# Managing access

> The following pages describe how you can manage access in Automation Cloud:

The following pages describe how you can manage access in Automation Cloud:

* [Roles](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/managing-access#roles)
* [Role assignments](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/managing-access#role-management)

## Roles

Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts.

Roles can include several permissions at either the organization level, or at the service level, so there are:

* organization-level roles: these roles control the permissions that accounts have on organization-wide options. They are available in the UiPath standalone product installations portal by default and you cannot change them, nor can you add new ones.
* service-level roles: these roles control the access rights and actions that accounts can perform in each UiPath® service you own. They are managed from within each service and can include default roles which you cannot change, as well as custom roles that you create and manage in the service.

Accounts and groups typically have an organization-level role and one or more service-level roles.

### Groups and roles

In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the **Administrators** default group grants them the **Organization Administrator** role for the organization and the **Administrator** role within your services. This user can manage both organization-level roles from **Admin**, then select **Accounts and Groups**, as well as service-level roles.

| Group membership | Organization-level role | Service-level roles for Orchestrator |
| --- | --- | --- |
| Administrators | Organization Administrator | [Administrator](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#administrator-role) |
| Automation Users | User | [Automation User](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#automation-user) at folder level <sup>1</sup>  [Allow to be Automation User](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#allow-to-be-automation-user) at tenant level |
| Automation Developers | User | [Automation User](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#automation-user) at folder level <sup>1</sup>  [Folder Administrator](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#folder-administrator) at folder level <sup>1</sup>  [Allow to be Automation User](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#allow-to-be-automation-user) at tenant level  [Allow to be Folder Administrator](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#allow-to-be-folder-administrator) at tenant level |
| Everyone | User | No roles. |
| Automation Express | User | [Allow to be Automation User](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/default-roles#allow-to-be-automation-user) at tenant level |
| [Custom group] | User | No roles by default, but you can [add roles to the group](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/managing-access#role-management)  as needed. |

<sup>1</sup> The roles are assigned to the **Shared** modern folder, if it exists.

:::note
For information about roles across UiPath services, refer to [Role management](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/managing-access#role-management).
:::

### Organization-level roles

Accounts can have only one organization-level role. This role controls the access that the account has to options within the portal area, such as the tabs they can view on the **Admin** page or the options available to them on the **Home** and **Admin** pages.

At organization level, the roles **Organization Administrator** and **User** are available.

You cannot change these roles or add new roles at the organization level.

## Role management

You can manage and assign service-level roles from within each service and you need the appropriate permissions in the service.

For example, users with the **Administrator** role in Orchestrator can create and edit roles, and assign roles to existing accounts.

There are two ways to assign roles to an account:

* Direct provisioning implies manually assigning roles to an existing account. You can do this by adding the account to a group, by assigning service-level roles to the account directly, or a combination of both.
* Auto-provisioning is only applicable if your UiPath organization is integrated with a third-party identity provider (IdP), such as Microsoft Entra ID). In this case, to fully hand off identity and access management to the external provider, you can set up the UiPath platform so that any directory account can receive the appropriate roles without the need for any actions in the UiPath platform. The IdP administrator then has control over a user's access and rights in the UiPath organization by creating and configuring the account in the external provider alone.

### Direct provisioning

#### Assigning organization-level roles

Organization-level roles are predefined and cannot be changed.

Organization administrators can assign organization-level roles to individual accounts from **Admin &gt; Accounts and Groups** by adding accounts to a default or custom group.

:::note
If you have linked your UiPath organization to a directory, such as Microsoft Entra ID, then it is possible to also assign organization-level roles to directory groups by adding them to groups, same as with accounts. This is not possible with local groups.
:::

#### Managing service-level roles

You manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added.

For information and instructions, refer to the applicable documentation, as described in the following table:

 <colgroup>
  <col/>
  <col/>
 </colgroup>
 
  
     Service  
     Details  
  
 
 
  
    Orchestrator 
     Managed from Orchestrator.  Learn more about roles  .  
  
  
    Actions 
     Managed from Orchestrator. 
      
         For the list of permissions required, refer to  Roles and permissions  . 
         For instructions on assigning roles, refer to  Assigning roles  . 
      

  
  
    Processes 
     Managed from Orchestrator. 
      
         For the list of permissions required, refer to  Roles and permissions  in the Action Center documentation. 
         For instructions on assigning roles, refer to  Assigning roles  . 
      

  
  
    Test Manager 
     Managed from Test Manager.  For information and instructions, refer to  User and group access management  .  
  
 

#### Assigning roles to an account

If you want to control the access a certain account has in a service at a more granular level, but you do not want to add new roles to an entire group, you can explicitly add the account to the service and assign one or more service-level roles to it directly.

For information about the available roles and instructions, refer to the documentation for the target service, as previously described.

### Auto-provisioning

Through auto-provisioning, any directory account can be set up with access and rights for using the UiPath platform directly from the external identity provider (IdP).

Auto-provisioning requires a one-time setup after you enable an integration with a third-party IdP: Microsoft Entra ID or other IdPs that are connected used SAML integration.