orchestrator

latest

false

Getting started
- Introduction
- Robots
  - Robot Settings
- Auto Updating Client Components
- Time-to-live Periods
- Orchestrator Outbound IP Addresses
- Notifications
Best practices
- Organization Modeling in Orchestrator
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Unattended automation
- Organizing Resources With Tags
- Orchestrator Read-only Replica
- Exporting grids in the background
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
- Folders
- Monitoring
- Access control
  - Account types
  - Default roles
  - Migrating from break inheritance to union of privileges
  - Managing custom roles
  - Configuring access for accounts
- Configuring automation capabilities
- Machines
- Solutions
- Packages
- Audit
- Credential Stores
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Settings
Cloud robots
- Elastic Robot Orchestration
- Automation Cloud™ Robots - VM
- Automation Cloud™ Robots - Serverless
- Configuring VPN for cloud robots
- Configuring an ExpressRoute connection
- Live streaming and remote control
- My notifications
Folders Context
- About the Folders Context
- Home
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- Recording
- Live streaming and remote control
  - Live streaming and remote control via RealVNC
    - Error scenarios
  - Live streaming and remote control via TightVNC
    - Error scenarios
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
- Running Personal Remote Automations
- Process Data Retention Policy
Apps
- About Apps
- Publishing an App to a Tenant
- Managing Apps
- Running a Deployed App from a Folder
Triggers
- About triggers
- Managing triggers
- Managing Non-Working Days
- Using Cron Expressions
  - Triggering jobs on the last day of the month
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
Monitoring
- About Monitoring
- Machines
- Agents
- Processes
- Queues
- Indexes
- Queues SLA
Queues
- About Queues and Transactions
- Bulk uploading Queue Items using a CSV file
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read only)
- Storing Assets in HashiCorp Vault (read only)
- Storing Assets in AWS Secrets Manager (read only)
Business Rules
- About Business Rules
  - Permissions for Business Rules
- Managing Business Rules
  - Creating a business rule
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
Indexes
- About indexes
- Managing indexes
Orchestrator testing
- FAQ - Deprecating the testing module
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
- Testing Data Retention Policy
Resource Catalog Service
- About Resource Catalog Service
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Troubleshooting
- About Troubleshooting
- Alerts troubleshooting
- General troubleshooting
- Frequently Encountered Orchestrator Errors

Orchestrator user guide

DELIVERY:

Last updated May 14, 2025

Configuring access for accounts

As an administrator, you can configure fine-grained tenant or folder permissions for objects that already exist at the organization level (i.e. groups, users, robot accounts, external apps), via Orchestrator, by assigning them to tenants or folders in Orchestrator. An object gets the permissions required to perform particular operations in a tenant or folder through one or more roles.

You can use groups to simplify access control, as groups allow you to manage objects with similar needs together.

Note:

When you rename a local group at the organization level, it is also renamed in Orchestrator. If you rename it several times in a short timeframe, only the last change is captured in the Orchestrator audit logs. If you want to see all such changes, you can check the organization-level audit.
Since the username of a robot account is permanent, and cannot be changed after it is set, the Username column under Manage Access also remains unchanged. For example, if you rename the robot from Test to Test1, only the Name column updates with the new value, leaving the Username unchanged. For more information, refer to Adding robot accounts.

To make use of all available types of identities, groups, users, robot accounts, and external apps are split into separate pages for groups, users, robot accounts, and external apps. You can find these under dedicated tabs, on the Manage Access page.

As an overview of the tabs, the All tab includes all objects that have been assigned access at the tenant level. The Groups, Users, Robot accounts, and External apps tabs include the local and directory groups, local and directory users, robot accounts, and external apps that have been assigned access at the tenant level.

Tenant-level access control

The Manage access page allows you to control access for all objects (i.e.groups, users, robot accounts, external apps). This means that you can:

assign to a tenant any objects that already exist at the organization level
configure permissions for objects in Orchestrator
remove tenant access from the existing objects

Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.

Assigning groups to a tenant

In a tenant, when assigning groups and adding roles to it, note that these are inherited by all users and robot accounts that are part of that group.

Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.

In the search field, type an existing user group to which you want to prove tenant access.

Should a new group be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and select the checkbox for each role you want to assign to the selected group.

If needed, you can define a new role by clicking New role.
Under Account Settings, you can choose if the group members can to log in to the Orchestrator UI.

Important: If the UI access setting is enabled for at least one of the groups to which an account belongs (including the Everyone group), then disabling it at the account level or for other groups has no effect for that particular account, only for other group members that are not in the same situation.
If you want to also create an attended robot for group members, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning accounts to a tenant

We recommend that you manage user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular user, you can directly provide access to the user, as follows:

In the search field, type the user to whom you want to assign access to the tenant.

Should a new user be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and then select the check box for each role you want to assign to the selected user.

If needed, you can define a new role by clicking New role.
Under Account Settings, you can choose if the user can log in to the Orchestrator UI.
If this account is a member of any groups that have UI access enabled, changing this setting for individual accounts has no effect because the group-level setting is inherited by all accounts. To control UI access for individual accounts, you must either remove the account from groups with a conflicting setting, or remove the group with the conflicting setting from Orchestrator.
(Optional) Under Update policy settings, choose the release level to which you want this user to be required to update UiPath applications on their workstation. If you select a policy, the user will not be able to use UiPath® Robot, Studio, or Assistant until they upgrade these applications to the version required by the policy. This setting can help you make sure that all your users are using the same versions.
If you want to also create an attended or unattended robot for this user, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning robot accounts to a tenant

We recommend that you manage robot access by assigning roles to groups and then adequately assigning robot accounts to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular robot account, you can directly grant access to the robot, as follows:

In the search field, type the robot account to which you want to grant access to the tenant.

Should a new robot be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and then select the checkbox for each role you want to assign to the selected robot.

If needed, you can define a new role by clicking New role.
If you want to also create an unattended robot for this user, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning external apps to a tenant

As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.

Go to Tenant > Manage Access. The Manage Access page is displayed.
Click Assign roles > External app. The Assign roles to an external app window is displayed.
In the search field, type the name of the external app you want to add.
Under Roles, select the role(s) for this object.
Click Assign.

Assigning multiple accounts

Go to Tenant > Manage access and click the Roles tab.
On the Roles page, select a role from the list and click More Actions > Manage Users.

The Manage Users window is displayed and all users, groups, and robots are listed. If a checkbox is selected, that means the objects have this role assigned to them.
Select or clear the checkboxes as needed so that only those who should have this role are selected.
Click Update to apply your changes.

Changes to roles apply immediately when a user logs in, or automatically within one hour.

Checking assigned roles

You can see what roles are assigned to an object (user, group, robot account, external app) from the following tenant-level locations:

Manage access > Assign roles tab > select the object from the list > More Actions > Check roles & permissions
Manage access > Assign roles > three-dots icon > Check roles & permissions
Robots > select the account from the list > More Actions > Check roles & permissions
Monitoring > User sessions > select the account from the list > Check roles & permissionsicon

These options display the View permissions window, which is split between the Tenant access and Folder access sections. In turn, each section is made up of:

The roles pane - includes the name of the role and its type (i.e. explicitly assigned or inherited).
The permissions pane - lists the permissions included in the selected roles.

Tenant access

This section displays the roles and permissions granted at the tenant level. You can choose between these options:

All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the tenant level.
Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the tenant level.

Folder access

This section displays the roles and permissions granted at the folder level.

You can use the selection box to choose the particular folder for which to display the roles and their permissions. The list only contains folders where the selected entity is assigned.

If the selected entity has more than one role for the chosen folder, you can choose between these options:

All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the folder level.
Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the folder level.

Removing a user or group

Removing a user or group from Orchestrator does not delete the account from your organization.

Go to Tenant > Manage access > Assign roles tab.
Select the user or group, click More Actions , and select Remove.

If the user whose role you want to delete has a robot that is currently busy, you are informed that any running jobs will be deleted, and are asked whether you want to proceed with the deletion or cancel the operation.
Confirm the operation.

The user or group is removed from Orchestrator and all roles are revoked.

Alternatively, select one or multiple users, and click the Remove button.

Important:

You cannot remove a user having the Administrator role.
You cannot remove or unassign users part of mappings that are employed in triggers from the folder the trigger resides in. Make sure the user is not set as an execution target in a trigger so you can delete them.
Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant.

Recommended role-to-group mapping

The right combination of group and role allows you to correctly separate permissions, and give granular control to the appropriate people. To achieve this, we recommend the following role-group pairing:

Group	Has access to the Orchestrator interface	Has access to all folders/personal workspace only	Has API access	Tenant role	Folder role
Automation Users	No	Personal workspace Important: If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.	Yes	Allow to be Automation User	Automation User
Automation Developers	Yes	All folders	Yes	Allow to be Automation Developer	Automation Developer
Administrators	Yes	All folders	Yes	Orchestrator Administrator	Folder Administrator
Automation Express	Yes	All folders	Yes	Allow to be Automation User	Automation User

Troubleshooting

The Not Found error

If an account was removed from the organization, when attempting to edit, enable/disable, or remove the account from Orchestrator (Tenant > Manage Access), a Not found (#1002) error is displayed.

In this case, the account in fact no longer exists and no longer has access to the UiPath products.

Folder-level access control

In the tenant, access can also be controlled at folder-level from the Folders tab, used for managing folders and objects, and from the folder context, in the sidebar menu.

Assigning objects to a folder

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next, click Assign and select the object to be added to the folder.

Note: You can also filter objects by category (all, user, group, robot account, external app).

In order to assign the object, you are required to add a role to it. Once this is done, click Assign, and the object becomes visible in the list.

Another method to assign objects to a folder is to go to the folder context from the sidebar menu and click Users > Assign. In the search field, type the name of the object you want to add to the folder, select the roles it needs, and click Assign to finish the configuration.

Editing access

To give specific folder access to assigned objects (groups, users, robot accounts, external apps), open a folder from the sidebar menu and go to Users. Next to the object for which you want to edit the folder access, click More Actions > Edit role in this folder. This brings up the assign page, where you can add or remove any roles for the selected object.

The same steps can be applied when going to Tenant > Folder tab > Accounts & Groups > More Actions next to the object you want to modify > Edit role in this folder. Now you can add or remove any roles for the selected object.

Removing folder access

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next to the object you would like to remove, click More Actions > Unassign. Once this is performed, the object no longer has access to that folder.

Important: Accounts part of account-machine mappings that are employed in triggers cannot be deleted or unassigned from the folder in which the trigger resides. Make sure the account is not set as an execution target in a trigger to be able to delete it.

Subfolder access

A folder hierarchy can be established with up to 7 levels. This structure includes the top-level folder and allows for 6 additional layers of subfolders beneath it. In terms of user access, it is inherited from the parent folders. This means if you are assigned access to a folder, you automatically gain access to all of its subfolders.

Important: Performance degradation and possible errors occur when loading the Folder selection menu for an account assigned to more than 1,000 folders.

Personal Workspace access control

When configuring attended robots for a group or a single user, you also have the option to create a personal workspace for it.

To enable this option, go to Tenant > Manage Access > select the user or group > More Actions > Edit > Next > check the option Enable this user to run automations > check the option Create a personal workspace for this user. Once this is done, a new folder, My Workspace, is visible in the sidebar menu, next to the other folders.

Personal Workspaces permissions

Tenant-level permissions required to manage the workspaces of other users:

Settings - View and Settings - Edit to allow the use of personal workspaces in the tenant from the Tenant > Settings page.
Users - View and Users - Edit to enable a personal workspace for a user or group by editing it from the Manage Access page.

Folder-level permissions required to use a personal workspace:

Alerts - View to see alerts generated for the personal workspace.
Actions - View,Actions - Edit,Actions - Create, and Actions - Delete to enable long-running workflow execution in the personal workspace.
Action Catalogs - View,Action Catalogs - Edit,Action Catalogs - Create,Action Catalogs - Delete to allow the user to manage action catalogs in the personal workspace.

Checking assigned roles

You can see what roles are assigned to an object (user, group, robot account, external app) from the following tenant-level locations:

Manage access > Assign roles tab > select the object from the list > More Actions > Check roles & permissions
Manage access > Assign roles > three-dots icon > Check roles & permissions
Robots > select the account from the list > More Actions > Check roles & permissions
Monitoring > User sessions > select the account from the list > Check roles & permissionsicon

These options display the View permissions window, which is split between the Tenant access and Folder access sections. In turn, each section is made up of:

The roles pane - includes the name of the role and its type (i.e. explicitly assigned or inherited).
The permissions pane - lists the permissions included in the selected roles.

Tenant access

This section displays the roles and permissions granted at the tenant level. You can choose between these options:

All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the tenant level.
Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the tenant level.

Folder access

This section displays the roles and permissions granted at the folder level.

You can use the selection box to choose the particular folder for which to display the roles and their permissions. The list only contains folders where the selected entity is assigned.

If the selected entity has more than one role for the chosen folder, you can choose between these options:

All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the folder level.
Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the folder level.

Recommended role-to-group mapping

Group	Has access to the Orchestrator interface	Has access to all folders/personal workspace only	Has API access	Tenant role	Folder role
Automation Users	No	Personal workspace Important: If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.	Yes	Allow to be Automation User	Automation User
Automation Developers	Yes	All folders	Yes	Allow to be Automation Developer	Automation Developer
Administrators	Yes	All folders	Yes	Orchestrator Administrator	Folder Administrator
Automation Express	Yes	All folders	Yes	Allow to be Automation User	Automation User

On this page

Tenant-level access control
Assigning groups to a tenant
Assigning accounts to a tenant
Assigning robot accounts to a tenant
Assigning external apps to a tenant
Assigning multiple accounts
Checking assigned roles
Removing a user or group
Recommended role-to-group mapping
Troubleshooting
Folder-level access control
Assigning objects to a folder
Editing access
Removing folder access
Subfolder access
Personal Workspace access control
Checking assigned roles

Was this page helpful?

PREVIOUSManaging custom roles

NEXTConfiguring automation capabilities

Support and Services

Get The Help You Need

UiPath Academy

Learning RPA - Automation Courses

UiPath Forum

UiPath Community Forum

Trust and Security

Cookies Policy