Managing Access and Automation Capabilities
On the Manage Access page you can define and assign roles as well as configure the automation capabilities of your accounts. In Orchestrator, you use roles to control the level of access a user should have. On this page we go over the notions you need to understand to effectively plan and implement your access control strategy.
The level of access and the actions that your users can perform are controlled using two elements:
- accounts, which establish the identity of a user and are used to log in to your UiPath applications
- roles, which are assigned to accounts in order to grant them certain permissions within the UiPath ecosystem.
Accounts are created and managed by organization administrators, as described in Accounts and groups. Accounts must already exist to be able to assign roles to them.
This page, and the following pages, describe:
- how to manage roles
- how to manage automation capabilities, which are configured as part of role setup.
Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions, meaning that the permissions needed to use certain Orchestrator entities are assigned to roles.
Role-permissions and user-roles relationships allow for a certain level of access to Orchestrator. A user gets the permissions required to perform particular operations through one or multiple roles. Since users are not assigned permissions directly, but only acquire them through roles, management of access rights involves assigning appropriate roles to the user. See Modifying the Roles of a User.
There are two categories of permissions:
- Tenant permissions - Define a user's access to resources at the tenant level.
- Folder permissions - Define the user's access and ability within each folder to which they are assigned.
Based on the permissions they include, there are three types of roles:
- Tenant roles, which include tenant permissions and are required for working at the tenant level.
- Folder roles, which include permissions for working within a folder.
- Mixed roles, which include both types of permissions.
With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.
Note: Mixed roles are no longer supported and you cannot create new ones. If you have mixed roles, we recommend replacing them with a combination of tenant and folder roles to grant the required permissions.
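The following is an added example, not UiPath code or an Orchestrator API: a small offline model for planning the replacement of a mixed role with a tenant role plus a folder role, and for checking that the split neither widens nor narrows access. The role names, permission names and sample data are constructed, and the model assumes an account's rights are the union of what its roles grant and ignores which folder a folder role is assigned in.

```python
from dataclasses import dataclass

TENANT, FOLDER = "tenant", "folder"   # the two permission categories on this page

@dataclass(frozen=True)
class Grant:
    permission: str       # constructed permission name, not read from a product
    scope: str            # TENANT or FOLDER
    rights: frozenset     # subset of {"View", "Edit", "Create", "Delete"}

def role_type(grants):
    """Classify a role by the categories of permission it actually grants."""
    scopes = {g.scope for g in grants if g.rights}
    if scopes == {TENANT, FOLDER}:
        return "mixed"
    return next(iter(scopes), "empty")

def split_mixed(name, grants):
    """Replace a mixed role with one tenant role and one folder role."""
    if role_type(grants) != "mixed":
        return {name: list(grants)}
    return {f"{name} ({s})": [g for g in grants if g.scope == s and g.rights]
            for s in (TENANT, FOLDER)}

def effective(role_names, roles):
    """Rights acquired through roles (assumed union), keyed by (scope, permission)."""
    out = {}
    for r in role_names:
        for g in roles[r]:
            if g.rights:
                out.setdefault((g.scope, g.permission), set()).update(g.rights)
    return out

def split_preserves_access(name, roles):
    """True if the replacement roles grant exactly what the original role did."""
    replacement = split_mixed(name, roles[name])
    return effective([name], roles) == effective(list(replacement), replacement)

# Constructed sample role set (hypothetical role and permission names).
ROLES = {
    "Legacy Operator": [Grant("Users", TENANT, frozenset({"View"})),
                        Grant("Queues", FOLDER, frozenset({"View", "Edit"})),
                        Grant("Assets", FOLDER, frozenset())],
    "Queue Worker": [Grant("Queues", FOLDER, frozenset({"View"}))],
}

if __name__ == "__main__":
    for name, grants in ROLES.items():
        print(name, "->", role_type(grants), "->", sorted(split_mixed(name, grants)))
    print("access unchanged:", split_preserves_access("Legacy Operator", ROLES))
```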
The following resources are available to users, depending on the type of roles they have:
Auth.DisabledPermissions parameter in UiPath.Orchestrator.dll.config.
Typically you can select all available rights (View, Edit, Create, or Delete) for any permission, but the following rights have no effect for the listed permission, and therefore you cannot edit them:
This is because, for example, it is not possible to edit system-generated logs.
By default, after 10 failed login attempts, you are locked out for 5 minutes.
System administrators can customize the Account Lockout settings from the host Management portal.