orchestrator

2022.4

false

Getting started
- Introduction
- User Options
- Resetting Your Password
- My Profile
- Robots
  - Robot Statuses
  - Robot Settings
- Auto Updating Client Components
- Orchestrator Configuration Checklist
Best practices
- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Organizing Resources With Tags
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
  - Managing Robots
  - Connecting Robots to Orchestrator
  - Setup Samples
  - Storing Robot Credentials in CyberArk
  - Setting up Attended Robots
  - Setting up Unattended Robots
  - Storing Unattended Robot Passwords in Azure Key Vault (read-only)
  - Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
  - Deleting Disconnected and Unresponsive Unattended Sessions
  - Robot Authentication
  - Robot Authentication With Client Credentials
  - SmartCard Authentication
- Folders
  - Managing Folders
  - Classic Folders Vs Modern Folders
  - Migrating From Classic Folders to Modern Folders
  - Administration of Modern Folders
  - Personal Workspaces
  - Managing Personal Workspaces
- Monitoring
  - Unattended Sessions
  - User Sessions
  - License
- Managing Access and Automation Capabilities
  - Assigning Roles
  - Managing Roles
  - Default Roles
  - FAQ
- Machines
  - Managing Machines
  - Assigning Machine Objects to Folders
  - Configuring Account-machine Mappings
- Packages
  - Managing Packages
  - About Libraries
  - Managing Libraries
- Audit
- Credential Stores
  - Managing Credential Stores
  - CyberArk® CCP Integration
  - Azure Key Vault Integration
  - HashiCorp Vault Integration
  - BeyondTrust Integration
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Alerts
  - Setting Up Alert Emails
- Settings
  - General Tab
  - Deployment Tab
  - Robot Security Tab
  - Scalability Tab
  - Non-Working Days Tab
Resource Catalog Service
- About Resource Catalog Service
Folders Context
- About the Folders Context
- Home
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- About Recording
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
Triggers
- About Triggers
- Managing Triggers
- Using Cron Expressions
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
Monitoring
- About Monitoring
- Machines
- Processes
- Queues
- Queues SLA
- Exporting usage data
Queues
- About Queues and Transactions
  - Queue Item Statuses
  - Business Exception Vs Application Exception
  - Studio Activities Used With Queues
- Bulk Uploading Queue Items Using a CSV File
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read-only)
- Storing Assets in HashiCorp Vault (read-only)
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
- Moving Bucket Data Between Storage Providers
Orchestrator testing
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
  - Managing Test Data Queues in Orchestrator
  - Managing Test Data Queues in Studio
  - Field Descriptions for the Test Data Queues Page
  - Test Data Queue Activities
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Classic Robots
- Robots
  - Managing Robots
  - Robot Statuses
  - Setup Samples
- Environments
  - Managing Environments
- Jobs
- Triggers
- Monitoring
  - Robots
- Resources
Troubleshooting
- About Troubleshooting
- Frequently Encountered Orchestrator Errors

OUT OF SUPPORT

Orchestrator user guide

DELIVERY:

Last updated Dec 16, 2025

Managing Roles

About Roles

Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator features are included in roles.

For example, here's a custom role where you can see some of the permissions it includes:

Creating a Role

When creating a role, you can start from scratch and create a custom role, or you have the option to import a role.

Creating a Custom Role

Go to Tenant > Manage access and select the Roles tab.
Click Add a new role and select if you want to add a new tenant or folder role.

A form opens with all the permissions available for the type of role you selected.
Make sure that the Add new option is selected at the top.

The Import option is for when you want to import a role and use it as a base to create your new role.
In the Name field, type a representative name for the role, such as Action Center Superuser.
Select the check boxes for the permissions you want to include in the new role:

Note: The checkboxes for permissions that have no effect cannot be selected.
Click Create.

The role is now available and you can add one or multiple users who need the set of permissions that this role provides by following the instructions below.

Importing a Role

You can base a new role on a role you already have, even if the base role is in a different organization or tenant. If you export the base role, you can import it to any tenant and, if needed, customize it.

Go to Tenant > Manage access and select the Roles tab.
If not already done, export the role that you want to use as a base.

Note if the exported role is a tenant or a folder role.
Click Add a new role and select if you want to add a new tenant or folder role.

Make sure you choose the correct type, according to the type of the role you want to import.
At the top of the page, select the Import option:
Upload the CSV file obtained from exporting the base role.

Note: If the base role included permissions without effect that were selected, the message Uploaded role contains unapplicable permissions. Only applicable permissions are selected. appears along the top. This indicates that, although selected in the base role, these permissions have been deselected following import because we no longer allow selecting these types of permissions.

The information of the imported role is displayed on the page. All permissions that the exported role included are selected.
Optional:
- edit the name to use for the new role being created and
- select or deselect checkboxes to make changes to the permissions.
When finished, click Create.
If the role includes elevated permissions (for example, Users - Create), a notification appears. Click OK to create the new role.

The new role is now available on the Roles page and you can assign it to accounts or groups as needed.

Assigning a Role to Multiple Accounts

Note:

These instructions are for assigning tenant roles.

If you need to assign a folder role, you can:

go to Tenant > Folders and then select the folder where you want to assign the role
select the folder in the left pane to switch to folder context and then go to the Settings page for that folder.

Go to Tenant > Manage access and select the Roles tab.
On the Roles page, click More Actions at the right end of the row and select Manage Users.

The Manage Users window is displayed and all users, groups, and robots are listed. If the checkbox on the left is selected, that means they have this role assigned to them.
Select or clear the checkboxes as needed so that only those who should have this role are selected.
Click Update to apply your changes.

Changes to roles apply immediately when a user logs in, or automatically within one hour.

Editing a Role

Go to Tenant > Manage access and select the Roles tab.
Click More Actions at the right end of the row and select Edit.

Note: You cannot edit default roles, so there is no Edit option for these. If you need a custom version of a default role, select Duplicate & Customize instead (not available for mixed roles).
Change the permissions as needed.
Click Update.

Changes to roles apply immediately when a user logs in, or within one hour if the user is already logged in.

Removing a Role

You cannot remove any of the default roles, you can only remove custom roles.

Important: Removing a role also removes it from any user that had it assigned. Users with no roles assigned cannot access any resource.

Go to Tenant > Manage access and select the Roles tab.
Click More Actions at the right end of the row and select Manage Users.
Review the users who has this role assigned and make sure you reassign them to a different or similar role if needed before deleting the role.
Click More Actions at the right end of the row and select Remove.

Exporting a Role

If you want to recreate a particular role in a different organization or tenant, you can export the role as a CSV file and then import it in the target Orchestrator tenant.

To export a role as a CSV file:

Go to Tenant > Manage access and select the Roles tab.
Click More Actions at the right end of the row and select Export.

Note: You cannot export mixed roles because we do not allow creating new mixed roles.

A download begins for a CSV file which contains the role definition.
Save the file locally.

You can now use this file to import the role into any Orchestrator tenant.

Important:

The CSV file is intended to be used strictly for importing back into Orchestrator in the form in which it was exported. Editing the file in any way can result in import errors.

If you need to make changes to the exported role, you have the option to do so during the import process.

On this page

About Roles
Creating a Role
Creating a Custom Role
Importing a Role
Assigning a Role to Multiple Accounts
Editing a Role
Removing a Role
Exporting a Role

Was this page helpful?

PREVIOUSAssigning Roles

NEXTDefault Roles