orchestrator
2024.10
true
UiPath logo, featuring letters U and I in white

Orchestrator User Guide

Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Dec 4, 2024

Access control

In Orchestrator, you use roles to control the level of access for users, groups, robot accounts, and external apps. On this page, we go over the notions you need to understand to effectively plan and implement your access control strategy:

  • accounts and apps (i.e. user accounts, robot accounts, external apps) which represent the identity used to access Orchestrator resources
  • roles, which are assigned to accounts in order to grant them explicit permissions within the UiPath ecosystem
  • groups, which are used to simplify account administration by granting the same access to multiple user accounts

Accounts are not created and managed in Orchestrator, only their Orchestrator roles and assignments are. Accounts are created by organization administrators and, once created, they can be assigned to a folder or tenant in Orchestrator.

About permissions

Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator entities are assigned to roles.

Role-permissions and user-roles relationships allow for a certain level of access to Orchestrator. A user gets the permissions required to perform particular operations through one or multiple roles. Since users are not assigned permissions directly, but only acquire them through roles, permission management involves assigning appropriate roles to the user.

Permission and role types

There are two types of permissions, as follows:

  • Tenant permissions define a user's access to resources at the tenant level.
  • Folder permissions define the user's access and ability within each folder to which they are assigned.
Two primary permission sets govern operations within folders:
  • Folder permissions (tenant scoped):
    • allow a user to create, edit, or delete all folders within the entire tenant.
    • are typically granted to admins, or users responsible for managing the organization.
  • Subfolder permissions (folder scoped):
    • allow a user to create, edit, or delete a particular folder they are assigned to, along with any subfolders under it.
    • offer more granular control, enabling users to manage specific folders without having control over the other folders in the tenant.

Based on the permissions they include, there are three types of roles:

  • Tenant roles, which include tenant permissions, and are required for working at the tenant level.
  • Folder roles, which include permissions to work within a folder.
  • Mixed roles, which include both types of permissions.

    With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration. For a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.

    Note: Mixed roles are no longer supported, and you cannot create new ones. If you have mixed roles, we recommend replacing them with a combination of tenant and folder roles to grant the required permissions.

The following resources are available to users, depending on the type of roles they have:

Tenant resources

Folder resources

  • Alerts
  • Audit
  • Background tasks
  • Libraries
  • License
  • Machines
  • ML Logs
  • ML Packages
  • Robots
  • Roles
  • Settings
  • Folders
  • Users
  • Webhooks
  • Assets
  • Storage Files
  • Storage Buckets
  • Connections
  • Environments
  • Execution Media
  • Folder Packages
  • Jobs
  • Logs
  • Monitoring
  • Processes
  • Queues
  • Triggers
  • Subfolders
  • Action Assignment
  • Action Catalogs
  • Actions
  • Test Case Execution Artifacts
  • Test Data Queue Items
  • Test Data Queues
  • Test Set Executions
  • Test Sets
  • Test Set Schedules
  • Transactions
You have the possibility to disable permissions completely from the user interface and API using the Auth.DisabledPermissions parameter in UiPath.Orchestrator.dll.config.

Permissions without effect

Typically, you can select all available permissions (View, Edit, Create, or Delete) for any permission, except for the following, which have no effect for the listed permissions, and, therefore, you cannot edit them:

Permission type

Permissions

Unavailable permissions

Tenant

Alerts

  • Delete
 

Audit

  • Edit
  • Create
  • Delete

Folder

Execution Media

  • Edit
 

Logs

  • Edit
  • Delete
 

Monitoring

  • Create
  • Delete

This is because, for example, it is not possible to edit system-generated logs.

Security considerations

Account lockout

By default, after 10 failed login attempts, you are locked out for 5 minutes.

System administrators can customize the Account Lockout settings from the host Management portal.

Note: Logging in with the same account on a different machine disconnects the user from the first machine.
  • About permissions
  • Permission and role types
  • Permissions without effect
  • Security considerations

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.