- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Configuring automation capabilities
- Audit
- Settings - Tenant Level
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Host administration
- Organization administration
- Troubleshooting
Orchestrator User Guide
Account types
Here's an overview of the different account types available in the UiPath platform, helping you understand and manage identities within the platform. Identities can come in the form of user accounts, robot accounts, external applications, and groups.
All objects or individual ones can be viewed and managed from their dedicated tabs.
You can use groups for a collection of accounts that share common permissions. Groups are used to simplify the access control of users accounts. You can assign roles to groups as opposed to assigning them to individual users. Anything assigned to the group is automatically assigned to all group members.
Local groups are entities originating in Identity Server, and are considered local to the UiPath ecosystem.
You can choose from default groups or you can create your own custom groups.
A directory group is a type of group managed through an external identity provider. Unlike local groups, it offers streamlined user and access management due to its integration with an existing identity infrastructure. When a user is added to a directory group in the external identity provider, and directory integration is enabled in the platform, the user automatically inherits the roles assigned to that group in the UiPath platform. This automated role assignment adapts as users move across groups, optimizing identity and access management in wide-reaching automation situations.
- A user who is part of multiple groups benefits from a union of roles inherited from all these groups.
- A user who is part of multiple groups and also has specific roles assigned, holds a set of both roles. This set combines both inherited roles from the groups and those explicitly assigned.
Using directory groups enables automatic access with the group permissions, based on users being added or removed from the directory group (when switching departments, for example) with no need to manage user permissions individually.
Example
Directory Groups | Inherited Permissions | Explicit Permissions |
---|---|---|
Added group X with X set of permissions and group Y with Y set of permissions. | John Smith belongs to both Group X and Y. He logs in to Orchestrator. His user is auto-provisioned with the following permissions: X, Y. |
In addition to the X and Y sets, John is also granted the Z set explicitly. John now has the following permissions: X, Y, Z. Deleting groups X and Y leaves John with Z. |
- You don't need an explicit user entry to log in to Orchestrator, if you belong to a group that has been added to Orchestrator.
- Inherited permissions are dependent on the associated directory group. If the directory is deleted, so are inherited permissions.
- Explicitly-set permissions are independent of the Directory Group. They persist between sessions, regardless of the group's state.
Depending on where their details and access are managed, users can be classified into:
A local user in the UiPath platform is an account created and administrated directly within the platform, independent of any external identity provider. Roles are specifically assigned during their creation or editing, establishing their permissions within the platform.
- Manually added users, meaning users that are added individually by an admin. The admin searches for the user in the directory and adds it into the system.
- Auto-provisioned users, meaning users that are automatically added into the system once they log in. Auto-provisioning is the process by which a system, upon recognizing a user automatically, creates a new user entry for them.
Manually Added User | Auto-provisioned User | |
---|---|---|
Inherits permissions | Yes | Yes |
Can be assigned additional explicit permissions | Yes | Yes |
Can use SSO | Yes | Yes |
Robot accounts are helpful for when you need to run back-office unattended processes that should not be the responsibility of any particular user. These are our UiPath equivalent of service accounts. Similar to the accounts that Windows services run as application identities in the OAuth model, they are a non-user identity to be used to run unattended processes.
Robot accounts in the UiPath platform are subject to permissions, same as user accounts. Robot accounts differ in two main aspects: they cannot be configured for interactive processes, and their creation doesn't need an email address.
Management of robot accounts is largely similar to that of user accounts. Administrators can create and oversee these accounts just as they would with user accounts.
Applications that are external to the UiPath platform can be granted access to UiPath resources without having to share user credentials. Using the OAuth framework, you can delegate authorization to external applications. Once registered, these applications can make API calls to UiPath applications or resources scoped to the APIs you designate.