orchestrator
2023.10
false
UiPath logo, featuring letters U and I in white

Orchestrator User Guide

Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Dec 4, 2024

Account types

Here's an overview of the different account types available in the UiPath platform, helping you understand and manage identities within the platform. Identities can come in the form of user accounts, robot accounts, external applications, and groups.

All objects or individual ones can be viewed and managed from their dedicated tabs.

Groups

You can use groups for a collection of accounts that share common permissions. Groups are used to simplify the access control of users accounts. You can assign roles to groups as opposed to assigning them to individual users. Anything assigned to the group is automatically assigned to all group members.

Local Group

Local groups are entities originating in Identity Server, and are considered local to the UiPath ecosystem.

You can choose from default groups or you can create your own custom groups.

Directory Group

A directory group is a type of group managed through an external identity provider. Unlike local groups, it offers streamlined user and access management due to its integration with an existing identity infrastructure. When a user is added to a directory group in the external identity provider, and directory integration is enabled in the platform, the user automatically inherits the roles assigned to that group in the UiPath platform. This automated role assignment adapts as users move across groups, optimizing identity and access management in wide-reaching automation situations.

  • A user who is part of multiple groups benefits from a union of roles inherited from all these groups.
  • A user who is part of multiple groups and also has specific roles assigned, holds a set of both roles. This set combines both inherited roles from the groups and those explicitly assigned.

Using directory groups enables automatic access with the group permissions, based on users being added or removed from the directory group (when switching departments, for example) with no need to manage user permissions individually.

Example

Directory GroupsInherited PermissionsExplicit Permissions
Added group X with X set of permissions and group Y with Y set of permissions.John Smith belongs to both Group X and Y. He logs in to Orchestrator. His user is auto-provisioned with the following permissions: X, Y.

In addition to the X and Y sets, John is also granted the Z set explicitly. John now has the following permissions: X, Y, Z.

Deleting groups X and Y leaves John with Z.

  • You don't need an explicit user entry to log in to Orchestrator, if you belong to a group that has been added to Orchestrator.
  • Inherited permissions are dependent on the associated directory group. If the directory is deleted, so are inherited permissions.
  • Explicitly-set permissions are independent of the Directory Group. They persist between sessions, regardless of the group's state.

Users

Depending on where their details and access are managed, users can be classified into:

Local users

A local user in the UiPath platform is an account created and administrated directly within the platform, independent of any external identity provider. Roles are specifically assigned during their creation or editing, establishing their permissions within the platform.

Directory users

These accounts are defined outside of Orchestrator, in an active directory such as Azure Active Directory. You must link the directory to Orchestrator to use this type of accounts. When linked, Orchestrator can search for and reference directory users so that you can view them, assign roles to them, or add them to Orchestrator groups. The benefit is that you do not need to define these identities twice: you define them once in your directory and can use them in Orchestrator, too.
Directory users can be of the following types:
  • Manually added users, meaning users that are added individually by an admin. The admin searches for the user in the directory and adds it into the system.
  • Auto-provisioned users, meaning users that are automatically added into the system once they log in. Auto-provisioning is the process by which a system, upon recognizing a user automatically, creates a new user entry for them.
 Manually Added UserAuto-provisioned User
Inherits permissionsYesYes
Can be assigned additional explicit permissionsYesYes
Can use SSOYesYes

Robot accounts

Robot accounts are helpful for when you need to run back-office unattended processes that should not be the responsibility of any particular user. These are our UiPath equivalent of service accounts. Similar to the accounts that Windows services run as application identities in the OAuth model, they are a non-user identity to be used to run unattended processes.

Working with robot accounts

Robot accounts in the UiPath platform are subject to permissions, same as user accounts. Robot accounts differ in two main aspects: they cannot be configured for interactive processes, and their creation doesn't need an email address.

Management of robot accounts is largely similar to that of user accounts. Administrators can create and oversee these accounts just as they would with user accounts.

External Apps

Applications that are external to the UiPath platform can be granted access to UiPath resources without having to share user credentials. Using the OAuth framework, you can delegate authorization to external applications. Once registered, these applications can make API calls to UiPath applications or resources scoped to the APIs you designate.

  • Groups
  • Local Group
  • Directory Group
  • Users
  • Local users
  • Directory users
  • Robot accounts
  • Working with robot accounts
  • External Apps

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.