
Configuring authentication and security

As an organization administrator, you can choose the authentication and related security settings for your organization. Some settings are inherited from the host level, but you can override them if different settings should apply to your organization.

Configuring the identity provider

Choosing the identity provider for your organization (Admin > Security Settings) affects how users sign in, and how user and group accounts are created and managed in Automation Suite.

Models

Although we provide several authentication settings for controlling access to your Automation Suite instance, they are all based on two main models: the default model and the Azure Active Directory (Azure AD) model, the latter of which lets you take advantage of more advanced authentication and identity management features.

Allow any user to sign in using basic authentication (Default model)

With this model, organization administrators create user accounts for employees in Automation Suite so that they can sign in.
The accounts that are created may represent a local account in Automation Suite, or a user in the external directory provider configured at the host level (as documented in Host authentication and security settings).

Enable enterprise SSO through Microsoft Azure Active Directory (Azure AD model)

Integrating with Azure Active Directory (Azure AD) provides scalable user and access management for your organization, so that all the internal applications your employees use stay compliant. If your organization uses Azure AD or Office 365, you can connect your Automation Suite organization directly to your Azure AD tenant to gain the following benefits:

Automatic user onboarding through seamless migration
  • Any Automation Suite service can assign permissions to any user or group in Azure AD at any time, without having to invite and manage Azure AD users in the Automation Suite organization directory.

  • You can provide single sign-on to users whose corporate username differs from their email address, which is not possible in the invitation-based model.

  • All existing users who have a UiPath user account have their permissions migrated automatically to their connected Azure AD account.


Simplified sign-in experience
  • Users do not need to accept an invitation or create a UiPath user account to access the Automation Suite organization, as they do in the default model. They can sign in with their Azure AD account by selecting the Enterprise SSO option or by using the organization-specific URL.

    If a user is already signed in to Azure AD or Office 365, they are signed in automatically.

  • UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Automation Suite URL, which provides the same seamless connection experience.


Extend governance and access management with your existing Azure AD groups
  • Azure AD security groups or Office 365 groups (also called directory groups) let you use your existing organizational structure to manage permissions at scale. You no longer need to configure permissions for each user in every Automation Suite service.

  • If several directory groups need to be managed together, you can combine them into a single Automation Suite group.

  • Auditing Automation Suite access is straightforward. Once permissions in all Automation Suite services are configured with Azure AD groups, you can rely on the existing verification processes tied to Azure AD group membership.


📘

Note:

When using the Azure AD model, all features of the default model remain available. However, to get the most out of these benefits, we recommend relying entirely on Azure AD's centralized account management.

If you would like to use Azure Active Directory as the identity provider for your organization, follow the instructions in Setting up the Azure AD integration.

SAML model

This model allows you to connect Automation Suite to your chosen identity provider (IdP) so that:

  • your users benefit from single sign-on (SSO), and
  • you can manage existing accounts from your directory in Automation Suite, without having to re-create identities.

Automation Suite can connect to any external identity provider that uses the SAML 2.0 standard.

Benefits

Automatic onboarding of users to Automation Suite

All users from your external identity provider are authorized to sign in to Automation Suite with basic rights when the SAML integration is active. What this means is:

  • Users can sign in to your Automation Suite organization via SSO using their existing company account, as defined in the IdP.

  • Without any further setup, they become members of the Everyone user group, which grants them the User organization role by default. To be able to work in Automation Suite, users still need roles and licenses assigned, as appropriate for their job.

If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Automation Suite in your identity provider.


User management

You can add users by assigning them directly to Automation Suite groups; to do this, enter their email address when adding users to the group.

Typically, administrators manage local accounts from Admin > Accounts & Groups > Users tab. But SAML users are directory accounts in Automation Suite, so they are not visible on this page.

After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Automation Suite for direct role or license assignment.


Attribute mapping

If you use UiPath Automation Hub, you can define custom attribute mapping to propagate attributes from your identity provider into Automation Suite. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.
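The service-provider side of the SAML onboarding and attribute mapping described above, as an added example that is not UiPath's code: an IdP-issued SAML 2.0 Response is checked for a Success status, its validity window and its audience, and only then are its attributes mapped onto the profile fields the page lists (first name, last name, email, job title, department). The attribute names, the SP entity ID and the sample Response are constructed assumptions. In a real SP the IdP's XML signature is verified before any of this runs, and untrusted XML goes through a hardened parser such as defusedxml.

```python
"""Service-provider side of SAML onboarding. Added example, not UiPath code:
attribute names, SP entity ID and the sample Response are constructed.
A real SP verifies the IdP's XML signature (e.g. python-xmlsec) BEFORE
calling this, and parses untrusted XML with defusedxml or equivalent."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://automationsuite.example.com/identity"  # assumed SP entity ID

# Assumed IdP attribute name -> profile field. The page names the fields,
# not the attribute URIs; these are common Azure AD / ADFS claim names.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "jobTitle": "job_title",
    "department": "department",
}

# Constructed, unsigned sample Response (illustration only).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://automationsuite.example.com/identity</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="jobTitle"><saml:AttributeValue>RPA Developer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


class SamlValidationError(Exception):
    pass


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_profile(response_xml: str, now_iso: str, audience: str = SP_ENTITY_ID) -> dict:
    """Check status, time window and audience, then map attributes.
    Raises SamlValidationError on the first failed check."""
    now = _ts(now_iso)
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion in Response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if audience not in audiences:
        raise SamlValidationError("assertion not issued for this SP")
    profile = {"name_id": (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name", ""))
        if field:
            value = attr.findtext("saml:AttributeValue", namespaces=NS)
            profile[field] = value.strip() if value else None
    # Per the page, a SAML user's first sign-in only makes them a member of Everyone.
    profile["groups"] = ["Everyone"]
    return profile


def check_response(response_xml: str, now_iso: str, audience: str = SP_ENTITY_ID) -> dict:
    """Non-raising wrapper: {"ok": bool, "reason": str | None, "profile": dict | None}."""
    try:
        return {"ok": True, "reason": None, "profile": extract_profile(response_xml, now_iso, audience)}
    except SamlValidationError as exc:
        return {"ok": False, "reason": str(exc), "profile": None}
```

Calling `check_response(SAMPLE_RESPONSE, "2024-05-01T10:00:00Z")` returns the mapped profile; the same Response presented at or after its NotOnOrAfter, before its NotBefore, or to a different audience is rejected with the matching reason, which is the behaviour you want before any attribute is written into a user record.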



Setup

Administrators can configure and enable the SAML integration for your entire organization from Admin > Security Settings.
For instructions, see Configuring the SAML integration.

Switching from the Azure AD integration to the SAML integration

After switching to the SAML integration, the Azure AD integration is disabled. Azure AD group assignments no longer apply, so Automation Suite group membership and the permissions inherited from Azure AD are no longer respected.

 

Allowing or restricting basic authentication

Basic authentication refers to signing in with the username and password of a local account.

If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.

Also see Configuration levels and inheritance for more information about this setting.

Setting basic authentication at the organization level

This setting is only available if an external provider integration is enabled at the host or organization level.

When set at the organization level, the setting applies to all accounts in the organization.
For exceptions, you can also set basic authentication at the account level so that the setting applies differently to specific accounts.

To allow or restrict basic authentication for your organization:

  1. Log in to the organization-level Management portal at https://<server>/identity/management as an administrator.
  2. Go to Security Settings.
  3. Under External Providers, click the Disable basic authentication for the organizations toggle to restrict or allow signing in with basic authentication:
    • If off (left toggle position, gray toggle), basic authentication is allowed.
    • If on (right toggle position, blue toggle), basic authentication is restricted. While restricted, the Allow basic authentication for the host administrators toggle is available.
  4. At the bottom-right of the External Providers section, click Save to apply your changes.

 

Configuring security options


To configure security options for your organization, go to Admin > Security Settings and edit the options as needed.

Password complexity

📘

Editing the Password complexity settings does not affect existing passwords; the new rules are enforced only when a password is next set or changed.

Special characters: Select to force users to include at least one special character in their password. By default, this checkbox is not selected.

Lowercase characters: Select to force users to include at least one lowercase character in their password. By default, this checkbox is selected.

Uppercase characters: Select to force users to include at least one uppercase character in their password. By default, this checkbox is not selected.

Digits: Select to force users to include at least one digit in their password. By default, this checkbox is selected.

Minimum password length: Specify the minimum number of characters a password must contain. By default, it is 8. The length cannot be smaller than 1 or greater than 256 characters.

Days before password expiration: Specify the number of days for which a password remains valid. After this period, the password expires and must be changed. The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days.

Number of times a password can be reused: Specify how many times a previously used password may be reused. The minimum accepted value is 0 (never allow reusing a password), and the maximum is 10.

Change password on the first login: If set to Required, users who log in for the first time must change their password before being allowed to access Automation Suite. If set to Not required, users can log in and continue to use the admin-defined password until it expires.

Account lockout

Enabled or Disabled toggle: If enabled, locks the account for the configured number of seconds after the configured number of consecutive failed login attempts. This also applies to the password change feature.

Account lockout duration: The number of seconds a user must wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout. The default value is 5 minutes (300 seconds). The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 seconds (30 days).

Consecutive login attempts before lockout: The number of failed login attempts allowed before the account is locked. The default value is 10 attempts. You can set a value between 2 and 10.
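The Password complexity and Account lockout settings above, as an added reference implementation in Python that is not UiPath's code. Defaults and accepted ranges are the ones the two tables state; how the failure counter resets, what a lockout duration of 0 means in practice, how the reuse count is interpreted, and the sample passwords are assumptions made for the example.

```python
"""Reference enforcement of the Password complexity and Account lockout
settings. Added example, not UiPath code: defaults and ranges follow the
tables above; counter-reset behaviour, the meaning of a 0 s lockout and
the reuse interpretation are assumptions; sample inputs are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import string


@dataclass
class PasswordPolicy:
    special_characters: bool = False    # page default: not selected
    lowercase_characters: bool = True   # page default: selected
    uppercase_characters: bool = False  # page default: not selected
    digits: bool = True                 # page default: selected
    minimum_password_length: int = 8    # accepted range 1..256
    days_before_expiration: int = 0     # 0 = never expires, max 1000
    reuse_limit: int = 0                # times a password may be reused, 0..10

    def __post_init__(self) -> None:
        if not 1 <= self.minimum_password_length <= 256:
            raise ValueError("minimum length must be between 1 and 256")
        if not 0 <= self.days_before_expiration <= 1000:
            raise ValueError("expiration must be between 0 and 1000 days")
        if not 0 <= self.reuse_limit <= 10:
            raise ValueError("reuse limit must be between 0 and 10")

    def violations(self, password: str, history: Iterable[str] = ()) -> List[str]:
        """Names of the rules a NEW password breaks (empty list = accepted).
        This runs only when a password is set, which is why changing the
        policy does not affect passwords that already exist."""
        failed = []
        if len(password) < self.minimum_password_length:
            failed.append("minimum_password_length")
        if self.lowercase_characters and not any(c.islower() for c in password):
            failed.append("lowercase_characters")
        if self.uppercase_characters and not any(c.isupper() for c in password):
            failed.append("uppercase_characters")
        if self.digits and not any(c.isdigit() for c in password):
            failed.append("digits")
        if self.special_characters and not any(c in string.punctuation for c in password):
            failed.append("special_characters")
        # Assumption: the password may appear at most reuse_limit times in the
        # history. Production code compares against stored password hashes.
        if sum(1 for old in history if old == password) > self.reuse_limit:
            failed.append("reuse")
        return failed

    def is_expired(self, age_days: int) -> bool:
        """0 means the password never expires."""
        return self.days_before_expiration > 0 and age_days >= self.days_before_expiration


@dataclass
class AccountLockout:
    enabled: bool = True
    lockout_duration_seconds: int = 300   # page default 5 minutes; 0..2592000
    attempts_before_lockout: int = 10     # page default 10; 2..10

    def __post_init__(self) -> None:
        if not 0 <= self.lockout_duration_seconds <= 2592000:
            raise ValueError("lockout duration must be between 0 and 2592000 seconds")
        if not 2 <= self.attempts_before_lockout <= 10:
            raise ValueError("attempts before lockout must be between 2 and 10")


@dataclass
class AccountState:
    failures: int = 0                     # consecutive failures so far
    locked_until: Optional[float] = None  # epoch seconds; None = not locked


class LockoutTracker:
    """Counts consecutive failures from sign-in AND password change, since the
    page says the lockout applies to the password change feature as well."""

    def __init__(self, policy: AccountLockout) -> None:
        self.policy = policy

    def is_locked(self, state: AccountState, now: float) -> bool:
        if state.locked_until is not None and now < state.locked_until:
            return True
        if state.locked_until is not None:  # lock has expired: start counting afresh
            state.locked_until, state.failures = None, 0
        return False

    def record_failure(self, state: AccountState, now: float) -> bool:
        """Register one failed attempt; returns True if the account is now locked."""
        if not self.policy.enabled:
            return False
        if self.is_locked(state, now):
            return True
        state.failures += 1
        if state.failures >= self.policy.attempts_before_lockout:
            state.locked_until = now + self.policy.lockout_duration_seconds
            return self.is_locked(state, now)  # False when the duration is 0
        return False

    def record_success(self, state: AccountState) -> None:
        """Called after an accepted sign-in: a success ends the consecutive run."""
        state.failures, state.locked_until = 0, None
```

With the page defaults, `PasswordPolicy().violations("password1")` is empty (lowercase, a digit and 8+ characters are all that is required), which is a useful reminder that the defaults are permissive; enabling the uppercase and special-character checks and raising the minimum length is where the policy gets its teeth. The tracker takes the clock as an argument so the lockout window can be exercised deterministically.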
