Orchestrator User Guide
Configuring access for accounts
As an administrator, you can configure fine-grained tenant or folder permissions for objects that already exist at the organization level (groups, users, robot accounts, external apps) by assigning them to tenants or folders in Orchestrator. An object gets the permissions required to perform particular operations in a tenant or folder through one or more roles.
- When you rename a local group at the organization level, it is also renamed in Orchestrator. If you rename it several times in a short timeframe, only the last change is captured in the Orchestrator audit logs. If you want to see all such changes, you can check the organization-level audit.
- Since the username of a robot account is permanent and cannot be changed after it is set, the Username column under Manage Access also remains unchanged. For example, if you rename the robot from Test to Test1, only the Name column updates with the new value, leaving the Username unchanged. For more information, refer to Adding robot accounts.
To make use of all available types of identities, groups, users, robot accounts, and external apps are split into separate pages, one per type. You can find these under dedicated tabs on the Manage Access page.
As an overview of the tabs, the All tab includes all objects that have been assigned access at the tenant level. The Groups, Users, Robot accounts, and External apps tabs include the local and directory groups, local and directory users, robot accounts, and external apps that have been assigned access at the tenant level.
- assign to a tenant any objects that already exist at the organization level
- configure permissions for objects in Orchestrator
- remove tenant access from the existing objects
Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.
In a tenant, when you assign a group and add roles to it, note that these roles are inherited by all users and robot accounts that are part of that group.
Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.
We recommend that you manage user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the necessary roles.
However, if you need to perform a one-time role assignment for a particular user, you can directly provide access to the user, as follows:
We recommend that you manage robot access by assigning roles to groups and then adequately assigning robot accounts to the right groups to grant them the necessary roles.
However, if you need to perform a one-time role assignment for a particular robot account, you can directly grant access to the robot, as follows:
As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.
Changes to roles apply immediately when a user logs in, or automatically within one hour.
- Manage access > Assign roles tab > select the object from the list > More Actions > Check roles & permissions
- Manage access > Assign roles > three-dots icon > Check roles & permissions
- Robots > select the account from the list > More Actions > Check roles & permissions
- Monitoring > User sessions > select the account from the list > Check roles & permissions icon
- The roles pane - includes the name of the role and its type (i.e. explicitly assigned or inherited).
- The permissions pane - lists the permissions included in the selected roles.
Tenant access
- All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the tenant level.
- Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the tenant level.
Folder access
This section displays the roles and permissions granted at the folder level.
You can use the selection box to choose the particular folder for which to display the roles and their permissions. The list only contains folders where the selected entity is assigned.
- All roles in this tenant - the permissions pane displays all permissions corresponding to all roles granted to the selected entity at the folder level.
- Specific role - the permissions pane only displays permissions corresponding to the selected role, as granted to the selected entity at the folder level.
Removing a user or group from Orchestrator does not delete the account from your organization.
The user or group is removed from Orchestrator and all roles are revoked.
Alternatively, select one or multiple users, and click the Remove button.
- You cannot remove a user having the Administrator role.
- You cannot remove or unassign users part of mappings that are employed in triggers from the folder the trigger resides in. Make sure the user is not set as an execution target in a trigger so you can delete them.
- Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant.
Recommended role-to-group mapping

| Group | Has access to the Orchestrator interface | Has access to all folders/personal workspace only | Has API access | Tenant role | Folder role |
|---|---|---|---|---|---|
| Automation Users | No | Personal workspace. Important: If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace. | Yes | Allow to be Automation User | Automation User |
| Automation Developers | Yes | All folders | Yes | Allow to be Automation Developer | Automation Developer |
| Administrators | Yes | All folders | Yes | Orchestrator Administrator | Folder Administrator |
| Automation Express | Yes | All folders | Yes | Allow to be Automation User | Automation User |
The Not Found error
Not found (#1002) error is displayed.
In this case, the account in fact no longer exists and no longer has access to the UiPath products.
In the tenant, access can also be controlled at folder-level from the Folders tab, used for managing folders and objects, and from the folder context, in the sidebar menu.
Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next, click Assign and select the object to be added to the folder.
In order to assign the object, you are required to add a role to it. Once this is done, click Assign, and the object becomes visible in the list.
Another method to assign objects to a folder is to go to the folder context from the sidebar menu and click Users > Assign. In the search field, type the name of the object you want to add to the folder, select the roles it needs, and click Assign to finish the configuration.
To give specific folder access to assigned objects (groups, users, robot accounts, external apps), open a folder from the sidebar menu and go to Users. Next to the object for which you want to edit the folder access, click More Actions > Edit role in this folder. This brings up the assign page, where you can add or remove any roles for the selected object.
The same steps can be applied when going to Tenant > Folder tab > Accounts & Groups > More Actions next to the object you want to modify > Edit role in this folder. Now you can add or remove any roles for the selected object.
Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next to the object you would like to remove, click More Actions > Unassign. Once this is performed, the object no longer has access to that folder.
A folder hierarchy can be established with up to 7 levels. This structure includes the top-level folder and allows for 6 additional layers of subfolders beneath it. User access is inherited from the parent folders: if you are assigned access to a folder, you automatically gain access to all of its subfolders.
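The following added example (not UiPath code and not an Orchestrator API) models the two inheritance rules described on this page for an access review: roles assigned to a group reach its members, and folder access reaches all subfolders. The folder names, accounts and data layout are constructed, and labelling a role that arrives through a group or a parent folder as "inherited" is an assumption of this sketch.

```python
# Constructed sample data for illustration; not exported from a real tenant.
FOLDERS = {  # folder -> parent folder (None marks a top-level folder)
    "Finance": None,
    "Finance/AP": "Finance",
    "Finance/AP/Invoices": "Finance/AP",
    "HR": None,
}
GROUP_MEMBERS = {"Automation Developers": {"alice", "robot-ap"}}
ASSIGNMENTS = {  # (group or account, folder) -> roles assigned on that folder
    ("Automation Developers", "Finance/AP"): {"Automation Developer"},
    ("alice", "Finance"): {"Folder Administrator"},
    ("bob", "HR"): {"Automation User"},
}
MAX_DEPTH = 7  # top-level folder plus 6 layers of subfolders


def ancestors(folder):
    """Return the folder followed by its parents, up to the top level."""
    chain = []
    while folder is not None:
        chain.append(folder)
        if len(chain) > MAX_DEPTH:  # also stops on a cyclic parent map
            raise ValueError(f"{chain[0]} is nested deeper than {MAX_DEPTH} levels")
        folder = FOLDERS[folder]
    return chain


def effective_roles(account, folder):
    """Map each effective role to 'explicit' or 'inherited' for one folder."""
    groups = {g for g, members in GROUP_MEMBERS.items() if account in members}
    result = {}
    for depth, node in enumerate(ancestors(folder)):
        for principal in {account} | groups:
            for role in ASSIGNMENTS.get((principal, node), ()):
                explicit = principal == account and depth == 0
                if explicit or role not in result:
                    result[role] = "explicit" if explicit else "inherited"
    return result


def access_report(account):
    """Every folder the account can reach, with the roles that apply there."""
    return {f: r for f in FOLDERS if (r := effective_roles(account, f))}


def direct_assignments():
    """Assignments made to an account instead of a group (review candidates)."""
    return sorted(key for key in ASSIGNMENTS if key[0] not in GROUP_MEMBERS)
```

Running `access_report` for each account shows the folders it can actually reach, which is usually wider than the list of folders where it was assigned.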
When configuring attended robots for a group or a single user, you also have the option to create a personal workspace for it.
To enable this option, go to Tenant > Manage Access > select the user or group > More Actions > Edit > Next > check the option Enable this user to run automations > check the option Create a personal workspace for this user. Once this is done, a new folder, My Workspace, is visible in the sidebar menu, next to the other folders.
Personal Workspaces permissions
Tenant-level permissions required to manage the workspaces of other users:
- Settings - View and Settings - Edit to allow the use of personal workspaces in the tenant from the Tenant > Settings page.
- Users - View and Users - Edit to enable a personal workspace for a user or group by editing it from the Manage Access page.
Folder-level permissions required to use a personal workspace:
- Alerts - View to see alerts generated for the personal workspace.
- Actions - View, Actions - Edit, Actions - Create, and Actions - Delete to enable long-running workflow execution in the personal workspace.
- Action Catalogs - View, Action Catalogs - Edit, Action Catalogs - Create, and Action Catalogs - Delete to allow the user to manage action catalogs in the personal workspace.