In Automation Suite you can create user accounts or robot accounts, both of which can be either local accounts or directory accounts.
By their origin, there are two types of accounts:
- Local accounts are accounts that originate from Automation Suite. They are created and managed from Automation Suite by the organization administrator.
- Directory accounts are accounts that originate from a linked directory, such as Azure Active Directory, for example. Directory accounts are created and managed by the directory administrator. When the directory is linked to Automation Suite, directory accounts can be used in Automation Suite in the same way as local accounts.
For more information, see Authority over accounts and groups.
Use these types of accounts to identify a person. You can assign licenses, roles, and add these accounts to groups.
There are two types of user accounts:
- Local users: These accounts are linked to a UiPath account, which is a representation of their account within UiPath services. This type of account is created within Automation Suite and it is also managed from there by an organization administrator. Users own the account itself, but organization administrators can work with the reference of it to edit, delete, or manage roles and group memberships for it.
- Directory users: These accounts are defined outside of Automation Suite, in either an on-premises Active Directory, or a cloud active directory, such as Azure Active Directory. You must link the directory to Automation Suite to use this type of accounts. When linked, Automation Suite can search for and reference directory users so that you can view them, assign roles to them, or add them to Automation Suite groups. The benefit is that you do not need to define these identities twice: you define them once in your directory and can use them in Automation Suite, too.
Robot accounts are helpful for when you need to run back-office unattended processes that should not be the responsibility of any particular user. These are our RPA-specific equivalent of service accounts. Similar to the accounts that Windows services run as application identities in the OAuth model, they are a non-user identity to be used to run unattended processes.
Robot accounts behave like user accounts in terms of permissions. In UiPath Orchestrator, you can add robot accounts and configure permissions for them in the same way as for any other account.
The only exception is that robot accounts are not allowed any interactive-related process configuration.
You can find and work with robot accounts in broadly the same way as you work with user accounts:
- Organization administrators can create and manage robot accounts in Automation Suite, from the Admin > Accounts and Groups page - except not from the Users tab, but from the dedicated Robot accounts tab.
Robot accounts can also be included in groups and managed as part of the group.
- For example, when assigning roles in Orchestrator, searching for accounts shows users, groups, and also robot accounts for selection.
Groups are used to simplify access administration. They are a collection of accounts which should have similar access, robot configuration, and licensing needs, and which you want to manage together.
For example, you might want to create a group for all of your administrators, or a group for all of your accounting employees because you know their job requires them to use the same UiPath functionality in the same way, so they should have the same licenses, robot configuration, and roles. Whenever changes to licensing or roles are required for that category of user, you update the group and the changes apply for all of its members.
If, by exception, one of the group members requires additional roles, you can also assign roles or licenses to the account individually. In this case, the account benefits from the roles and licenses that were assigned individually, and the ones inherited from the groups it is in.
Groups are natively available in Automation Suite. If a group was created from the Admin > Accounts and Groups > Groups tab in Automation Suite, then it is a local group.
If a directory is linked to Automation Suite and the directory includes groups, you can find and work with those directory groups in Automation Suite in the same way as you would work with local groups.
When an account becomes a member of a group, it inherits all the roles, licenses, and robot configuration of that group.
If assigned to more than one group, an account gets the union of all permissions and licenses assigned to the groups to which they belong.
Roles inherited through group memberships are only available while the account is connected.
When the various services allow access, they look at different aspects:
- When accessing a service, access is allowed based on the account's group memberships.
- When attempting to access or use resources in a service, the action is allowed based on the roles of the account, which it either inherits from a group or the required roles were granted to the account directly.
Directory accounts and groups
You can include directory accounts in local groups. You can also include directory groups in local groups, even though you cannot include a local group inside of another local group.
This allows the directory administrator to fully onboard an account with the roles, licenses, and robot setup they need, without the need for additional actions in Automation Suite.
This is achieved by adding a directory group inside a local group that is fully set up in Automation Suite. The directory administrator then needs to only add the account to their directory group and the account inherits the setup and is ready to work in Automation Suite.
- Creating or deleting groups, adding or removing group members: An organization administrator can manage groups, as well as add or remove accounts from groups from the Admin > Accounts and Groups > Groups tab in Automation Suite.
- Assigning licenses to groups: Organization administrators can also assign license allocation rules to groups from the Admin > Licenses page.
- Roles for groups: Roles are assigned to groups by the administrators of each individual service from within the service, same as for accounts. For example, learn about users and user groups in the Orchestrator service.
If you don't want to work with user groups, grant the required roles to each account by explicitly assigning service-level roles to each account
Note: If you have a linked directory, make sure to also add your directory accounts to the default group Everyone. All local accounts are automatically added to this group. This way, all accounts are granted the User organization-level role so that they can access Automation Suite, but no roles for your services - you must assign those to each account.
Default groups are available in any new Automation Suite instance and are pre-configured with organization-level roles for the Automation Suite portal and service-level roles for UiPath services.
You cannot remove roles that are assigned to these groups and you cannot delete them.
The default groups are Administrators, Automation Users, Automation Developers, and Everyone. You can assign a fully-functional and complex access schema to users with only one action: adding them to the appropriate group.
See Roles for information about the roles included for each group.
On pages where you manage accounts, groups, or roles, specific icons are displayed for each type to help you recognize the type of account or the type of group.
- UiPath user account: user account that is linked to a UiPath account and signed in using basic authentication
- SSO user account: user account linked to a UiPath account that signed in using SSO; also applies to user accounts that have both a UiPath user account and a directory account
- Directory user account: the account originates from a directory and signed in with Enterprise SSO
- Robot account
- Local group (or plainly, group): the group was created in Automation Suite
- Directory group: the group originates in a linked directory.
If an account or group was created from Automation Suite:
- The organization administrator is responsible for and has the required privileges to manage the accounts and groups that belong to their organization.
- Managing accounts and groups is done within Automation Suite and includes creating, editing, deleting, licensing of accounts, and adding or removing accounts from groups, as well as adding or removing groups.
- Roles can be assigned by the organization administrator within services, or by a service-level administrator.
If the account or group was created in a directory that is linked to Automation Suite:
- The directory administrator is responsible for and has the required privileges to manage the accounts and groups that belong to the directory.
- Managing accounts and groups is done within the directory and includes creating, editing, deleting of accounts, and adding or removing accounts from groups, as well as adding or removing groups.
- Directory accounts and groups are licensed from Automation Suite, either individually, or in bulk through group membership.
- Roles are assigned from within Automation Suite by either the organization administrator or service-level administrators. Roles can be assigned either individually or in bulk, through group membership.
- You can include directory accounts in local groups. You can also include a directory group inside a local group, which is not possible with local groups.
Updated 9 months ago