Orchestrator User Guide
Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Jul 19, 2024

Managing Roles

About Roles

Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator features are included in roles.

For example, here's a custom role where you can see some of the permissions it includes:

For more information about roles, see Managing access and automation capabilities.

Deciding which permissions to include

Each role is a combination of permissions which control the program areas and actions that accounts with the role can access.

Example: A role called Infra, which is intended for the person managing the VMs you use for automation, may include permissions such as Machines - View, Machines - Edit, Machines - Create, and Machines - Delete, as well as other permissions that are relevant for their job.

When creating or editing a role, you must review the list of available permissions and decide which ones to include or not. Here are some approaches that you can try:

  • Start from our default roles: Orchestrator comes with default roles for the most common automation user types, such as the Administrator role, Automation User, and more. You can either use these roles, or duplicate the one that is closest to what you need, and then customize it.
  • Create a custom role: When creating a role, you are presented with a list of all available permissions for the tenant or folder level, depending on the role type, and you must decide which ones to include or not.

Viewing permission information

While creating or editing a role, you can hover over the checkbox of a permission to see to which Orchestrator pages the permission allows access. The information can help you broadly decide if to include the permission or not.

  • The functions of permissions can be more complex than only access to and abilities within the context of a page. When in doubt about what permissions are necessary for a task, check the documentation for that task for detailed permission requirements.For advanced users, you can also check the Orchestrator API Swagger, which includes information about the required permissions for each operation. For instructions see Accessing the Swagger file.
  • The information that is displayed for each permission only covers Orchestrator pages. It does not cover pages or actions in other UiPath services.

    For example, you may see that no pages are blocked by the ML Skills permissions, meaning that the permission has no effect in terms of access to Orchestrator pages. But granting permissions for ML Skills is necessary for using UiPath AI CenterTM. In this case, you must check the AI Center documentation for more information about the ML Skills permissions.

Creating a role

When creating a role, you can start from scratch and create a custom role, or you have the option to import a role.

Creating a Custom Role

  1. Go to Tenant > Manage access and select the Roles tab.
  2. Click Add a new role and select if you want to add a new tenant or folder role.

    A form opens with all the permissions available for the type of role you selected.

  3. Make sure that the Add new option is selected at the top.
  4. In the Name field, type a representative name for the role, such as Action Center Superuser.
  5. Select the check boxes for the permissions you want to include in the new role:

    The checkboxes for permissions that have no effect cannot be selected


  6. Click Create.

The role is now available and you can add one or multiple users who need the set of permissions that this role provides by following the instructions below.

Importing a Role

You can base a new role on a role you already have, even if the base role is in a different organization or tenant. If you export the base role, you can import it to any tenant and, if needed, customize it.

  1. Go to Tenant > Manage access and select the Roles tab.
  2. If not already done, export the role that you want to use as a base.

    Note if the exported role is a tenant or a folder role.

  3. Click Add a new role and select if you want to add a new tenant or folder role.

    Make sure you choose the correct type, according to the type of the role you want to import.

  4. At the top of the page, select the Import option:

  5. Upload the CSV file obtained from exporting the base role.
    If the base role included permissions without effect that were selected, the message Uploaded role contains unapplicable permissions. Only applicable permissions are selected. appears along the top. This indicates that, although selected in the base role, these permissions have been deselected following import because we no longer allow selecting these types of permissions.

    The information of the imported role is displayed on the page. All permissions that the exported role included are selected.

  6. Optional:
    • edit the name to use for the new role being created and
    • select or deselect checkboxes to make changes to the permissions.
  7. When finished, click Create.
  8. If the role includes elevated permissions (for example, Users - Create), a notification appears. Click OK to create the new role.

The new role is now available on the Roles page and you can assign it to accounts or groups as needed.

Editing a role

  1. Go to Tenant > Manage access and select the Roles tab.
  2. Click More Actionsdocs image at the right end of the row and select Edit.

    If the user whose role you want to edit has a robot that is currently busy, you are informed that any running jobs might fail, and are asked whether you want to proceed with saving your edits or cancel the operation.

    You cannot edit default roles, so there is no Edit option for these. If you need a custom version of a default role, select Duplicate & Customize instead (not available for mixed roles).

  3. Change the permissions as needed.
  4. Click Update.

Changes to roles apply immediately when a user logs in, or within one hour if the user is already logged in.

Removing a role

You cannot remove any of the default roles, you can only remove custom roles.

Important: Removing a role also removes it from any user that had it assigned. Users with no roles assigned cannot access any resource.
  1. Go to Tenant > Manage access and select the Roles tab.
  2. Click More Actions docs image at the right end of the row and select Manage Users.
  3. Review the users who has this role assigned and make sure you reassign them to a different or similar role if needed before deleting the role.
  4. Click More Actions docs image at the right end of the row and select Remove.

Exporting a role

If you want to recreate a particular role in a different organization or tenant, you can export the role as a CSV file and then import it in the target Orchestrator tenant.

To export a role as a CSV file:

  1. Go to Tenant > Manage access and select the Roles tab.
  2. Click More Actionsdocs image at the right end of the row and select Export.
    Note: You cannot export mixed roles because we do not allow creating new mixed roles.

    A download begins for a CSV file which contains the role definition.

  3. Save the file locally.

You can now use this file to import the role into any Orchestrator tenant.


The CSV file is intended to be used strictly for importing back into Orchestrator in the form in which it was exported. Editing the file in any way can result in import errors.

If you need to make changes to the exported role, you have the option to do so during the import process.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.