- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Audit
- Settings - Tenant Level
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Classic Robots
- Host administration
- Organization administration
- About organizations
- Managing organization administrators
- Managing organization settings
- Managing external OAuth applications
- Configuring fine-grained access for confidential apps
- Managing tags
- Audit logs
- Troubleshooting
Orchestrator User Guide
Configuring fine-grained access for confidential apps
As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.
An app gets the union of all organization and tenant scopes defined for it.
OR.Machines.Read
scope at the organization level, and View permissions on Folders in the Finance tenant, and nothing defined for the HR tenant in Orchestrator. Here's an overview of
your app's scope and what it can access:
Tenant |
Scope |
---|---|
HR |
OR.Machines.Read
|
Finance |
OR.Machines.Read
OR.Folders.Read
|
External apps need to be assigned directly to a specific tenant and folder, instead of using group assignments.
Organization-level app scopes give access to resources across all tenants and folders in the organizaton.
As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.
An app gets the union of all organization and tenant scopes defined for it.
OR.Machines.Read
scope at the organization level, and View permissions on Folders in the Finance tenant, and nothing defined for the HR tenant in Orchestrator. Here's an overview of
your app's scope and what it can access:
Tenant |
Scope |
---|---|
HR |
OR.Machines.Read |
Finance |
OR.Machines.Read OR.Folders.Read |
Deleting either of these scopes leaves the app with access levels according to the remaining scope.
You can use groups to simplify external app management, as groups allow you to manage objects with similar needs together.
External apps need to be assigned directly to a specific tenant and folder, instead of using group assignments.
To grant access to a tenant for an external app or a group of external apps, follow these steps in Orchestrator:
To grant access to a folder for an external app or a group of external apps, follow these steps in Orchestrator:
To remove tenant access for an external app or a group of external apps, follow these steps in Orchestrator: