
UiPath Automation Suite

The UiPath Automation Suite Guide

Managing access

This page describes how to control the functionality and products that an account can access. Predefined groups and roles exist for easy setup, but you can also create custom ones if you want to apply a layered and flexible access scheme.

Roles


Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles either to groups, so that all member accounts inherit them, or to individual accounts.

Roles can include several permissions at either the organization level or the service level, so there are two kinds of roles:

  • organization-level roles: these roles control the permissions that accounts have on organization-wide options; they are available in the Automation Suite portal by default and you cannot change them, nor can you add new ones;
  • service-level roles: these roles control the access rights and actions that accounts can perform in each UiPath service you own; they are managed from within each service and can include default roles which you cannot change, as well as custom roles that you create and manage in the service.

Accounts and groups typically have an organization-level role and one or more service-level roles.

Groups and roles

The following table shows the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants it the Organization Administrator role for the organization and the Administrator role in the Orchestrator service. This user can therefore manage organization-level roles from Admin > Accounts and Groups, as well as service-level roles in Orchestrator.

| Group Membership | Organization-level Role | Service-level Roles for Orchestrator |
| --- | --- | --- |
| Administrators | Organization Administrator | Administrator |
| Automation Users | User | Automation User at folder level [1]; Allow to be Automation User at tenant level |
| Automation Developers | User | Automation User at folder level [1]; Folder Administrator at folder level [1]; Allow to be Automation User at tenant level; Allow to be Folder Administrator at tenant level |
| Everyone | User | No roles. |
| [Custom group] | User | No roles by default, but you can add roles to the group as needed. |

[1] The roles are assigned for the Shared modern folder, if it exists.

For information about roles across UiPath services, see Role management.

Organization-level roles

Accounts can have only one organization-level role. This role controls the access that the account has to options within the portal areas of Automation Suite, such as the tabs they can see on the Admin page or the options available to them on the Home and Admin pages.

At organization level, the roles Organization Administrator and User are available.
You cannot change these roles or add new roles at the organization level.

Organization administrator

This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.

The first organization administrator for any given organization is appointed when the organization is created.
To grant this role to others, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.

The organization administrator role includes the following organization-level permissions, which cannot be changed:

Permission types (table columns): View, Edit, Create, Delete

Areas covered (table rows):

  • Admin option in left rail
  • Usage charts and graphs
  • Tenants
  • Accounts and groups
  • Authentication settings
  • External applications
  • Licenses
  • API keys
  • Resource center (Help)
  • Audit logs
  • Organization settings

User

This is the basic level of access within the UiPath ecosystem and allows users to log in and access the Home page.

Local user accounts automatically become members of the Everyone group, which grants them the User role. This role is also granted to all accounts that are in the default groups Automation Users and Automation Developers.

For directory accounts, you must manually add them to the Everyone, Automation Users, or Automation Developers group to assign this role and grant them access.
You can also add a directory group to one of these default groups to grant the User role (and any service-level roles defined for the default group) to all members of that group.
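
The following Python code is an added example for access reviews, not UiPath code and not a UiPath API. It applies the group-to-role table above to a constructed membership list and expands directory groups that were added to default groups, so that accounts holding Organization Administrator indirectly are visible. The account names, the `dir:` prefix, and the rule that Organization Administrator takes precedence when several groups apply are assumptions.

```python
# Added example: resolve effective roles from group membership (constructed data).
# Default groups and their roles, transcribed from the "Groups and roles" table.
GROUP_ROLES = {
    "Administrators": ("Organization Administrator", {"Administrator"}),
    "Automation Users": ("User", {
        "Automation User at folder level",
        "Allow to be Automation User at tenant level"}),
    "Automation Developers": ("User", {
        "Automation User at folder level",
        "Folder Administrator at folder level",
        "Allow to be Automation User at tenant level",
        "Allow to be Folder Administrator at tenant level"}),
    "Everyone": ("User", set()),
}
# Constructed sample data; the "dir:" prefix marks a directory group (assumption).
MEMBERS = {
    "Administrators": {"alice", "dir:IT-Ops"},
    "Automation Developers": {"bob"},
    "Everyone": {"alice", "bob", "carol"},
}
DIRECTORY_GROUPS = {"dir:IT-Ops": {"dave", "erin"}}

def expand(member):
    """A directory group stands for all of its member accounts."""
    return DIRECTORY_GROUPS.get(member, {member})

def effective_access(account):
    """Return (organization-level role, Orchestrator roles, granting groups)."""
    org_role, svc_roles, via = None, set(), []
    for group, members in MEMBERS.items():
        if not any(account in expand(m) for m in members):
            continue
        # Groups missing from the table are custom groups: User, no roles by default.
        role, roles = GROUP_ROLES.get(group, ("User", set()))
        via.append(group)
        svc_roles |= roles
        # Assumption: Organization Administrator wins if several groups apply.
        if org_role != "Organization Administrator":
            org_role = role
    return org_role, svc_roles, sorted(via)

def admin_paths():
    """Map each Organization Administrator to how the membership was obtained."""
    paths = {}
    for m in MEMBERS.get("Administrators", set()):
        for acct in expand(m):
            paths.setdefault(acct, []).append("direct" if acct == m else m)
    return {a: sorted(p) for a, p in sorted(paths.items())}
```

An account for which `effective_access` returns `None` as the organization-level role is in no group, which matches the case of a directory account that was never added to a default group.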

Service-level roles

Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, Data Service, or AI Center. The permissions for each service are managed within the service itself, not from the Automation Suite Admin page.

To grant permissions for a service to accounts, you can:

  • assign service-level roles to a group to grant those roles to all member accounts - you do this in the service;
  • add accounts to a group that already has the required service-level roles - you do this from Admin > Accounts and Groups;
  • assign roles to an account - you do this in the service.

Role management


You manage and assign service-level roles from within each service, and you need the appropriate permissions in that service to do so. For example, users with the Administrator role in Orchestrator can create, edit, and assign roles.

Assigning organization-level roles

Organization-level roles are predefined and cannot be changed.

Organization administrators can assign organization-level roles to individual accounts from Admin > Accounts and Groups by adding accounts to a default or custom group.
See Groups and roles for more information about the organization-level roles tied to each type of group.

Note: Assigning organization-level roles to directory groups

If you have linked your Automation Suite organization to a directory, such as Azure Active Directory (Azure AD), you can also assign organization-level roles to directory groups by adding them to groups, the same as with accounts. This is not possible with local groups.
See Types of groups.

Managing service-level roles

You manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added in Automation Suite.

For information and instructions, see the applicable documentation:

| Service | Details |
| --- | --- |
| Orchestrator | Managed from Orchestrator. For more information and instructions, see About Roles in the Orchestrator documentation. |
| Actions | Managed from Orchestrator. For the list of permissions required, see Roles and Permissions in the Action Center documentation. For instructions on assigning roles, see About Roles in the Orchestrator documentation. |
| Processes | Managed from Orchestrator. For the list of permissions required, see Roles and Permissions in the Action Center documentation. For instructions on assigning roles, see About Roles in the Orchestrator documentation. |
| Automation Hub | Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, see Role Description and Matrix in the Automation Hub documentation. |
| Automation Store | Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, see Role Description and Matrix in the Automation Hub documentation. |
| AI Center | Managed from Orchestrator. For information about the roles required to use AI Center, see Permissions in the AI Center documentation. |
| Data Service | Managed from Data Service. For more information and instructions, see User Management in the Data Service documentation. For instructions on assigning roles, see About Roles in the Orchestrator documentation. |
| Task Mining | Managed using Automation Suite organization-level roles. For information about the rights that organization-level roles grant in Task Mining, see Set Up the Users in the Task Mining documentation. For instructions on how to assign organization-level roles, see Managing accounts and groups in the Automation Suite documentation. |

Assigning roles to an account

If you want to granularly control the access a certain account has in a service, but you don't want to add new roles to an entire group, you can explicitly add the account to the service and assign one or more service-level roles to it directly. For example, you can add an account to the Orchestrator service.

For information about the available roles and instructions, see the documentation for the target service, as described above.

Updated 7 months ago

