Orchestrator Release Notes
2023.10
Release date: October 23, 2023
Released on November 1, 2023
Keeping your Orchestrator database neat and free of clutter ensures a smooth experience both during day to day operations, as well as during upgrades. However, as your automation operations increase in size and coverage, this can become a daunting task. In an effort to help you streamline it, we have created a set of scripts that you can use to regularly clean up old data, with the added option to schedule their execution at times that are convenient for you.
You can read more about the Orchestrator database maintenance scripts in the dedicated documentation, and you can download them from the Customer Portal.
Classic folders and all their associated objects are now removed. This change brings about the removal of all such objects from the Orchestrator interface.
If you are planning on upgrading to this version, make sure to migrate any existing classic folders to modern folders.
You can see the Classic folders removal page for details on the steps leading up to this change.
Roles help thoroughly control access to Orchestrator features and objects, allowing you to reliably separate users based on their permissions. In an effort to make this task as easy and effective as possible, we are making several changes to our default roles.
Permission changes
The Automation User folder role and the Allow to be Automation User tenant role no longer have permission to publish processes. This gives the role the minimum folder level permissions needed to execute processes. This way, we ensure that personal user packages do not accidentally get published without first being reviewed.
New roles
Two new sets of roles are available, allowing you to combine several roles so as to achieve the desired results while still maintaining granularity:
-
Automation Publisher and Allow to be Automation Publisher - only contains the permissions needed for publishing processes to Orchestrator, and can be combined with any existing role.
-
Automation Developer and Allow to be Automation Developer - can create automations.
New roles are added as read-only.
In the unlikely event that an organization already contains a custom role with the same name as one of the new roles mentioned above, we will rename it to "Role name - custom". This way, both roles can be used.
Assignment changes
When you assign a default folder role, you are automatically prompted to also assign its tenant counterpart. This is how we ensure that you are not missing any permissions needed for your automations.
Known issue: This option does not work for Active Directory users or groups.
Removal checks
When the Orchestrator Administrator role is unassigned from a user, we check that they are not the last user with that role. The same check applies when deleting a user or a group if there are no other users or groups with the Administrator or the Orchestrator Administrator role.
We're excited to announce the latest enhancement to our platform's access control capabilities — the introduction of a new user group: Citizen Developers. This new group is defined at the organization level and will be seamlessly integrated across all services within the platform.
With the Citizen Developers group, citizen developers can access resources pertinent to their work without any unnecessary access clutter, leading to reduced overhead for your administrators.
To learn more about how the user group is integrated into the various services within the platform, refer to the product documentation.
Unattended automation is one of the core functionalities of Orchestrator, allowing you to set up tasks that can then be carried out on their own, with no human involvement whatsoever. Its seemingly simple output is, however, built on top of a complex foundation, which involves piecing together just the right components.
Clicking Get started allows you to start selecting the necessary Orchestrator objects for your future unattended automation: machine template, robot account, folder, and connection settings. Each step comes with detailed instructions and helpful tips, as well as links to sections where you can create any required objects.
Creating a queue trigger from the API now also requires the Create on Queues permission.
Auth.RememberMe.Enabled
setting in the Authorization
section of the UiPath.Orchestrator.dll.config
file has been removed, as it is no longer used. This allowed you to select whether the Remember Me checkbox on the Login page was displayed or not. However, this particular option is no longer configurable from Orchestrator, as it has been moved
to the Identity Server.
The OpenLDAP store is now available as a secrets engine for HashiCorp Vault.
When you convert an inactive personal workspace to a folder, it now becomes available only to the administrator who initiated the conversion. As such, no other users will have access to it.
You can now log in to Elasticsearch through an API key that you generate and store yourself in a key vault. All you need to do is retrieve the key, store it in your Azure key vault, and connect Orchestrator to this vault by following our instructions.
Now you can set alert subscriptions for groups. This way you can control what alert types a group receives, based on the common denominator of the group members.
Subsequent alert emails are then sent to users that are part of those groups, provided those users have View permission on Alerts at group level.
Known issues:
-
Alert emails sent to groups may be written in English, regardless of the language preference of individual group members.
-
Local users part of local and mail-enabled AD/AAD groups may receive duplicate emails for alerts that have been generated for both groups.
You will have likely wondered why your job was stuck in a Pending status, with no idea how to get it to run. We are coming to your aid with a section in the Job Details windows that is solely dedicated to the reasons why your job has not yet started. What is more, if available, you get actionable advice for each reason - this can either be a link that directs you to the section in Orchestrator where you can fix the problem, or a specific action to take for your particular scenario. In case you do not have permissions to fix the problem, you may need to ask for help from an administrator.
Ever wanted to create dashboards and metrics based on your jobs data? Nothing stands in your way, as you can export all of your job reports from the current folder and download them to your machine. Read more about Exporting grids.
We have streamlined the way data is exported from grids. These are the changes you can benefit from now:
-
When you click Export, you are no longer asked for confirmation. Instead, you are shown a notification letting you know that the export is in progress.
- Once done, another notification is displayed, letting you know that the exported data is ready for download.
-
The download then starts automatically if you have the Alerts - View permission.
- If you don't, you can download the exported data from the My Reports page.
Reports containing exported data from queue transactions, audit, logs, and jobs pages included instances of duplicate information which are now cleaned up. Specifically, exports now only contain absolute time columns, which are expressed in the tenant's timezone.
Reports endpoints available for audit logs, robot logs, and queue definitions are now deprecated. As such, we advise against using the following:
-
GET/odata/AuditLogs/UiPath.Server.Configuration.OData.Reports
-
GET//odata/RobotLogs/UiPath.Server.Configuration.OData.Reports
-
GET/odata/QueueDefinitions({key})/UiPathODataSvc.Reports
The endpoints listed above will be removed in April 2024.
If you would like to retrieve such reports, we recommend these steps:
-
Initiate an export by calling the appropriate endpoint:
-
For audit logs:
POST/odata/AuditLogs/UiPath.Server.Configuration.OData.Export
-
For robot logs:
POST/odata/RobotLogs/UiPath.Server.Configuration.OData.Export
-
For queue definitions:
POST/odata/QueueDefinitions({key})/UiPathODataSvc.Export
Important:- This operation returns an ID that is necessary for the next two steps.
-
-
Get the status of the report by calling the
GET/odata/Exports({key})
endpoint and appending the ID returned at step 1 to it. -
Once the status is Completed, get a download link for retrieving the exported archive, by calling the
GET/odata/Exports({key})/UiPath.Server.Configuration.OData.GetDownloadLink
endpoint and appending the ID returned at step 1 to it.
\ / : * ? " < > |
). This is now fixed by replacing invalid characters with _
, thus allowing queue items to be exported.
QueueProcessingRecords
resource used for returning statistical information on queues and transactions via API returns data that is maximum 90 days
old. You can request data by day, hour, and minute, but it is only displayed if it has been recorded within the last 90 days.
This does not affect the UI functionality, where information recency is still capped at 30 days.
Non-consecutive dots are now allowed in Amazon S3 storage bucket names.
Internal packages, namely packages uploaded via Orchestrator-hosted feeds, are now sorted by published date. The published date is the date when the most recent version of a package was published.
GET/odata/RobotLogs
endpoint, namely MachineKey
. As the name suggests, this stores the machine key, which was previously held by the MachineId
parameter.
MachineKey
, which has a GUID format, was introduced in order to persist robot logs in tenant move scenarios. MachineId
has a dynamic number format, meaning that it cannot be persisted in such cases.
MachineKey
, as MachineId
will be removed in April 2024.
Jobs started from personal workspaces must always run under the identity of the user that started them, not under the identity of the personal workspace owner. As such, if you want to start a job while exploring a personal workspace, you need to have your own robot defined for that specific purpose, regardless of any other robots defined in that workspace.
When you restart a job, the Machine field is now prefilled with the same machine that was initially used for that particular job.
The Jobs page has been enhanced with the new Process filter, allowing you to further narrow down the list of jobs per your desired criteria.
SetTransactionResult
endpoint.
With a success payload on a failed item:
POST https://{yourDomain}/odata/Queues(1)/UiPathODataSvc.SetTransactionResult
{
"transactionResult": {
"IsSuccessful": true
}
}
POST https://{yourDomain}/odata/Queues(1)/UiPathODataSvc.SetTransactionResult
{
"transactionResult": {
"IsSuccessful": true
}
}
With a failure payload on a successful item:
POST https://{yourDomain}/odata/Queues(1)/UiPathODataSvc.SetTransactionResult
{
"transactionResult": {
"IsSuccessful": false,
"ProcessingException": {
"Reason": "string",
"Details": "string",
"Type": "ApplicationException"
}
}
}
POST https://{yourDomain}/odata/Queues(1)/UiPathODataSvc.SetTransactionResult
{
"transactionResult": {
"IsSuccessful": false,
"ProcessingException": {
"Reason": "string",
"Details": "string",
"Type": "ApplicationException"
}
}
}
1866
, with the message "Invalid transition from a final status". This indicates that you cannot change the status after the queue
item reaches a final state.
Besides optimizing your Queue processing mechanism, this also enables UiPath Insights to update and properly sync data based on queue item events.
DeferDate
or DueDate
properties in the SetTransactionResult
payload to move transactions out of their final states. Going forward, to set a new defer or due date, you'll need to clone
the transaction or create a new one.
Now you can set a custom default retention policy for your jobs. You can choose either to permanently delete old jobs, or move them to a designated storage bucket and have them available for future access. Doing so, you free up the database in an organized manner and your Orchestrator performs better. But you should be aware that even if you do not configure your own policy, a default one still applies.
Additionally:
- two new retention columns are available for selection in the Processes > Columns filter, to help you quickly identify the existing policy of a process
- a new alert is available for email subscriptions on the Alert preferences page, to inform you about process retention failures
Discover the retention policy tips and tricks on our documentation page.
When you enable the option, you are given the choice to either wait for running jobs to finish, or to kill all running jobs before going into maintenance mode. Pending jobs, however, keep their status until they are picked up.
We have added new settings to help you control when triggers are disabled following job failure. This is what you can now benefit from:
- A new setting in the time trigger and queue
trigger creation window, namely Set execution-based trigger disabling. When the
toggle is enabled, you are presented with two options:
- Disable when consecutive job execution fail count – the trigger is disabled after the number of failed executions you choose for this setting.
- Grace period on disabling the trigger (days) – the number of days to wait before the trigger is disabled after the first failure of a job.
Robots can now download packages from the tenant feed as long as they have the View on Packages permission.
You can now set SLA predictions with more granularity, as we have added the Minutes field to both the Enable SLA for this queue and Risk SLA sections.
31W
subexpression in order to indicate that a job should be executed on the last day of the month or on the closest weekday to
the last day of the month.
The current behavior is as follows:
-
For months with 31 days, the
31W
subexpression leads to the job being executed:-
on the 31st of the month if it falls on a weekday
-
on the nearest weekday to the 31st if the 31st falls on a weekend
-
-
For months with less than 31 days, the
31W
subexpression prevents any jobs from being executed, thus skipping the month entirely. In this case, we recommend usingLW
instead. This triggers the job on the last weekday of the month, regardless of the number of days, meaning that no months are skipped.
We have added four new columns to the Transactions page (Queues > View Transactions):
-
Deadline (absolute)
-
Postpone (absolute)
-
Started (absolute)
-
Ended (absolute)
Note that they are not enabled by default, so make sure to select them from the Columns list.
These columns are also included in exported reports.
The Action Catalog option has been added to the Type filtering menu in the tenant search window.
POST odata/Webhooks
endpoint.
The user interface items pertaining to account and group assignments have been updated so as to reflect the fact that external apps can also be assigned. Specifically, Assign account/group is now Assign account/group/external app.
The transaction Reviewer column now includes the name, surname, and email address of the reviewer.
.xaml
sources (i.e. the Include Sources option selected in the Publish options > Compilation settings section) can now be viewed in their entirety in the package explorer. This applies to Windows and cross-platform projects.
When the connection to the credential store which contains robot credentials is not established, thus preventing the password from being retrieved, the robot is no longer started, and you are now returned the following error:
Unable to retrieve credentials from {credential_store_name} credential store. Please check your connection settings and ensure the {credential_store_name} service is running.
Unable to retrieve credentials from {credential_store_name} credential store. Please check your connection settings and ensure the {credential_store_name} service is running.
This prevents you from being locked out of the robot account due to repeated attempts to start the robot without credentials.
When Unattended licenses expire, the quantity available for allocation no longer matches the actual allocation. In that case, the following explanatory error is displayed:
Update failed! Too many licenses [license type] have been allocated. Please disconnect X [license type] from machines runtimes
to match the number of defined licenses.
-
Important: The fix only applies to this version. For previous versions, you need to add the following section to the web.config file:
We have fixed an issue that prevented Swagger authentication if Orchestrator and Identity Server were deployed as Azure app services with different URLs.
<rewrite> <outboundRules> <rule name="CSP"> <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" /> <action type="Rewrite" value="default-src 'self' https://<YOURIDENTITYURL>;connect-src 'self' https://<YOURIDENTITYURL>;script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self'" /> </rule> </outboundRules> </rewrite>
<rewrite> <outboundRules> <rule name="CSP"> <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" /> <action type="Rewrite" value="default-src 'self' https://<YOURIDENTITYURL>;connect-src 'self' https://<YOURIDENTITYURL>;script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self'" /> </rule> </outboundRules> </rewrite>
-
When you deleted a user from the host tenant, then created another user with the same username and e-mail address as the one that you had deleted, you could no longer log in to the non-host tenant. This occurred due to a missing rule around provisioning a new user once another user with the same information was deleted. This issue is now fixed.
-
The
minLevel
NLog setting in the Identity Serverappsettings.json
file was not being honored. The defaultminLevel
is "Info" indicating that logs of "Info" severity and above should have been logged. However, theminLevel
was not being considered, and logs with lower severity levels, specifically "Trace" and "Debug", were also being written to the logs. -
Previously, there was an issue where well-known SIDs were inadvertently included when retrieving security groups, leading to unexpected behavior. Well-known SIDs are no longer included when fetching security groups, ensuring smoother and more predictable functionality.
-
After upgrading to version 2022.10.1 or later, logging into the host tenant, then logging out, and subsequently switching to a different tenant resulted in redirection back to the previous log-out location instead of the selected tenant. Now, after logging out and switching tenants, you will be correctly redirected to the selected tenant's page instead of the previous log-out location.
-
Navigating the Browse Bucket window posed some minor display issues that are now fixed.
-
Due to a lack of synchronization, changes made to robot accounts and external applications at the organization level were not reflected in Orchestrator. Now, when you delete or rename an external application or when you delete a robot account at the organization level, the same thing happens to these entities in the Orchestrator folders where they were added.
-
Using the Upload JSON and override option at the transaction level, in the Edit queue item window, allowed you to bypass important validations related to unsupported characters. This would lead to errors when trying to use that particular queue. The issue no longer occurs.
Swagger UI
We have fixed an issue that affected Swagger UI versions 3.14.1 to 3.37.2, allowing their libraries to fetch potentially malicious specification files linked through Swagger UI. Note that the issue is not directly exploitable, and it requires an authenticated user to actually open the malicious link.
To overcome this, we strongly advise you to update to the latest possible version (major or cumulative update).
Please see the security advisory for details.
- Tag operations performed at the platform administration level, such as creating, editing, or deleting a tag, are not currently audited.
- Having 80 thousand or more attended robots running under users with the Allow to be Automation User role causes performance degradation. This is due to the role having View permissions on Alerts. As a workaround, you can create and assign a new role with the same permissions as Automation User, minus Alerts - View.
- The "Trigger automatically disabled after job execution failures." alert, generated when a trigger is automatically disabled as a consequence of the Set execution-based trigger disabling toggle being enabled, does not work in this version. It will be fixed in the first 2023.10 patch.
-
Added on 26 October 2023
Standard machines are removed starting with the current version. This means that you can no longer create new standard machines, and that we recommend you resort to machine templates instead. However, the corresponding interface option is still visible, but we strongly recommend that you do not use it, as it will not work as expected. It will be removed entirely in the next patch.
- When you upgrade to a major version, the upgrade might fail with an error that the
NLog extension
UiPath.Orchestrator.Logs.Elasticsearch.dll
is not compatible with the new version of Orchestrator. To avoid this issue, you should always use the latest patch version.
We recommend that you regularly check the deprecation timeline for any updates regarding features that will be deprecated and removed.
- Administration news
- New database maintenance scripts
- Classic folders removal
- Roles and permissions changes
- Introducing the Citizen Developers user group
- Unattended robot setup
- Permission checks change
- Auth.RememberMe.Enabled setting removed
- New HashiCorp Vault secrets engine
- Conversion of inactive personal workspaces
- API key authentication for Elasticsearch
- Group Alerts
- Automation asset updates
- Troubleshooting pending jobs
- Exporting jobs grids
- Report exports improvements
- Time columns consolidation in exports
- Deprecation of reports endpoints
- Recording failed queue transactions
- Invalid characters in queue names
- Queue processing records limit clarification
- Dots in storage bucket names
- Internal package sorting
- New machine key parameter
- Running jobs from personal workspaces
- Job restart machine selection
- New Jobs page filter
- Queue items final states
- Retention policy for process data
- Introducing machine maintenance mode
- Execution settings changes
- Usability improvements
- Permission checks for package downloads
- Minutes in SLA predictions
- Handling months in cron expressions
- New transactions columns
- New type filtering option in tenant search
- Mandatory webhook name
- External app assignments
- Transaction reviewer column
- Packages with sources in the package explorer
- Faulted job info limitation
- Error message clarifications
- Credential store connection error
- License expiration error
- Bug fixes
- Security vulnerability fixes
- Common Vulnerabilities and Exposures
- Known issues
- Deprecation Timeline