization level roles | Insights Dashboard Viewer Organization Administrator |
| Global tenant roles |
Note: A global tenant role can be created using the custom role functionality. | |
| Tenant | Cross-service roles | Tenant Administrator |
| Service | Service roles | Orchestrator Administrator |
| Folder or project roles | Folder Administrator |
Groups and roles
In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants them the Organization Administrator role for the organization and the Administrator role within your services. This user can manage both organization-level roles from Admin, then select Accounts and Groups, as well as service-level roles.
| Group membership | Organization-level role | Service-level roles for Orchestrator |
|---|---|---|
| Administrators | Organization Administrator | Administrator |
| Automation Users | User | Automation User at folder level 1 Allow to be Automation User at tenant level |
| Automation Developers | User | Automation User at folder level 1 Folder Administrator at folder level 1 Allow to be Automation User at tenant level Allow to be Folder Administrator at tenant level |
| Everyone | User | No roles. |
| Automation Express | User | Allow to be Automation User at tenant level |
| [Custom group] | User | No roles by default, but you can add roles to the group as needed. |
1 The roles are assigned to the Shared modern folder, if it exists.
For information about roles across UiPath services, refer to Role management.
Organization-level roles
The organization level represents the highest level of scope.
At organization level, the Organization Administrator, User, and Insights Dashboard Viewer roles are available. You cannot change these roles.
Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.
Organization-level roles also include organization-level service permissions for services such as Apps and AutomationOps.
Organization administrator role
This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.
The organization administrator and the Tenant Admin roles are the only roles that allow access to the Admin section.
The first organization administrator for any given organization is appointed when the organization is created.
The organization administrator role is not an assignable role. To have this role assigned to you, you need to be part of the Administrators group.
To grant this role to others, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.
The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table:
| Areas subject to permissions | View | Edit | Create | Delete |
|---|---|---|---|---|
| Usage charts and graphs | ✅ | ❌ | ❌ | ❌ |
| Tenants | ✅ | ✅ | ✅ | ✅ |
| Accounts and groups | ✅ | ✅ | ✅ | ✅ |
| Security settings | ✅ | ✅ | ❌ | ❌ |
| External applications | ✅ | ✅ | ✅ | ✅ |
| Licenses | ✅ | ✅ | ❌ | ❌ |
| API keys | ✅ | ❌ | ✅ | ❌ |
| Resource center (Help) | ✅ | ❌ | ❌ | ❌ |
| Audit logs | ✅ | ❌ | ❌ | ❌ |
| Organization settings | ✅ | ✅ | ❌ | ❌ |
User role
This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the Everyone group, which grants them the User role.
This role is granted to all accounts that are in the default groups Everyone, Automation Users, or Automation Developers.
This role provides read-only access to pages, such as the Home page, Resource Center (if available).
The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depends on the service-level roles assigned to their account.
All platform users are part of the Everyone group by default, regardless if they are local or directory users.
To grant access to everyone to a specific service, the users need to have the Everyone group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the Everyone group to a role in Automation Hub.
The available services that currently incorporate this mapping into roles and grant minimal rights within them are:
- Studio Web
- Apps
- Test Manager
Tenant-level roles
Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant.
Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant.
Currently, Tenant Administrator is the only built-in role available at the tenant level.
Tenant Administrator role
The Tenant Administrator role allows you to effectively delegate responsibilities. The role grants access to manage all resources1 in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.
The Tenant Administrator role can be assigned to multiple accounts.
1The following services support the Tenant Administrator role:
- Orchestrator (includes Actions, Processes, Integration Service)
- Data Service
- Document Understanding
- Test Manager
Tenant Administrator role permissions
The following tables describe the Tenant Administrator role permissions:
| Resource | Permissions | Description | |||||
|---|---|---|---|---|---|---|---|
| View | Create | Delete | Read | Update | |||
| Centralized Access | Administration page | ✅ | ❌ | ❌ | ❌ | ❌ | Grants permissions to centralized access, roles and role assignments. |
| Role | ❌ | ✅ | ✅ | ✅ | ✅ | ||
| Role assignments | ❌ | ✅ | ✅ | ✅ | ✅ | ||
| Resource | Permissions | Description | |||||||
|---|---|---|---|---|---|---|---|---|---|
| View | Create | Delete | Read | Update | Edit | Manage | |||
| Data Fabric | Permission | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | Grants administrator permissions and is equivalent to the Data Fabric Administrator role. |
| Resource | Permissions | Description | ||||
|---|---|---|---|---|---|---|
| Create | Delete | Read | Update | |||
| Document Understanding | Classifier | ✅ | ✅ | ✅ | ✅ | Grants administrator permissions and is equivalent to the Document Understanding Administrator role. |
| Data Set Export | ✅ | ✅ | ✅ | ❌ | ||
| Documents | ❌ | ✅ | ❌ | ❌ | ||
| Document Type | ✅ | ✅ | ✅ | ✅ | ||
| Extractor | ✅ | ✅ | ✅ | ✅ | ||
| Monitor Processed Documents | ❌ | ❌ | ✅ | ❌ | ||
| Monitor Processed Documents Detail | ❌ | ❌ | ✅ | ❌ | ||
| Monitor Project Performance | ❌ | ❌ | ✅ | ❌ | ||
| Project | ✅ | ✅ | ✅ | ✅ | ||
| Project Version | ✅ | ✅ | ✅ | ✅ | ||
| Project Version Label | ✅ | ✅ | ✅ | ✅ | ||
| Tenant Settings | ✅ | ❌ | ✅ | ✅ | ||
| Resource | Permissions | Description | |||||||
|---|---|---|---|---|---|---|---|---|---|
| View | Create | Delete | Read | Update | Edit | Manage | |||
| Licensing | Quota | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | Grants permissions to manage quotas. |
| Resource | Permissions | Description | ||||
|---|---|---|---|---|---|---|
| View | Create | Delete | Edit | |||
| Orchestrator | Action Design | ✅ | ✅ | ✅ | ✅ | Grants administrator permissions and is equivalent to the Orchestrator Administrator role. |
| Alerts | ✅ | ✅ | ✅ | ✅ | ||
| App Versions | ✅ | ✅ | ✅ | ✅ | ||
| Audit | ✅ | ✅ | ✅ | ✅ | ||
| Background Tasks | ✅ | ❌ | ❌ | ❌ | ||
| Libraries | ✅ | ✅ | ✅ | ✅ | ||
| License | ✅ | ✅ | ✅ | ✅ | ||
| Machines | ✅ | ✅ | ✅ | ✅ | ||
| Packages | ✅ | ✅ | ✅ | ✅ | ||
| Robots | ✅ | ✅ | ✅ | ✅ | ||
| Roles | ✅ | ✅ | ✅ | ✅ | ||
| Settings | ✅ | ✅ | ✅ | ✅ | ||
| Solution Deployments | ✅ | ✅ | ✅ | ✅ | ||
| Solution Packages | ✅ | ✅ | ✅ | ✅ | ||
| Tags | ✅ | ✅ | ✅ | ✅ | ||
| Units | ✅ | ✅ | ✅ | ✅ | ||
| Users | ✅ | ✅ | ✅ | ✅ | ||
| Webhooks | ✅ | ✅ | ✅ | ✅ | ||
| Resource | Permissions | Description | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| View | Create | Delete | Read | Update | Edit | Assign | Toggle | AutomatedExecution | CreateAndUnlinkDefects | ExecutePerformanceTest | ManualExecution | OverrideTestResult | SmartTestGeneration | TestExecutionAssignment | |||
| Test Manager | Performance Scenarios | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Grants administrator permissions and is equivalent to the Test Manager administrator role. |
| Project | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Project Settings | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Prompt | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Requirement | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Role | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Task Permissions | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Test Case | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Test Execution | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
| Test Set | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||
To view the available Tenant Administrator role permissions, take the following steps:
-
Navigate to Admin.
-
Select Manage access at organization level.
-
Select the Roles tab.
-
In the Role Name column, select the Tenant Administrator role. You can now view the Tenant Administrator role permissions in the expanded panel.
Known limitations
The following known limitations affect the tenant-level roles:
- The rest of the tenant-level services are currently not supported, and users that only hold the Tenant Administrator role cannot access these services.
- The Tenant Administrator cannot access organization-level menus from the interface.
- On the Admin > Tenants > Services screen, the Tenant Administrator can view enabled services, but cannot add or remove services.
- On the Admin > Tenants > Manage access screen, the Tenant Administrator can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.
Service-level roles
Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Service. The permissions for each service are managed within the service itself, not from the organization Admin page.
To grant permissions for a service to accounts, you can perform the following actions:
- In the selected service, assign service-level roles to a group to grant those roles to all member accounts.
- Add accounts to a group that already has the required service-level roles by navigating to Admin, then select Accounts and Groups.
- In the selected service, assign roles to an account.
For the following services, you can create and manage some services-level roles that are external to the service, at platform level:
- Apps
- Automation Ops
- Document Understanding
Folder- or project-level roles
The folder or project is a scope you manage at service level.
Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows.
Depending on the service you use, you can assign folder- or project-level roles, as follows:
- Folder roles:
- Orchestrator
- Project roles:
- Document Understanding
- Test Manager
Custom roles
Custom service roles
Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.
To create custom roles at service level, navigate to Manage access at service level, where you can define roles, and select your preferred scope and permissions.
Currently, you can create custom service roles for the following services:
- Apps
- Document Understanding
Custom cross-service roles
Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide.
To create custom roles at tenant level, navigate to Manage access at tenant level, where you can define roles, and select your preferred scope and permissions.
- Types of roles
- Scopes and categories
- Types of roles based on scopes and permissions
- Groups and roles
- Organization-level roles
- Organization administrator role
- User role
- Tenant-level roles
- Tenant Administrator role
- Known limitations
- Service-level roles
- Folder- or project-level roles
- Custom roles
- Custom service roles
- Custom cross-service roles