# Roles

Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts.

Accounts and groups typically have an organization-level role and one or more service-level roles.

## Types of roles

The following types of roles can include several permissions at either organization level, or at service level:

* The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations.
* The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful when none of the available built-in roles perfectly match the access a user or group should have.

## Scopes and categories

A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments.

:::note
The **Manage access** menu is available within all possible scopes, descending from the organization level down to the project level.
:::

A category is a parameter for a custom role that you define for each scope, determining whether you apply the role within the same scope, or within a lower-level scope.

## Types of roles based on scopes and permissions

A role is defined by multiple permissions. Permissions can be specific to a certain scope.

:::note
The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder.
:::

The following types of roles are based on scopes and permissions:

* The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope. Organization-level roles:
  + Can be created only at the organization level.
  + Can include only permissions associated with organization-level products and services, such as:
    - Manage Access
    - Apps
    - Automation Ops
    - Insights (organization-level dashboards)
  + Can be assigned only at the organization level.
  + Cannot currently include permissions for tenant-level products (such as IXP or Document Understanding).
  + Cannot currently manage licensing quotas or other tenant-scoped licensing configurations.
* The global tenant role is a type of role you create at organization scope. You can apply this role type to all tenants within the organization, but assignment is performed at tenant or service level. Global-tenant roles:
  + Are created at the organization level.
  + Can include permissions associated with organization-level products, as well as supported tenant-level products, such as:
    - IXP
    - Document Understanding
  + If created with IXP permissions, the role becomes visible in all tenants within the organization.
  + Can be assigned only at tenant or service level (not at organization level).
* The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously.
* The service role is a type of role you create at service scope. This role type contains permissions from certain services.
* The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope.
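
The scope rules in the list above can be checked mechanically during an access review. The following Python sketch is an added example, not UiPath code or a UiPath API: the `Role` and `Assignment` records, the finding codes, and the sample data are hypothetical and constructed for illustration, and role types for which the page states no product or assignment constraint are left unconstrained.

```python
from dataclasses import dataclass

# Products named on this page; other products are outside this sketch.
ORG_PRODUCTS = {"Manage Access", "Apps", "Automation Ops", "Insights"}
TENANT_PRODUCTS = {"IXP", "Document Understanding"}

# role type -> (creation scope, allowed assignment scopes, allowed products)
# None means the page states no constraint for that column.
ROLE_TYPES = {
    "organization": ("organization", {"organization"}, ORG_PRODUCTS),
    "global-tenant": ("organization", {"tenant", "service"},
                      ORG_PRODUCTS | TENANT_PRODUCTS),
    "cross-service": ("tenant", None, None),
    "service": ("service", None, None),
    "folder-project": ("service", {"folder", "project"}, None),
}

@dataclass(frozen=True)
class Role:            # hypothetical record for a custom role definition
    name: str
    role_type: str
    created_at: str
    products: frozenset

@dataclass(frozen=True)
class Assignment:      # hypothetical record for one role assignment
    principal: str
    role: str
    scope: str

def check_role(role):
    """Return findings for a role definition that breaks the scope rules."""
    rule = ROLE_TYPES.get(role.role_type)
    if rule is None:
        return [(role.name, "UNKNOWN_ROLE_TYPE", role.role_type)]
    created_at, _, products = rule
    findings = []
    if role.created_at != created_at:
        findings.append((role.name, "WRONG_CREATION_SCOPE", role.created_at))
    if products is not None:
        for product in sorted(role.products - products):
            findings.append((role.name, "DISALLOWED_PRODUCT", product))
    return findings

def check_assignment(assignment, roles_by_name):
    """Return findings for an assignment made at a scope the role type forbids."""
    role = roles_by_name.get(assignment.role)
    if role is None:  # assignment points at a role that is not defined
        return [(assignment.principal, "UNKNOWN_ROLE", assignment.role)]
    rule = ROLE_TYPES.get(role.role_type)
    if rule is None or rule[1] is None or assignment.scope in rule[1]:
        return []
    return [(assignment.principal, "BAD_ASSIGNMENT_SCOPE",
             f"{role.name} at {assignment.scope}")]

def audit(roles, assignments):
    by_name = {r.name: r for r in roles}
    findings = [f for r in roles for f in check_role(r)]
    findings += [f for a in assignments for f in check_assignment(a, by_name)]
    return findings

# Constructed sample data (not taken from any real tenant).
SAMPLE_ROLES = [
    Role("Org Apps Reviewer", "organization", "organization", frozenset({"Apps", "Insights"})),
    Role("Org IXP Editor", "organization", "organization", frozenset({"Apps", "IXP"})),
    Role("IXP Operator", "global-tenant", "organization", frozenset({"IXP"})),
    Role("Folder Reviewer", "folder-project", "tenant", frozenset()),
]
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "Org Apps Reviewer", "organization"),
    Assignment("bob", "IXP Operator", "organization"),
    Assignment("carol", "IXP Operator", "tenant"),
    Assignment("dave", "Folder Reviewer", "service"),
    Assignment("erin", "Retired Role", "tenant"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS):
        print(finding)
```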

The following table classifies scopes, role types based on scopes and permissions, and examples of roles:

| Scope | Types of roles based on scopes and permissions | Examples of roles |
| --- | --- | --- |
| Organization | Organization level roles | Insights Dashboard Viewer, Organization Administrator |
| Organization | Global tenant roles | Note: A global tenant role can be created using the custom role functionality. |
| Tenant | Cross-service roles | Tenant Administrator |
| Service | Service roles | Orchestrator Administrator |
| Service | Folder or project roles | Folder Administrator |

## Groups and roles

The following table lists the roles that accounts receive when they are added to a group. For example, adding an account to the **Administrators** default group grants them the **Organization Administrator** role for the organization and the **Administrator** role within your services. This user can manage both organization-level roles, from **Admin** > **Accounts and Groups**, and service-level roles.

| Group membership | Organization-level role | Service-level roles for Orchestrator |
| --- | --- | --- |
| Administrators | Organization Administrator | [Administrator](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#administrator-role) |
| Automation Users | User | [Automation User](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#automation-user) at folder level <sup>1</sup>  [Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#allow-to-be-automation-user) at tenant level |
| Automation Developers | User | [Automation User](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#automation-user) at folder level <sup>1</sup>  [Folder Administrator](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#folder-administrator) at folder level <sup>1</sup>  [Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#allow-to-be-automation-user) at tenant level  [Allow to be Folder Administrator](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#allow-to-be-folder-administrator) at tenant level |
| Everyone | User | No roles. |
| Automation Express | User | [Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-suite/2.2510/user-guide/default-roles#allow-to-be-automation-user) at tenant level |
| [Custom group] | User | No roles by default, but you can [add roles to the group](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/role-management#role-assignments)  as needed. |

<sup>1</sup> The roles are assigned to the **Shared** modern folder, if it exists.

:::note
For information about roles across UiPath services, refer to [Role management](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/role-management#role-assignments).
:::

## Organization-level roles

The organization level represents the highest level of scope.

At organization level, the **Organization Administrator**, **User**, and **Insights Dashboard Viewer** roles are available. You cannot change these roles.

Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.

Organization-level roles also include organization-level service permissions for services such as Apps and Automation Ops.

:::note
Licensing quota management is available through tenant-level roles (for example, the Tenant Administrator role).
:::

### Organization administrator role

This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.

The organization administrator and the **Tenant Admin** roles are the only roles that allow access to the **Admin** section.

The first organization administrator for any given organization is appointed when the organization is created.

:::note
The organization administrator role is not an assignable role. To have this role assigned to you, you need to be part of the **Administrators** group.
:::

To grant this role to others, the organization administrator can add user accounts to the **Administrators** group, which is one of the [default groups](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/about-accounts#default-local-groups).

The organization administrator role includes the organization-level permissions described in the following table. These permissions cannot be changed:

| Areas subject to permissions | View | Edit | Create | Delete |
| --- | --- | --- | --- | --- |
| Usage charts and graphs | ✅ | ❌ | ❌ | ❌ |
| Tenants | ✅ | ✅ | ✅ | ✅ |
| Accounts and groups | ✅ | ✅ | ✅ | ✅ |
| Security settings | ✅ | ✅ | ❌ | ❌ |
| External applications | ✅ | ✅ | ✅ | ✅ |
| Licenses | ✅ | ✅ | ❌ | ❌ |
| API keys | ✅ | ❌ | ✅ | ❌ |
| Resource center (Help) | ✅ | ❌ | ❌ | ❌ |
| Audit logs | ✅ | ❌ | ❌ | ❌ |
| Organization settings | ✅ | ✅ | ❌ | ❌ |

### User role

This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the **Everyone** [group](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/about-accounts#groups), which grants them the **User** role.

This role is granted to all accounts that are in the default groups **Everyone**, **Automation Users**, or **Automation Developers**.

This role provides read-only access to pages such as the **Home** page and the **Resource Center** (if available).

The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depend on the service-level roles assigned to their account.

:::note
All platform users are part of the **Everyone** group by default, regardless of whether they are local or directory users.
:::

To grant everyone access to a specific service, the **Everyone** group needs to be mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the **Everyone** group to a role in Automation Hub.

The available services that currently incorporate this mapping into roles and grant minimal rights within them are:

* Studio Web
* Apps
* Test Manager

## Tenant-level roles

Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant.

Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant.

Currently, **Tenant Administrator** is the only built-in role available at the tenant level.

### Tenant Administrator role

The **Tenant Administrator** role allows you to effectively delegate responsibilities. The role grants access to manage all resources<sup>1</sup> in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.

The **Tenant Administrator** role can be assigned to multiple accounts.

<sup>1</sup>The following services support the **Tenant Administrator** role:

* Orchestrator (includes Actions, Processes, Integration Service)
* Data Service
* Document Understanding
* Test Manager

#### Tenant Administrator role permissions

The following tables describe the Tenant Administrator role permissions:

| Resource | Permissions | View | Create | Delete | Read | Update | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Centralized Access | Administration page | ✅ | ❌ | ❌ | ❌ | ❌ | Grants permissions to centralized access, roles and role assignments. |
| Centralized Access | Role | ❌ | ✅ | ✅ | ✅ | ✅ | |
| Centralized Access | Role assignments | ❌ | ✅ | ✅ | ✅ | ✅ | |

| Resource | Permissions | View | Create | Delete | Read | Update | Edit | Manage | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Data Fabric | Permission | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | Grants administrator permissions and is equivalent to the Data Fabric Administrator role. |

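| Resource | Permissions | Create | Delete | Read | Update | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Document Understanding | Classifier | ✅ | ✅ | ✅ | ✅ | Grants administrator permissions and is equivalent to the Document Understanding Administrator role. |
| Document Understanding | Data Set Export | ✅ | ✅ | ✅ | ❌ | |
| Document Understanding | Documents | ❌ | ✅ | ❌ | ❌ | |
| Document Understanding | Document Type | ✅ | ✅ | ✅ | ✅ | |
| Document Understanding | Extractor | ✅ | ✅ | ✅ | ✅ | |
| Document Understanding | Monitor Processed Documents | ❌ | ❌ | ✅ | ❌ | |
| Document Understanding | Monitor Processed Documents Detail | ❌ | ❌ | ✅ | ❌ | |
| Document Understanding | Monitor Project Performance | ❌ | ❌ | ✅ | ❌ | |
| Document Understanding | Project | ✅ | ✅ | ✅ | ✅ | |
| Document Understanding | Project Version | ✅ | ✅ | ✅ | ✅ | |
| Document Understanding | Project Version Label | ✅ | ✅ | ✅ | ✅ | |
| Document Understanding | Tenant Settings | ✅ | ❌ | ✅ | ✅ | |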

| Resource | Permissions | View | Create | Delete | Read | Update | Edit | Manage | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Licensing | Quota | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | Grants permissions to manage quotas. |

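| Resource | Permissions | View | Create | Delete | Edit | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Orchestrator | Action Design | ✅ | ✅ | ✅ | ✅ | Grants administrator permissions and is equivalent to the Orchestrator Administrator role. |
| Orchestrator | Alerts | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | App Versions | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Audit | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Background Tasks | ✅ | ❌ | ❌ | ❌ | |
| Orchestrator | Libraries | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | License | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Machines | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Packages | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Robots | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Roles | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Settings | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Solution Deployments | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Solution Packages | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Tags | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Units | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Users | ✅ | ✅ | ✅ | ✅ | |
| Orchestrator | Webhooks | ✅ | ✅ | ✅ | ✅ | |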

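| Resource | Permissions | View | Create | Delete | Read | Update | Edit | Assign | Toggle | AutomatedExecution | CreateAndUnlinkDefects | ExecutePerformanceTest | ManualExecution | OverrideTestResult | SmartTestGeneration | TestExecutionAssignment | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Test Manager | Performance Scenarios | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Grants administrator permissions and is equivalent to the Test Manager administrator role. |
| Test Manager | Project | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Project Settings | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Prompt | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Requirement | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Role | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Task Permissions | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Test Manager | Test Case | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Test Execution | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Test Manager | Test Set | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |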

To view the available Tenant Administrator role permissions, take the following steps:

1. Navigate to **Admin**.
2. Select **Manage access** at organization level.
3. Select the **Roles** tab.
4. In the **Role Name** column, select the **Tenant Administrator** role. You can now view the **Tenant Administrator** role permissions in the expanded panel.

   

### Known limitations

The following known limitations affect the tenant-level roles:

* The rest of the tenant-level services are currently not supported, and users that only hold the Tenant Administrator role cannot access these services.
* The **Tenant Administrator** cannot access organization-level menus from the interface.
* On the **Admin > Tenants > Services** screen, the **Tenant Administrator** can view enabled services, but cannot add or remove services.
* On the **Admin > Tenants > Manage access** screen, the **Tenant Administrator** can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.

## Service-level roles

Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Service. The permissions for each service are managed within the service itself, not from the organization **Admin** page.

To grant permissions for a service to accounts, you can perform the following actions:

* In the selected service, assign service-level roles to a [group](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/about-accounts#groups) to grant those roles to all member accounts.
* Add accounts to a group that already has the required service-level roles by navigating to **Admin** and selecting **Accounts and Groups**.
* In the selected service, [assign roles to an account](https://docs.uipath.com/test-cloud/automation-suite/2.2510/admin-guide/role-management#assigning-and-managing-service-level-roles).

For the following services, you can create and manage some service-level roles that are external to the service, at platform level:

* Apps
* Automation Ops
* Document Understanding

## Folder- or project-level roles

The folder or project is a scope you manage at service level.

Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows.

Depending on the service you use, you can assign folder- or project-level roles, as follows:

* Folder roles:
  + Orchestrator
* Project roles:
  + Document Understanding
  + Test Manager

## Custom roles

  

### Custom service roles

Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.

To create custom roles at service level, navigate to **Manage access** at service level, where you can define roles, and select your preferred scope and permissions.

Currently, you can create custom service roles for the following services:

* Apps
* Document Understanding

### Custom cross-service roles

Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide.

To create custom roles at tenant level, navigate to **Manage access** at tenant level, where you can define roles, and select your preferred scope and permissions.
