- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Setup Samples
- Storing Robot Credentials in CyberArk
- Setting up Attended Robots
- Setting up Unattended Robots
- Storing Unattended Robot Passwords in Azure Key Vault (read-only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Audit
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Classic Robots
- Host administration
- Organization administration
- Troubleshooting
Orchestrator User Guide
FAQ
1. What happens access-wise to a user that belongs to multiple groups?
The user receives the union of access rights associated to each group he belongs to.
Example: John Smith belongs to the HR and Finance groups which have been added to Orchestrator. HR group has the Management role and access to the HR folder, Finance has the Executor role, and access to the Finance folder. Being part of both groups, John has the Management and Executor roles and access to both the HR and Finance folders.
2. What happens access-wise when a user is also added separately alongside a group it belongs to?
The user receives the union of access rights associated to the group he belongs to and the ones explicitly set. Keep in mind that inherited access rights are dependent on group settings, and that explicitly set access rights are independent of group settings.
Example: John Smith has been individually added from AD and explicitly given the Executor role, and access to the Finance folder. The HR group (of which John is a member) has been also added to Orchestrator, and given the Management role and access to the HR folder. John has the Executor and Management roles, and access to both the HR and Finance folders. If he is removed from the HR group at AD level, he loses the Management role and access to the HR folder, but keeps the ones set explicitly.
3. My user belongs to two groups, the first one allows automatic Robot creation, the second doesn't. Does a Robot get created for my user or not?
Since a user receives the union of rights associated to all the groups he belongs to, a Robot gets created for your user based on the configuration made for the first group.
4. I deleted/deactivated a directory group. Will the associated directory users still be able to log in?
No, if you did not set access-rights explicitly for them. Yes, if you granted them access-rights individually in Orchestrator. Inherited access-rights are are only kept for the duration of the active user session. Only explicitly set access rights persist between sessions. Deleting or deactivating a directory group deletes inherited rights, but does nothing to those which have been explicitly set.
5. When do changes made to an AD group take effect in Orchestrator?
WindowsAuth.GroupMembershipCacheExpireHours
parameter.