Orchestrator
2022.10
Orchestrator User Guide
Last updated Apr 19, 2024

Assigning Roles

Overview

The Assign roles tab of the Manage access page lets you search for users and groups that already exist at the organization level and configure permissions for them in Orchestrator.

Note: Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.

To assign roles

  1. Go to Tenant > Manage access.
  2. Above the table, on the right, click Assign roles and select User, Robot account, or Group.

    The Assign roles window opens.

  3. Follow the applicable instructions, available below:
    1. Assigning roles to a group
    2. Assigning roles to a user
    3. Assigning roles to a robot account

Assigning Roles to a Group

If you assign roles to a group, those assigned roles are inherited by all users who are part of that group.

Note: Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.

1) General Details

  1. In the Select a group field, type to search for an existing user group to which you want to assign roles.

    If needed, you can create a new group by clicking Add new to the right of the field.

  2. Click the Roles field and then select the check box for each role you want to assign to the selected group.

    If needed, you can define a new role by clicking New role to the right of the field.

    If classic folders are inactive for your tenant, you can only assign Tenant roles and Mixed roles. If you want to also assign Folder roles to this group, you must do so from the Folders page or from the folder's Settings page.

  3. Under Web Access, click the toggle to select if the group members can log in to the Orchestrator UI.
    Note: If this setting is enabled in at least one of the groups to which an account belongs (including the Everyone group), disabling it at the account level or in other groups has no effect for that account. The disabled setting applies only to other group members who are not in the same situation.
  4. Under UI Profile, select the user interface profile for the members of this group.


  5. If you want to also create an attended robot for group members, click Next.

    Otherwise, click Skip and assign to apply your settings. Skip the rest of the instructions in this section.

2) Robot Setup



  1. Under Attended Robot, set the first toggle to Enabled if you want to automatically create an attended robot for each group member.
    Note: For groups, the default robot settings apply. If you want to customize robot settings, you have to make the adjustments explicitly for each user after you finish this process.
    Note: Make sure that you also assign an attended user license - either at the group level, or to individual accounts - so that they can use the attended robot.
  2. Click the second toggle Automatically create Personal Workspaces for members of this group to set it to off (left position) if you do not want each user to have a Personal Workspace.
  3. Click Assign.

The group is now visible on the Assign roles tab of the Manage access page and the members of the group benefit from the changes as soon as they log in or within the hour if they are already logged in.

Assigning Roles to an Account

We recommend that you maintain user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the roles they need.

However, if you need to perform a one-time role assignment for a specific user, you can assign roles to the user directly, as described below.

  1. Go to Tenant > Manage Access > Assign roles tab.
  2. In the top right of the tab, click Assign roles and select User.

1) General Details

  1. In the Select a user field, type to search for the user to whom you want to assign roles.

    If needed, you can add a new user to your organization by clicking Add new to the right of the field.

  2. Click the Roles field and then select the check box for each role you want to assign to the selected user.

    If needed, you can define a new role by clicking New role to the right of the field.

    If classic folders are inactive for your tenant, you can only assign Tenant roles and Mixed roles. If you want to also assign Folder roles to this user, you must do so from the Folders page or from the folder's Settings page.

  3. Under Web Access, click the toggle to select if the user can log in to Orchestrator by navigating directly to the Orchestrator URL.
    Note: If this account is a member of any groups that have Web Access set to enabled, changing this setting for individual accounts has no effect because the group-level setting is inherited by all accounts. To control web access for individual accounts, you must either remove the account from groups with a conflicting setting, or remove the group with the conflicting setting from Orchestrator.
  4. Under UI Profile, select the user interface profile for the user.


  5. (Optional) Under Update policy settings, choose the release level to which you want this user to be required to update UiPath applications on their workstation.

    If you select a policy, the user will not be able to use UiPath Robot, Studio, or Assistant until they upgrade these applications to the version required by the policy. This setting can help you make sure that all your users are using the same versions.

  6. If you want to also create an attended or unattended robot for this user, click Next and continue with the next sub-section.

    Otherwise, click Skip and assign to apply your settings. Skip the rest of the instructions in this section.

2a) Attended Robot



  1. Under Attended Robot, set the first toggle to Enabled (right position) if you want to automatically create an attended robot for the user.
  2. Select the Enable a Personal Workspaces for this user option if you want them to have a Personal Workspace.
  3. If the user license management model is disabled, under License Type select a user license to assign to the user. What is my licensing model?
    Note:

    If the user license management model is enabled, the License Type options are not available on this page.

    You must also assign an attended user license - either at the group level, or to individual users - so that they can use the attended robot.

  4. Click the second toggle Automatically create Personal Workspaces for members of this group to set it to off (left position) if you do not want each user to have a Personal Workspace.

2b) Unattended Robot

  1. Under Unattended Robot, click the toggle to set it to Enabled (right position) if you want to also create an unattended robot for the user.

    If this user does not require an unattended robot, click Next to review robot settings and continue with step 15 or click Skip and assign to apply your changes and skip the rest of the instructions in this section.

  2. In the Domain\Username field, type the domain and username used to log on to the machine on which UiPath Robot is installed. The credentials must exist in the selected credential store.
    • For domain-joined users, use the domain\username syntax. For example deskover\localUser1.
    • For local Windows accounts, use the host_machine_name\username syntax, with the host machine's name instead of the domain. For example, LAPTOP1935\localUser2.
    • For local Windows accounts residing on multiple host machines, which you want to use regardless of machine, use the .\username syntax with a dot instead of the host machine name. For example .\localUser3.
      Note:

      The credentials you set must match the Windows account credentials for the machine on which this account can run automations.

      To get the account name, on the machine, open command prompt and use the whoami command.
  3. In the Password field, enter the password for the above-mentioned account which is used to log on to the machine on which UiPath Robot is installed.
  4. From the Credential Type list, select the type of credentials you provided above for the unattended robot.
  5. Optional: If you opted for a CyberArk® credential store, indicate the External Name. If not specified, the default value is used.
  6. Under Concurrent execution, click the toggle to set it to Enabled (right position) if you want to only allow this robot to run one job at a time. If disabled, the user can simultaneously execute multiple jobs.
  7. Click Next to review additional settings for the unattended robot.

    If you do not want to customize robot settings, click Skip and assign to apply your changes and skip the remaining instructions in this section.

3) Robot Settings

  1. Configure execution settings for the UiPath Robot.
  2. Click Assign. The entity is created and displayed on the Manage Access page. One floating robot is created for each configured above per user.

Assigning Roles to a Robot Account

  1. Go to Tenant > Manage Access > Assign roles tab.
  2. In the top right of the tab, click Assign roles and select Robot account.

1) General Details

  1. In the Search for a Robot account field, type to search for the robot account to which you want to assign roles.

    If needed, you can add a new robot account to your organization by clicking Manage Accounts to the right of the field. You must be an organization administrator to be able to add accounts.

  2. Click the Roles field and then select the checkbox for each role you want to assign to the robot account.

    If needed, you can define a new role by clicking New role to the right of the field.

    If classic folders are inactive for your tenant, you can only assign Tenant roles and Mixed roles. To also assign Folder roles to this account, you must do so from the Folders page or from the folder's Settings page.

2) Robot Setup

Note: For robot accounts, Unattended robot is enabled by default and cannot be disabled. Also, there is no option for Attended robot.
  1. If this account will be used to run foreground processes, under Settings, select the Machine login credentials checkbox to specify the account credentials for logging in to the machine.
    • In the Domain\Username field, type the domain and username used to log on to the machine on which UiPath Robot is installed.
      For domain-joined users, use the domain\username format. For example uipath\localUser1.
      For local Windows accounts, use the host_machine_name\username format, with the host machine's name instead of the domain. For example, LAPTOP1935\localUser2.
      For local Windows accounts residing on multiple host machines and which you want to use regardless of machine, use the .\username format, with a dot instead of the host machine name. For example .\localUser3.
      Note:

      The credentials you set must match the Windows account credentials for the machine on which this account can run automations.

      To get the account name, on the machine, open command prompt and use the whoami command.
    • In the Password field, type the password for the above-mentioned account.

    • From the Credential Type list, select the type of credentials you provided above.

    • If you selected a CyberArk credential store, indicate the External Name. If not specified, the default value is used.

  2. If you want to only allow the robot to run one job at a time and therefore consume only one runtime, select the Run only one job at a time checkbox.

    If disabled, the robot can simultaneously execute multiple jobs. The maximum number of jobs it can run at the same time depends on the number of runtimes that were allocated to the standard machine or machine template on which the robot runs.

  3. Click Next to review additional settings for the robot and continue with the instructions in the next sub-section.

    If you do not want to customize robot settings, click Skip and assign to apply your changes and skip the remaining instructions.

3) Robot Settings

  1. Configure execution settings for the UiPath Robot.
  2. When finished, click Assign.

The robot account is now set up and displayed on the Assign roles page.

Checking Roles

To see what roles are assigned to a user or a group:

  1. Go to Tenant > Manage access > Assign roles tab.
  2. Click Check roles & permissions above the table.

    The Check roles window opens.

  3. In the Select a user field, type to search for the group or user whose roles you want to check. Optionally, filter the results by Users or Groups.
  4. Select the group or user from the search results.

    You can see the user or group's roles at the tenant and folder level. You can also see whether the role has been explicitly assigned or inherited from a group they are in.



    Important: If you are using an Azure AD guest user account, the role information that is displayed may not be accurate.
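
The inheritance rules on this page (group roles pass to members, and Web Access enabled in any one group overrides a disabled account-level toggle) can be audited offline. This is an added example, not UiPath code: the Group and Account records, their field names, and the sample tenant are constructed for illustration and do not reflect any Orchestrator export or API format.

```python
from dataclasses import dataclass, field

@dataclass
class Group:                      # hypothetical record, not an Orchestrator schema
    name: str
    web_access: bool
    roles: set = field(default_factory=set)

@dataclass
class Account:                    # hypothetical record, not an Orchestrator schema
    name: str
    web_access: bool              # account-level Web Access toggle
    roles: set = field(default_factory=set)     # explicitly assigned roles
    groups: list = field(default_factory=list)  # directory group memberships

def effective_access(account, groups):
    """Return (web_access, groups_granting_it, {role: [sources]})."""
    # Groups that are not present in Orchestrator contribute nothing.
    member_of = [groups[g] for g in account.groups if g in groups]
    granting = sorted(g.name for g in member_of if g.web_access)
    # Rule from the page: enabled in any one group wins over a disabled toggle.
    web = account.web_access or bool(granting)
    sources = {role: ["explicit"] for role in sorted(account.roles)}
    for g in member_of:
        for role in sorted(g.roles):
            sources.setdefault(role, []).append("group:" + g.name)
    return web, granting, sources

def shadowed_denials(accounts, groups):
    """Map accounts whose disabled toggle has no effect to the groups responsible."""
    findings = {}
    for acct in accounts:
        web, granting, _ = effective_access(acct, groups)
        if web and not acct.web_access:
            findings[acct.name] = granting
    return findings

# Constructed sample tenant ("Legacy" is a group that is not in Orchestrator).
GROUPS = {g.name: g for g in (
    Group("Everyone", False),
    Group("Operators", True, {"Operator"}),
    Group("Auditors", False, {"Viewer"}),
)}
ACCOUNTS = [
    Account("alice", False, {"Viewer"}, ["Everyone", "Operators"]),
    Account("bob", False, set(), ["Everyone", "Auditors"]),
    Account("carol", True, {"Operator"}, ["Everyone"]),
    Account("dave", False, set(), ["Everyone", "Operators", "Legacy"]),
]
```

On the sample data, shadowed_denials(ACCOUNTS, GROUPS) reports alice and dave: both have the account-level toggle off but still get web access through the Operators group.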

Editing Roles

  1. Go to Tenant > Manage access > Assign roles tab.
  2. At the right end of the row, click More Actions and select Edit.
  3. Make changes as needed.
  4. When finished, click Update to apply your changes.
    Note: You cannot change the email address for users that logged in to Orchestrator using an external identity provider.

Activating or Deactivating a User

Note: Only users with administrative privileges can perform this operation. Orchestrator access is revoked for deactivated users.
  1. Go to Tenant > Manage access > Assign roles tab.
  2. At the right end of the row, click More Actions and select Activate or Deactivate.

    The user entity is updated on the Users page.

Removing an Account or Group

Removing a user or group from Orchestrator does not delete the account from your organization.

  1. Go to Tenant > Manage access > Assign roles tab.
  2. At the right end of the row, click More Actions and select Remove.
  3. Confirm the operation.

The user or group is removed from Orchestrator and all roles are revoked.

Alternatively, select one or multiple users, and click the Remove button.

Important:
  • You cannot remove a user having the Administrator role.
  • Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant on the user's machine.
Important: For accounts that are part of mappings which are employed in triggers, you cannot delete them or unassign them from the folder where the trigger resides. To delete such an account, first make sure it is not set as an execution target in a trigger.

Troubleshooting

Not Found Error

If an account was removed from the organization, when attempting to edit, enable/disable, or remove the account from Orchestrator (Tenant > Manage Access), a Not found (#1002) error is displayed.

In this case, the account in fact no longer exists and no longer has access to the UiPath products.

Disabling Concurrent Execution

Optimizing resource consumption and maximizing execution capacity in modern folders involves little to no control over how users are allocated to jobs. For scenarios where a credential cannot be used more than once at a time (for example, with SAP), you can limit concurrent execution for unattended processes. This helps modulate the job allocation algorithm by restricting a user from simultaneously executing multiple jobs.


