
UiPath Orchestrator Guide

Accounts and roles

On the Manage Access page you can define and assign roles. In Orchestrator, you use roles to control the level of access an account should have.
On this page we go over the notions you need to understand to effectively plan and implement your access control strategy.

Two elements control the level of access a user has and the actions a user can perform:

  • Accounts, which establish a user's identity and are used to log in to UiPath applications
  • Roles, which are assigned to accounts to grant them certain permissions in the UiPath ecosystem.

Accounts are not created or managed in Orchestrator; only roles and their assignments are.

About accounts in Orchestrator


An account is a UiPath platform entity with access-dependent capabilities and whose view and control of Orchestrator rely on the assigned roles.

Accounts can be:

  • created and managed locally (local accounts), or
  • created and managed in an external directory (directory accounts and directory groups). See the section AD Integration for a better understanding of directory integration.

More information:
Learn more about the types of accounts.
Learn about Orchestrator's access-control model, which relies on role assignations.

An account is only available within its own organization.
Once an account has been successfully added, there are two ways of granting it rights to Orchestrator:

  • by adding the account to a group so that it inherits the roles of the group or
  • by assigning roles to the account at the service level.

You can use both methods for granular control over the access an account has in your organization.

Directory integration

An Active Directory (AD) referenced in Orchestrator makes its members potential Orchestrator users. In Orchestrator, the access level of directory accounts can be configured at the group level (directory groups) or at the user level (directory users).

You can integrate:

Note: Using a directory integration together with attended robot auto-provisioning and hierarchical folders allows for effortlessly setting up large deployments. See Managing large deployments for details.

Prerequisites

  • The authentication option through which you connect to the external directory is enabled.
  • A valid domain was specified during authentication configuration. All domains and subdomains from forests 2-way trusted with the specified domain are available when adding users/groups.
  • The machine on which Orchestrator is installed is joined to the specified domain. To check whether the device is joined to the domain, run dsregcmd /status from the Command Prompt, and navigate to the Device State section.
  • The identity under which the Orchestrator application pool runs must be a member of the Windows Authorization Access Group (WAA).

Behavior

  • Adding a directory group creates an entity in Orchestrator called a directory group, for which you configure access rights as desired. This entry serves as a reference to the group as found in AD.
  • When logging in, Orchestrator checks your group membership against the AD database and UiPath Identity Server. If confirmed, it automatically provisions your user as a directory user, and then associates it to the access rights inherited from the Directory Group (step 1). Inherited rights are only kept for the duration of the user session.
  • Auto-provisioning takes place the first time a user logs in. An auto-provisioned user account doesn't get deleted at log out as you might need the entry for audit purposes.
  • Changes made to group membership in the directory are synced with Orchestrator at every log-in or once every hour for active user sessions. This interval can be changed using the WindowsAuth.GroupMembershipCacheExpireHours setting. If you are a member of group X, what happens is this:
    You log in, Orchestrator checks your group membership, then confirms your identity against the AD database and Identity Server. You are then granted access rights according to your Orchestrator configuration. If your system administrator moves you from group X to group Y while you have an active session, Orchestrator picks up the change once every hour or the next time you log in.
  • The only way to configure access rights that persist between sessions, regardless of how group membership changes, is to assign a role to the user account directly and not through group membership.
  • AD users whose inherited access rights (from group membership) cannot be determined behave like local users, meaning they rely only on the roles assigned to the user account.
  • Groups in AD are synced to Orchestrator, but changes made in Orchestrator do not affect user configuration in AD.
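The behavior above (auto-provisioned directory users, roles inherited from directory groups for the duration of a session, membership re-read at login or after the cache expiry, and directly assigned roles that persist regardless of group changes) is easiest to reason about as a small model. The following is an added example written for this page; it is not Orchestrator's own code, and the group names, roles and timestamps are constructed. The cache-expiry value defaults to one hour, matching the page's description of WindowsAuth.GroupMembershipCacheExpireHours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default mirrors the page: membership is refreshed at every login or once per
# hour for an active session (WindowsAuth.GroupMembershipCacheExpireHours).
GROUP_MEMBERSHIP_CACHE_EXPIRE_HOURS = 1


@dataclass
class Directory:
    """Stand-in for the AD database: group name -> set of member usernames (constructed)."""
    members: dict

    def groups_of(self, user: str) -> set:
        return {g for g, m in self.members.items() if user in m}


@dataclass
class Session:
    user: str
    cached_groups: set      # group membership as seen at login / last refresh
    cached_at: datetime


class AccessModel:
    """Minimal model of Orchestrator's directory access rules (hypothetical, for illustration)."""

    def __init__(self, directory, group_roles, cache_hours=GROUP_MEMBERSHIP_CACHE_EXPIRE_HOURS):
        self.directory = directory
        self.group_roles = group_roles   # directory group entity -> roles configured on it
        self.direct_roles = {}           # auto-provisioned directory user -> roles assigned directly
        self.cache_hours = cache_hours

    def login(self, user, now):
        # First login auto-provisions the user; the entry is kept afterwards (audit purposes).
        self.direct_roles.setdefault(user, set())
        return Session(user, self.directory.groups_of(user), now)

    def assign_role(self, user, role):
        self.direct_roles.setdefault(user, set()).add(role)

    def effective_roles(self, session, now):
        # Inherited rights are re-evaluated only when the cached membership has expired.
        if now - session.cached_at >= timedelta(hours=self.cache_hours):
            session.cached_groups = self.directory.groups_of(session.user)
            session.cached_at = now
        inherited = set()
        for group in session.cached_groups:
            inherited |= self.group_roles.get(group, set())
        return self.direct_roles.get(session.user, set()) | inherited


def run_scenario():
    """Constructed walk-through: a user moved between groups mid-session, then given a direct role."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ad = Directory({"RPA-Ops": {"alice"}, "RPA-Dev": set()})
    model = AccessModel(ad, {"RPA-Ops": {"Robot"}, "RPA-Dev": {"Automation User"}})
    session = model.login("alice", t0)
    out = {"at_login": model.effective_roles(session, t0)}

    # The AD administrator moves alice from RPA-Ops to RPA-Dev while her session is active.
    ad.members["RPA-Ops"].discard("alice")
    ad.members["RPA-Dev"].add("alice")
    out["after_30min"] = model.effective_roles(session, t0 + timedelta(minutes=30))  # stale cache
    out["after_1h"] = model.effective_roles(session, t0 + timedelta(hours=1))        # refreshed

    # A directly assigned role survives even when alice is removed from every group.
    model.assign_role("alice", "Administrator")
    ad.members["RPA-Dev"].discard("alice")
    out["direct_only"] = model.effective_roles(session, t0 + timedelta(hours=2))
    return out


if __name__ == "__main__":
    for step, roles in run_scenario().items():
        print(f"{step:12s} -> {sorted(roles)}")
```

The point for an auditor is the `after_30min` step: a user removed from a group keeps the inherited rights until the cache expires or they log in again, so revocations that must take effect immediately should be done by removing a directly assigned role rather than by changing directory membership alone.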

Known issues

  • Due to various network or configuration issues, not all domains displayed in the Domain drop-down list may be accessible.
  • Changes made to user names or group names in AD are not propagated to Orchestrator.
  • Updating the domain list with a newly added two-way trusted domain can take up to one hour.
  • GetOrganizationUnits(Id) and GetRoles(Id) requests return only the folders and roles explicitly set for an auto-provisioned user. Folders and roles inherited from group configuration can be retrieved through the /api/DirectoryService/GetDirectoryPermissions?userId={userId} endpoint.
  • The same applies to the user interface: only explicitly set folders and roles are displayed on the Users page. Inherited folders and roles instead have a dedicated location, the User Permissions window (Users > More Actions > View Permissions).
  • By default, users do not inherit alert subscription settings from their parent group and do not receive any alerts. To access alerts, you need to explicitly grant the user the corresponding permissions.
  • Deleting a directory group does not release the licenses of the related directory users, even if the users are unassigned from all folders after the group is deleted. The only way to release a license is to close the Robot tray.
  • On some browsers, only the username is required when logging in to Orchestrator with your AD credentials; you do not need to specify the domain as well. Therefore, if the domain\username syntax does not work, try filling in only the username.

Audit considerations

  • User membership: user [username] was assigned to the following directory groups [the directory groups from which the user inherits access rights in the current session].
  • Auto-provisioning: user [username] was auto-provisioned from the following directory groups [the directory groups from which the user inherits access rights in the current session].
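Because inherited folders and roles are not shown on the Users page or returned by GetRoles(Id), the two audit entries above are often the quickest way to see which directory groups an account is actually drawing rights from. The following is an added example, not UiPath code: a small parser over constructed audit lines that extracts the user and group list from each entry and flags auto-provisioning from groups outside an expected allow-list. The exact English wording of the entries is assumed to follow the two patterns quoted on this page; adjust the regular expressions if your export formats them differently.

```python
import re
from dataclasses import dataclass

# Assumed line formats, taken from the two audit entries described on this page.
AUDIT_PATTERNS = {
    "membership": re.compile(
        r"^User membership: user (?P<user>\S+) was assigned to the following "
        r"directory groups \[(?P<groups>[^\]]*)\]"
    ),
    "auto_provision": re.compile(
        r"^Auto-provisioning: user (?P<user>\S+) was auto-provisioned from the "
        r"following directory groups \[(?P<groups>[^\]]*)\]"
    ),
}


@dataclass(frozen=True)
class AuditEvent:
    kind: str          # "membership" or "auto_provision"
    user: str          # e.g. CORP\alice (domain\username as it appears in the entry)
    groups: tuple      # directory groups the user inherits rights from in this session


def parse_audit_line(line: str):
    """Return an AuditEvent for a recognised entry, or None for anything else."""
    text = line.strip()
    for kind, pattern in AUDIT_PATTERNS.items():
        match = pattern.match(text)
        if match:
            groups = tuple(g.strip() for g in match.group("groups").split(",") if g.strip())
            return AuditEvent(kind, match.group("user"), groups)
    return None


def find_unexpected_provisioning(lines, expected_groups):
    """Flag auto-provisioning events that inherit rights from a group not in the allow-list.

    Returns a list of (user, [unexpected groups]) pairs.
    """
    findings = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event.kind != "auto_provision":
            continue
        unexpected = [g for g in event.groups if g not in expected_groups]
        if unexpected:
            findings.append((event.user, unexpected))
    return findings


# Constructed sample entries; usernames and group names are invented for illustration.
SAMPLE_AUDIT_LINES = [
    r"User membership: user CORP\alice was assigned to the following directory groups [RPA-Ops].",
    r"Auto-provisioning: user CORP\alice was auto-provisioned from the following directory groups [RPA-Ops].",
    r"Auto-provisioning: user CORP\bob was auto-provisioned from the following directory groups [RPA-Dev, Domain Admins].",
    "Some unrelated audit entry that the parser should ignore.",
]

if __name__ == "__main__":
    for user, groups in find_unexpected_provisioning(SAMPLE_AUDIT_LINES, {"RPA-Ops", "RPA-Dev"}):
        print(f"review: {user} auto-provisioned via unexpected group(s) {groups}")
```

Running the module over the sample lines reports only `CORP\bob`, whose session inherits rights from a group that was never meant to carry Orchestrator roles; the unrelated line is skipped.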

Disabling concurrent execution


Optimizing resource consumption and maximizing execution capacity in modern folders involves little to no control over how users are allocated to jobs. For scenarios where a credential cannot be used more than once at a time (for example, with SAP), you can limit concurrent execution for unattended processes. This modulates the job allocation algorithm by preventing a user from executing multiple jobs simultaneously.
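To make the allocation rule concrete, the following added example (not Orchestrator's own scheduler) models a queue of pending unattended jobs and a set of users, one of which has concurrent execution disabled because its SAP credential may not be used twice at a time. Job names and user names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class RobotUser:
    """A user account that unattended jobs can run under (illustrative model only)."""
    name: str
    # Models the page's "disable concurrent execution" option: when True, the allocator
    # never hands this user a second job while one is still running.
    concurrent_execution_disabled: bool = False
    running_jobs: list = field(default_factory=list)

    def can_take_job(self) -> bool:
        return not (self.concurrent_execution_disabled and self.running_jobs)


def allocate(pending_jobs, users):
    """Assign each pending job to the first user allowed to take it.

    Returns (assignments, still_pending), where assignments is a list of (job, user name).
    Jobs that no user may take right now stay pending for the next allocation round.
    """
    assignments, still_pending = [], []
    for job in pending_jobs:
        user = next((u for u in users if u.can_take_job()), None)
        if user is None:
            still_pending.append(job)
            continue
        user.running_jobs.append(job)
        assignments.append((job, user.name))
    return assignments, still_pending


def run_scenario():
    """Constructed scenario: one SAP account that must run serially, one unrestricted account."""
    sap_user = RobotUser("svc-sap", concurrent_execution_disabled=True)
    generic_user = RobotUser("svc-generic")

    # Three SAP jobs, one eligible user: only the first is started.
    sap_assigned, sap_pending = allocate(["sap-invoice-1", "sap-invoice-2", "sap-invoice-3"], [sap_user])
    # The first job finishes; the next round picks up exactly one more.
    sap_user.running_jobs.clear()
    sap_next, sap_left = allocate(sap_pending, [sap_user])
    # An unrestricted user may hold several jobs at once.
    generic_assigned, generic_pending = allocate(["report-a", "report-b"], [generic_user])

    return {
        "sap_assigned": sap_assigned,
        "sap_pending": sap_pending,
        "sap_next": sap_next,
        "sap_left": sap_left,
        "generic_assigned": generic_assigned,
        "generic_pending": generic_pending,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:17s}: {value}")
```

The restriction is per user, not per process: any other job that would run under the same credential waits until the running one completes, which is exactly the property a single-session backend such as SAP needs.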


User permissions


To be able to perform the various actions on the Users and Profile pages, you need the corresponding permissions:

  • Users - View - Displaying the Users and Profile pages.
  • Users - Edit - Editing user details and settings on the Profile page, and activating/deactivating users on the Users page.
  • Users - View and Roles - View - Displaying user permissions in the User Permissions window.
  • Users - Edit and Roles - View - Editing role assignments on the Manage Access > Assign Roles page.
  • Users - Create and Roles - View - Creating users.
  • Users - View and Roles - Edit - Managing roles from the Manage Users window opened from the Manage Access > Roles page.
  • Users - Delete - Deleting users from Orchestrator.

Read more about roles.

Permissions that have no effect


Although you can select all available permissions (View, Edit, Create, Delete) for any permission category, the following permissions have no effect for the listed categories:

  Permission   Category
  Edit         Audit, Execution Media, Logs
  Create       Audit, License, Settings, Monitoring
  Delete       Alerts, Audit, Settings, Logs, Monitoring

This is because, for example, system-generated logs cannot be edited.

Security considerations


Basic authentication

By default, Orchestrator does not allow user access via basic authentication. This functionality can be enabled by adding and configuring the Auth.RestrictBasicAuthentication setting. This enables you to create local accounts that can access Orchestrator using their basic authentication credentials, allowing you to maintain existing integrations that relied on basic authentication when calling the Orchestrator API.

Enabling basic authentication can be done when creating and editing accounts.

Account lockout

By default, after 10 failed login attempts you are locked out for 5 minutes.

System administrators can customize the Account Lockout settings from the host Management portal.

Logging in with the same account on a different machine disconnects the user from the first machine.

Updated 8 months ago
