Orchestrator
latest
false
Banner background image
Orchestrator User Guide
Last updated Mar 21, 2024

Assigning Roles

Overview

The Assign roles tab of the Manage access page lets you search for users and groups that already exist at the organization level and configure permissions for them in Orchestrator.

Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.

To assign roles

  1. Go to Tenant > Manage access.

  2. Above the table, on the right, click Assign roles and select User, Robot account, or Group.

    The Assign roles window opens.

  3. Follow the applicable instructions, available below:

    a. Assigning roles to a group

    b. Assigning roles to a user

    c. Assigning roles to a robot account

Automatic assignment suggestion

When you assign a folder-level role, we check if you also have the corresponding tenant-level role. If you do not, you are automatically prompted to assign that as well. You can choose to assign the required role on the spot or to postpone the action for later.

Important:

  • This works for all entities that can be assigned roles.

  • It only applies to folder roles that are explicitly assigned, not inherited.

Known issue:

This option does not work for Active Directory users or groups.

Assigning Roles to a Group

If you assign roles to a group, those assigned roles are inherited by all users who are part of that group.

Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.

1) General Details

  1. In the Select a group field, type to search for an existing user group to which you want to assign roles.

    If needed, you can create a new group by clicking Add new to the right of the field.

  2. Click the Roles field and then select the check box for each role you want to assign to the selected group.

    If needed, you can define a new role by clicking New role to the right of the field.

    If classic folders are inactive for your tenant, you can only assign Tenant roles and Mixed roles. If you want to also assign Folder roles to this group, you must do so from the Folders page or from the folder's Settings page.

  3. Under Web Access, click the toggle to select if the group members can log in to the Orchestrator UI.
    Important: If this setting is enabled in at least one of the groups to which an account belongs (including the Everyone group), then setting it to disabled at the account level or for other groups has no effect for that particular account, only for other group members that are not in the same situation.
  4. Under UI Profile settings, select the user interface profile for the members of this group.
  5. If you want to also create an attended robot for group members, click Next.

    Otherwise, click Skip and assign to apply your settings. Skip the rest of the instructions in this section.

2) Robot Setup

  1. Under Attended Robot, set the first toggle to Enabled if you want to automatically create an attended robot for each group member.
    For groups, the default robot settings apply. If you want to customize robot settings, you have to make the adjustments explicitly for each user after you finish this process.
    Note: Make sure that you also assign an attended user license - either at the group level, or to individual accounts - so that they can use the attended robot.
  2. Click the second toggle Automatically create Personal Workspaces for members of this group to set it to off (left position) if you do not want each user to have a Personal Workspace.
  3. Click Assign.

The group is now visible on the Assign roles tab of the Manage access page and the members of the group benefit from the changes as soon as they log in or within the hour if they are already logged in.

Assigning Roles to an Account

We recommend that you maintain user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the roles they need.

However, if you need to perform a one-time role assignment for a specific user, you can assign roles to the user directly, as described below.

1) General Details

  1. In the Select a user field, type to search for the user to whom you want to assign roles.

    If needed, you can add a new user to your organization by clicking Add new to the right of the field.

  2. Click the Roles field and then select the check box for each role you want to assign to the selected user.

    If needed, you can define a new role by clicking New role to the right of the field.

    If classic folders are inactive for your tenant, you can only assign Tenant roles and Mixed roles. If you want to also assign Folder roles to this user, you must do so from the Folders page or from the folder's Settings page.

  3. Under Web Access, click the toggle to select if the user can log in to Orchestrator by navigating directly to the Orchestrator URL.
    If this account is a member of any groups that have Web Access set to enabled, changing this setting for individual accounts has no effect because the group-level setting is inherited by all accounts. To control web access for individual accounts, you must either remove the account from groups with a conflicting setting, or remove the group with the conflicting setting from Orchestrator.
  4. Under UI Profile settings, select the user interface profile for the user.
  5. (Optional) Under Update policy settings, choose the release level to which you want this user to be required to update UiPath applications on their workstation. If you select a policy, the user will not be able to use UiPath Robot, Studio, or Assistant until they upgrade these applications to the version required by the policy. This setting can help you make sure that all your users are using the same versions.
  6. If you want to also create an attended or unattended robot for this user, click Next.

    Otherwise, click Skip and assign to apply your settings. Skip the rest of the instructions in this section.

2a) Attended Robot

  1. Under Attended Robot, set the first toggle to Enabled if you want to automatically create an attended robot for each group member.
  2. Select the Enable a Personal Workspaces for this user if you want them to have a Personal Workspace.
  3. If the user license management model is disabled, under License Type select a user license to assign to the user. What is my licensing model?
    If the user license management model is enabled, the License Type options are not available on this page.
    Note: Make sure that you also assign an attended user license - either at the group level, or to individual accounts - so that they can use the attended robot.

2b) Unattended Robot

  1. Under Unattended Robot, click the toggle to set it to Enabled (right position) if you want to also create an unattended robot for the user.

    If this user does not require an unattended robot, click Next to review robot settings and continue with step 15 or click Skip and assign to apply your changes and skip the rest of the instructions in this section.

  2. In the Domain\Username field, type the domain and username used to log on to the machine on which UiPath Robot is installed. The credentials must exist in the selected credential store.
    • For domain-joined users, use the domain\username syntax. For example deskover\localUser1.
    • For local Windows accounts, use the host_machine_name\username syntax, with the host machine's name instead of the domain. For example, LAPTOP1935\localUser2.
    • For local Windows accounts residing on multiple host machines, which you want to use regardless of machine, use the .\username syntax with a dot instead of the host machine name. For example .\localUser3.
    Note:

    The credentials you set must match the Windows account credentials for the machine on which this account can run automations.

    To get the account name, on the machine, open command prompt and use the `whoami` command.

  3. In the Password field, enter the password for the above-mentioned account which is used to log on to the machine on which UiPath Robot is installed.
  4. From the Credential Type list, select the type of credentials you provided above for the unattended robot.
  5. (Optional) If you opted for a CyberArk® credential store, indicate the External Name. If not specified, the default value is used.
  6. Under Concurrent execution, click the toggle to set it to Enabled (right position) if you want to only allow this robot to run one job at a time. If disabled, the user can simultaneously execute multiple jobs.
  7. Click Next to review additional settings for the unattended robot.

    If you do not want to customize robot settings, click Skip and assign to apply your changes and skip the remaining instructions in this section.

3) Robot Settings

  1. Configure execution settings for the UiPath Robot.

    For details about each setting, see Robot Settings.

  2. Click Assign. The entity is created and displayed on the Manage Access page. One floating robot is created for each configured above per user.

Assigning a Role to Multiple Accounts

Note:

These instructions are for assigning tenant roles.

If you need to assign a folder role, you can:

  • go to Tenant > Folders and then select the folder where you want to assign the role
  • select the folder in the left pane to switch to folder context and then go to the Settings page for that folder.
  1. Go to Tenant > Manage access and select the Roles tab.
  2. On the Roles page, click More Actions docs image at the right end of the row and select Manage Users.

    The Manage Users window is displayed and all users, groups, and robots are listed. If the checkbox on the left is selected, that means they have this role assigned to them.

  3. Select or clear the checkboxes as needed so that only those who should have this role are selected.


  4. Click Update to apply your changes.

Changes to roles apply immediately when a user logs in, or automatically within one hour.

Checking assigned roles

You can see what roles are assigned to an entity (user, group, or external application) from the following tenant-level locations:
  • Manage access > Assign roles > Check roles & permissions button (you need to select the desired entity from the list)
  • Manage access > Assign roles > Check roles & permissions contextual menu option
  • Robots > Check roles & permissions row button
  • Monitoring > User sessions > Check roles & permissions row button
These options display the View permissions window, which is split between the Tenant access and Folder access sections. In turn, each section is made up of:
  • The roles pane - includes the name of the role and its type (i.e. explicitly assigned or inherited).

  • The permissions pane - lists the permissions included in the selected roles.

Tenant access

This section displays the roles and permissions granted at the tenant level. You can choose between these options:
  • All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the tenant level.
  • Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the tenant level.
docs image

Folder access

This section displays the roles and permissions granted at the folder level.

You can use the selection box to choose the particular folder for which to display the roles and their permissions. The list only contains folders where the selected entity is assigned.

If the selected entity has more than one role for the chosen folder, you can choose between these options:
  • All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the folder level.
  • Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the folder level.
docs image

Editing role assignment

If you want to edit the roles assigned to a particular account, group, robot, or external application, you can do so from these places:

  • Tenant context > Manage access > Assign roles > Edit in the contextual menu of the desired entity

  • Tenant context > Folders page

  • Folder context > Settings page

For the last two options, in the contextual menu of the entity whose roles you want to change, you can click one of these two options:

  • Edit role in this folder - allows you to change the roles assigned to the entity at the folder level.

  • Edit tenant role & robot (optional) - allows you to change the roles assigned to the entity at the tenant level.

Removing a User or Group

Removing a user or group from Orchestrator does not delete the account from your organization.

  1. Go to Tenant > Manage access > Assign roles tab.
  2. At the right end of the row, click More Actions docs image and select Remove.

    If the user whose role you want to delete has a robot that is currently busy, you are informed that any running jobs will be deleted, and are asked whether you want to proceed with the deletion or cancel the operation.

  3. Confirm the operation.

The user or group is removed from Orchestrator and all roles are revoked.

Alternatively, select one or multiple users, and click the Remove button.

Important:
  • You cannot remove a user having the Administrator role.
  • You cannot remove or unassign users part of mappings that are employed in triggers from the folder the trigger resides in. Make sure the user is not set as an execution target in a trigger so you can delete them.
  • Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant.

Recommended role-to-group mapping

The right combination of group and role allows you to correctly separate permissions, and give granular control to the appropriate people. To achieve this, we recommend the following role-group pairing:

Group

Has access to the Orchestrator interface

Has access to all folders/personal workspace only

Has API access

Tenant role

Folder role

Automation Users

No

Personal workspace

Important:

If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.

Yes

Allow to be Automation User

Automation User

Automation Developers

Yes

All folders

Yes

Allow to be Automation DeveloperAutomation Developer

Administrators

Yes

All folders

Yes

Orchestrator Administrator

Folder Administrator

Automation Express

Yes

All folders

Yes

Allow to be Automation User

Automation User

Troubleshooting

Not Found Error

If an account was removed from the organization, when attempting to edit, enable/disable, or remove the account from Orchestrator (Tenant > Manage Access), a Not found (#1002) error is displayed.

In this case, the account in fact no longer exists and no longer has access to the UiPath products.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.