- Getting started
- Best practices
- Tenant
- Actions
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Action Catalogs
- Profile
- System Administrator
- Identity Server
- Authentication
- Other Configurations
- Integrations
- Classic Robots
- Troubleshooting
Orchestrator User Guide
About Users
A user is an entity with access-dependent capabilities whose view and control of Orchestrator rely on the assigned roles. Users can be created locally in Orchestrator (Local Users), or they can be created and managed in an external directory (Directory Users, Directory Groups).
-
Read about AD Integration for a better understanding of directory integration.
-
User types are described here.
-
Learn about Orchestrator's access-control model.
User management is done primarily from the Users page (Tenant context > Users). This page displays all available users, enables you to add or remove them and edit their details.
An active directory referenced in Orchestrator makes its members potential Orchestrator users. The access for a directory is configured in Orchestrator, either at the group level (Directory Group) or at the user level (Directory User).
- The
WindowsAuth.Enabled
parameter is set totrue
. - The
WindowsAuth.Domain
parameter is filled in with a valid domain. All domains and subdomains from forests 2-way trusted with the domain specified in theWindowsAuth.Domain
parameter are available when adding users/groups. - The machine on which Orchestrator is installed is joined to the domain set in the
WindowsAuth.Domain
parameter. To check whether the device is joined to the domain, run thedsregcmd /status
from the Command Prompt, and navigate to the Device State section. - The identity under which the Orchestrator ApplicationPool is running needs to be a part of the Windows Authorization Access group (WAA).
- Adding an AD group creates a user entity in Orchestrator called Directory Group, for which you configure access rights as desired. This entry serves as a reference to the group as found in AD.
- When logging in, Orchestrator checks your group membership against the AD database. If confirmed, it automatically provisions your user as a Directory User, and then associates it to the access rights inherited from the Directory Group (step 1). Inherited rights are only kept for the duration of the user session.
- Auto-provisioning takes place the first time you log in. An auto-provisioned user doesn't get deleted at log out as you might need the entry for audit purposes.
-
Changes made to AD group membership are synced with Orchestrator at every log-in or once every hour for active user sessions. This value can be changed using the WindowsAuth.GroupMembershipCacheExpireHours. If you are a member of X group, what happens is this:
- You log in, Orchestrator checks your group membership, then confirms your identity against the AD database. You are then granted access rights according to your Orchestrator configuration. If your system administrator changes your group membership from group X to group Y while you have an active session, the changes are interrogated by Orchestrator once every hour or the next time you log in.
- The only way to configure access rights that persist between sessions, regardless of how group membership changes, is to set them up explicitly per user in Orchestrator. We refer to them as explicit access-rights.
- AD users whose inherited access-rights cannot be determined, behave like local users, meaning they rely solely on explicitly-set access-rights.
- Groups in AD sync with Orchestrator, but not the way around. Changes made to Orchestrator do not affect user configuration in AD.
- Due to various networking or configuration issues, there is a chance that not all domains displayed in the Domain Name drop-down are accessible.
- Changes made to AD user/group names are not propagated to Orchestrator.
- It can take up to an hour to update the domain list with newly added two-way trusted domains.
- The
GetOrganizationUnits(Id)
andGetRoles(Id)
requests only return folders and roles explicitly set for an auto-provisioned user. The ones inherited from the group configuration can be retrieved through the/api/DirectoryService/GetDirectoryPermissions?userId={userId}
endpoint. - Same goes for the user interface, where only explicitly-set folders and roles are displayed on the Users page. In contrast, inherited ones have a new dedicated location, the User Permissions window (Users > More Actions > Check Permissions).
- Auto-provisioned users do not inherit alert subscription settings from the parent group, nor do they receive any alerts by default. To have access to alerts, you are required to grant the corresponding permissions to the user explicitly.
- Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close the Robot tray.
- On certain browsers, logging in to Orchestrator using your AD credentials only requires your username. There is no need to also specify the domain. Hence, if the domain\username syntax does not work, try filling in the username only.
- User membership: User [username] was assigned to the following Directory Groups [Directory Groups the user inherits access rights from in the current session].
- Auto-Provisioning: User [username] was automatically provisioned from the following Directory groups [Directory Groups the user inherits access rights from in the current session].
Optimizing resource consumption and maximizing execution capacity in modern folders involves little to no control over how users are allocated to jobs. For scenarios where a credential cannot be used more than once at a time (e.g., SAP), we've introduced the possibility to limit concurrent unattended execution. This helps modulate the job allocation algorithm by restricting a user from simultaneously executing multiple jobs.
Orchestrator comes with one predefined user only: admin. Its username cannot be changed, and it cannot be deleted. It has the Administrator role, but you can add other roles to it, and even deactivate it. Note that you can not deactivate the user you are currently logged in with.
Users with the Administrator role can activate, deactivate, and remove other users as well as edit information, including the password. You cannot delete users that have the Administrator role.
To perform various operations on the Users and Profile pages, you need to be granted the corresponding permissions:
- View on Users - Displaying the Users and Profile pages.
- Edit on Users - Editing user details and settings on the Profile page, and activating/deactivating users on the Users page. Configuring the Alerts section on the Profile page requires the corresponding View permissions per alert category.
- View on Users, View on Roles - Displaying user permissions on the User Permissions window.
- Edit on Users, View on Roles - Editing user details and settings on the Users page.
- Create on Users, View on Roles - Creating a user.
- View on Users, Edit on Roles - Managing user roles on the Manage Users window, in the Roles page.
- Delete on Users - Removing a user.
Read more about roles.
By default, Orchestrator does not allow user access via basic authentication. This functionality can be enabled with the Auth.RestrictBasicAuthentication parameter. This enables you to create local users that can access Orchestrator using their basic authentication credentials, allowing you to maintain existing integrations that relied upon basic authentication when calling the Orchestrator API.
Enabling basic authentication can be done when creating and editing users.
After 10 failed login attempts, you are locked out for 5 minutes. These are the default Account Lockout settings which can be changed on the Security tab.
Logging in with the same user on a different machine disconnects the user from the first machine.