Subscribe

UiPath Orchestrator

The UiPath Orchestrator Guide

Managing access and automation capabilities

On the Manage Access page you can define and assign roles as well as configure the automation capabilities of your accounts. In Orchestrator, you use roles to control the level of access a user should have.
On this page we go over the notions you need to understand to effectively plan and implement your access control strategy.

The level of access and the actions that your users can perform is controlled using two elements:

  • accounts, which establish the identity of a user and are used to log in to your UiPath applications
  • roles, which are assigned to accounts in order to grant them certain permissions within the UiPath ecosystem.

Accounts are not created or managed in Orchestrator, only roles and their assignments are.

This page, and the following pages, describe:

  • how to manage roles
  • how to manage automation capabilities, which are configured as part of role setup.

About roles


Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator entities are assigned to roles.

Role-permissions and user-roles relationships allow for a certain level of access to Orchestrator. A user gets the permissions required to perform particular operations through one or multiple roles. Since users are not assigned permissions directly, but only acquire them through roles, management of access rights involves assigning appropriate roles to the user. See Modifying the Roles of a User.

1081

Permission types and role types


There are two categories of permissions:

  • Tenant permissions - Define a user's access to resources at the tenant level.
  • Folder permissions - Define the user's access and ability within each folder to which they are assigned.

Based on the permissions they include, there are three types of roles:

  • Tenant roles, which include tenant permissions and are required for working at the tenant level.
  • Folder roles, which include permissions for working within a folder.
  • Mixed roles, which include both types of permissions.
    With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.

📘

Note:

Mixed roles are no longer supported and you cannot create new ones. If you have mixed roles, we recommend replacing them with a combination of tenant and folder roles to grant the required permissions.

The following resources are available to users, depending on the type of roles they have:

Tenant ResourcesFolder Resources
Alerts
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Folders
Users
Webhooks
Assets
Storage Files
Storage Buckets
Connections
Environments
Execution Media
Folder Packages
Jobs
Logs
Monitoring
Processes
Queues
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Assigning the different types of roles

The type of role is important because you assign roles differently based on their type:

  • If Activate Classic Folders is cleared under Tenant > Settings > General:
    You assign Tenant roles and Mixed roles from the Users page or from the Roles page.
    You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page.
  • If Activate Classic Folders is selected under Tenant > Settings > General:
    You assign any of the three types of roles from the Users page or from the Roles page.
    You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page.

Permissions without effect

Typically you can select all available rights (View, Edit, Create, or Delete) for any permission, but the following rights have no effect for the listed permission, and therefore you cannot edit them:

Permission typePermissionUnavailable rights
TenantAlerts Delete
Audit Edit
Create
Delete
License Edit
Create
Delete
FolderExecution Media Edit
Logs Edit
Delete
Monitoring Create
Delete
Connections View
Edit
Create
Delete

This is because, for example, it is not possible to edit system-generated logs.

Disabling concurrent execution

When a credential cannot be used more than once at a time (e.g., SAP), an administrator can restrict an account from simultaneously executing multiple jobs. Enabling the Run only one job at a time option at the account level restricts the account from simultaneously executing multiple jobs.

Updated 6 days ago


Managing access and automation capabilities


On the Manage Access page you can define and assign roles as well as configure the automation capabilities of your accounts. In Orchestrator, you use roles to control the level of access a user should have.
On this page we go over the notions you need to understand to effectively plan and implement your access control strategy.

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.