Orchestrator release notes

We fixed an issue where the entry point could be cleared when creating or updating a release through an API request that did not include the entry point in the payload.

The entry point is now resolved automatically when it is not provided.

We added support for Delinea Secret Server (read only) as a credential store in Orchestrator.

This new integration is the successor to the existing Thycotic Secret Server store and is suitable for organizations that have migrated to the latest Delinea platform version. Both integrations share the same underlying SDK and the same rule-based onboarding mechanism, making it easy to migrate existing Thycotic credential stores to the new Delinea store.

We highly encourage you to migrate existing Thycotic credential stores to the new Delinea integration.

For more information, check the Delinea Secret Server integration section from the Integrating credential stores page in the Orchestrator user guide.

The AddQueueItem and BulkAddQueueItem endpoints now return the underlying JSON schema validation details when an item is rejected due to a schema mismatch.

Previously, these endpoints returned a generic error, which made it harder to identify which field violated the queue's schema. The detailed response now includes the specific validation output, helping you correct invalid payloads faster.

When a user or machine is deleted from a tenant, the references to that user or machine are now automatically removed from the tenant-level Default Execution Identity configuration.

Previously, deleted users or machines remained as dangling entries in the configuration. The references were skipped at apply time, but they produced repeated warning logs and made the configuration harder to inspect. With this change, the configuration stays in sync with the actual users and machines in the tenant.

The Personal Workspace Administrator built-in folder role now includes Create, Edit, and Delete permissions for Subfolders.

Previously, this role only granted View on subfolders, which meant users could not delete subfolders inside their Personal Workspace, including the automatically generated Debug folder, unless a tenant administrator explicitly granted the Subfolders Delete permission at the tenant level.

For more information about default folder roles, check the Personal Workspace Administrator role section from the Orchestrator user guide.

Binding overwrites now properly support tenant-level resources, which are handled separately from folder-level resources.

Previously, all resources involved in a binding overwrite were treated as folder-level. As a result, a tenant-level entity could be displayed as Unknown in the Orchestrator UI even when the entity existed, and updating a tenant-level entity with another tenant-level resource returned a Folders not found (#2829) error. With tenant-level resources now handled accordingly, these scenarios work as expected.

You can now add an additional layer of encryption to Orchestrator storage buckets by enabling the Store in encrypted format option during bucket creation.

By default, all storage buckets are protected using service-side encryption. When this option is enabled, each file stored in the bucket is additionally encrypted with a unique per-file encryption key, which is itself encrypted using your customer-managed key (CMK).

The option is available only for organizations that have access to customer-managed keys.

You can now add static IPs to the allowlist for Automation Cloud Robots - Serverless and not open your network to all external IPs in United Kingdom and India regions. To use static IPs, you must explicitly enable this option in your serverless robot template. After enabling them, you can add the corresponding IPs to your allowlist. For the list of static IPs, check the Static IP configuration page from the Automation Cloud admin guide.

When deploying a solution, a Default Serverless template is now automatically attached to ensure automations can run without additional setup.

This removes the need to manually configure machine templates and helps avoid common deployment issues where processes fail due to missing runtimes.

Scheduled agentic jobs now correctly display their source as Trigger instead of Manual in Job Events and Maestro.

This ensures better visibility into how processes are started, helping users distinguish between manually triggered and scheduled executions.

You can now filter resources by entity sub-type directly from the Resources tab in the cross-folder Registry page, leading to more precise and relevant search results.

Restarting a failed job now correctly retains its input arguments, even when they were stored as an InputFile.

Previously, jobs with large inputs could lose their configuration on restart, requiring users to manually re-enter arguments. This update ensures a smoother restart experience by automatically restoring the original inputs.

A new IXP Models permission is now available at the folder level, giving you more control over access to IXP models.

You can also assign this permission in custom folder-level roles to fit your access control needs.

You can now control whether asset values can be accessed outside of automations using the new Access Scope setting.

When creating or editing an asset, choose one of the following options:

This gives you more flexibility while maintaining control over sensitive data.

Existing assets are not affected. By default, they remain set to Automations only unless explicitly changed.

You can now retrieve a specific asset by its name using the GetAssetByName endpoint.

This is useful when you already know the asset name and want to fetch its value outside of an automation workflow.

For more information, check the Retrieving a specific asset by name section from the Assets requests page in the Orchestrator API guide.

You can now sort resources by Type in the Resources tab of the cross-folder Registry page, making it easier to organize and find specific entries.

We updated the default Orchestrator landing experience so that navigating to the main Orchestrator route now opens the Tenant Overview page instead of the folder-level homepage.

If needed, you can manually save the folder-level homepage URL as a browser bookmark for direct access.

For more information about the improved Tenant Overview experience, including additional enhancements such as cross-folder jobs visibility, check the Tenant section from the Orchestrator user guide.