Subscribe

UiPath Orchestrator

The UiPath Orchestrator Guide

Roles

Suggest Edits

Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator entities are assigned to roles.

Role-permissions and user-roles relationships allow for a certain level of access to Orchestrator. A user gets the permissions required to perform particular operations through one or multiple roles. Since users are not assigned permissions directly, but only acquire them through roles, management of access rights involves assigning appropriate roles to the user. See Modifying the Roles of a User.

Permission Types and Role Types

There are two categories of permissions:

  • Tenant permissions - Define a user's access to resources at the tenant level.
  • Folder permissions - Define the user's access and ability within each folder they are assigned to.

Based on the permissions they include, there are three types of roles:

  • Tenant roles, which include tenant permissions and are required for working at the tenant level.
  • Folder roles, which include permissions for working within a folder.
  • Mixed roles, which include both types of permissions.
    With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.

📘

Note:

Mixed roles are no longer supported and you cannot create new ones. If you have mixed roles, we recommend replacing them with a combination of tenant and folder roles to grant the required permissions.

The following resources are available to users depending on the type of roles they have:

Tenant Resources

Folder Resources

Alerts
Audit
Background tasks
Libraries
License
Robots
Machines
ML Logs
Packages
Roles
Settings
Folders
Users
Webhooks

Assets
Storage Files
Storage Buckets
Environments
Execution Media
Folder Packages
Jobs
Logs
Monitoring
Processes
Queues
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Tasks Assignment
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

You have the possibility to disable permissions completely from the user interface and API using the Auth.DisabledPermissions parameter in UiPath.Orchestrator.dll.config.

Assigning the Different Types of Roles

The type of role is important because you assign roles differently based on their type:

  • If Activate Classic Folders is cleared under Tenant > Settings > General:
    You assign Tenant roles and Mixed roles from the Users page or from the Roles page.
    You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page.
  • If Activate Classic Folders is selected under Tenant > Settings > General:
    You assign any of the three types of roles from the Users page or from the Roles page.
    You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page.

Permissions Without Effect

Although you can select all available rights (View, Edit, Create, or Delete) for any permission, the following rights have no effect for the listed permission:

Permission

Category

Edit

Audit
Execution Media
Logs

Create

Audit
License
Settings
Monitoring

Delete

Alerts
Audit
Settings
Logs
Monitoring

This is because, for example, it is not possible to edit system-generated logs.

Default Orchestrator Roles

By default, the following roles exist in Orchestrator:

Role

Type

Description

Administrator

Mixed

A user with all tenant-level permissions granted. This is the default role granted to the admin user of each tenant and cannot be edited.

Robot

Mixed

All permissions required to execute processes in Classic folders.

Standard Roles for Folders

For all users, you can automatically create the following roles:

Role

Type

Description

Tenant Administrator

Tenant

The equivalent of the Administrator role, a user with tenant-level permissions granted.
Assign at the tenant level to those users, if any, that are delegated the management of all tenant entities.

Allow to be Folder Administrator

Tenant

A user with the minimum tenant-level permissions needed to manage their own folders and subfolders.
Assign this role at the tenant level and assign the Folder Administrator role, below, at the folder level to enable folder management for a user.

Folder Administrator

Folder

A user with the minimum folder-level permissions needed to manage their own folders and subfolders.
Assign this role at the folder level and assign the Allow to be Folder Administrator role, above, at the tenant level to enable folder management for a user.

Allow to be Automation User

Tenant

A user with the minimum tenant-level permissions needed to execute processes.
Assign at the tenant level in conjunction with the Automation User role, below, at the folder level.

Automation User

Folder

A user with the minimum folder level permissions needed to execute processes.
Assign at the folder level in conjunction with the Allow to be Automation User role, above, at the tenant level.

See Default Roles for the permissions specific to each role.

📘

Note

The permissions associated with roles can change between versions as new features and integrations are added. When this happens, affected roles appear in red on your Tenant Settings page. Click on an affected role to add the missing permissions for each role.

Updated about a year ago

Roles

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.