UiPath Robot

About Automation Projects on the Robot

The Robot is an execution agent, meaning that you have to provide it with the automation projects you want it to run.

After creating an automation project in Studio, it needs to be published locally or to Orchestrator. Once a project is published, you can send it to the Robot machine and start executing it.

On the Robot machine, the automation packages feed is provided as the value of the NuGetServerUrl parameter, in the UiPath.Settings file (%ProgramData%\UiPath). This is populated by default as follows:

  • When NOT connected to Orchestrator - %ProgramData%\UiPath\Packages
  • When connected to Orchestrator - the default Orchestrator feed (~/NuGetPackages)
    Please note that these values can be customized to suit your needs.

The Robot uses the feed which responds the fastest, whether or not it's connected to Orchestrator.

Important:

As of 2018.2, you should specify a Project.json file when running your project from the UiRobot.exe (command line) client. Running .xaml files is still supported, but the workflow must be inside of a project folder.

Package Signature Verification

When you publish a package from Studio or the Command Line, you have the possibility to sign it. Find out more about signing packages on this page.

The Robot verifies the signature of a package when a job is started. A package is not installed if its signature is not trusted.

A package can have a repository and author certificate. However, only a repository certificate is mandatory, but packages are signed this way by default. You can allow the Robot to install packages if they have just a repository signature, or enforce verification of an author signature as well, before installing a package.

After you start a job, the Robot on the particular machine verifies the package signature as follows:

  1. The repository certificate is checked. It is represented by the certificatefingerprint tag. The fingerprint from the NuGet.config needs to be the same as the one from the package:
    • Different - the package is not installed.
    • Same - checks if the package needs to be signed by authors as well.
  2. The value of the allowUntrustedRoot attribute is verified. It means that the package needs to be signed by an author:
    • ="true" - only a repository signature is required, so the package is installed.
    • ="false" - an author signature is required, so an additional check is made.
  3. The author signature is verified, which needs to be in the <owners> tag, inside the <trustedSigners> tag:
    • Not Trusted - the package is not installed.
    • Trusted - the package is installed.

Automation Projects when Connected to Orchestrator

While connected to Orchestrator, the UiPath Robot tray displays all the automation projects the given Robot has been associated with.

Robots that are connected to Orchestrator still need to download and unzip the automation packages locally to execute them. Consequently, when you deploy a package to an environment (create a process) in Orchestrator, it is automatically installed on all the Robot machines from the indicated environment, in the %USERPROFILE%\.nuget\Packages folder.

If for some reason an automation project is no longer available locally, it is marked with the update update_process icon in the UiPath Robot tray. When you click this button, the package is downloaded and unzipped in the %USERPROFILE%\.nuget\Packages folder.

Note:

The %USERPROFILE%\.nuget\Packages folder is automatically created when you first deploy a package to an environment (create a process) in Orchestrator.

If the automation project is not available locally when you start a job in Orchestrator, it automatically downloads it in the %USERPROFILE%\.nuget\Packages folder and all other dependencies (activities), and then starts the execution.

The Robot can be configured to automatically download and start processes when it is connected to Orchestrator. The option is enabled from the Process Settings window in Orchestrator. A process configured this way is automatically downloaded and started when the Robot Tray is launched. Please note that only Attended Robots can automatically download and start processes.

Automation Projects when Not Connected to Orchestrator

The UiPath Robot tray displays, in the Available Processes section, the automation projects that are stored as follows:

  • in both the %ProgramData%\UiPath\Packages and %USERPROFILE%\.nuget\Packages folders
  • only in the %ProgramData%\UiPath\Packages directory. These items are marked with the update update_process icon. Clicking this button unzips the process in the %USERPROFILE%\.nuget\Packages folder.

Only automation projects that are present in the %ProgramData%\UiPath\Packages folder and decompressed in the %USERPROFILE%\.nuget\Packages folder can be executed directly.

Note:

The %ProgramData%\UiPath\Packages folder is created when you first publish an automation project from Studio. If you are not connected to either Studio nor Orchestrator, you have to create this folder.
The %USERPROFILE%\.nuget\Packages directory is created when you decompress the first automation package.

Security Project Considerations

Standard users are prevented from reading and/or writing workflows (*.xaml files) of installed projects. This feature applies to Robot v2018.1.1 and greater instances where the Robot was installed as a service.

The NuGet packages of projects are downloaded and installed by the Robot Service, as previously mentioned. They are protected in the following manner:

  1. A folder for the package about to be installed is created, in the <ProjectName>\<Version> format, in the %USERPROFILE%\.nuget\Packages directory.
  2. The following security measures are taken for the aforementioned directory:
    • Permission inheritance is disabled and all permissions are cleared;
    • Full control is granted to the Local System account and Built-in Administrators; This means that standard users can no longer list, read or write files in the %USERPROFILE%\.nuget\Packages folder.
  3. The package is downloaded and extracted in this directory, using the NuGet package manager, under the Local System account.
  4. All the temporary generated files are also secured.
  5. For each workflow file (*.xaml) present in the secure folder (including subfolders), permission inheritance is disabled and all permissions are cleared.
  6. Full control over these files is granted to the Local System account and Built-in Administrators.
  7. For the %USERPROFILE%\.nuget\Packages\<ProjectName>\<Version> folder, the inheritance is enabled. The permissions for the %USERPROFILE%\.nuget\Packages\<ProjectName>\<Version> directory are now the same as those for the parent directory, %USERPROFILE%.

Important!

Access to workflow files (*.xaml) remains protected since the permissions for these were explicitly set without inheritance at step 5. Access to other files in the project folder is granted to standard users.

Securely installed projects are ran by Robot executor instances in standard user mode.

The Robot executor cannot access the workflow files (*.xaml) by itself in the installation folder (%USERPROFILE%\.nuget\Packages\<ProjectName>\<Version>), and performs the following steps:

  1. Makes an open file request to the Robot Service.
  2. The Robot Service enables access to the requested workflow files only for executors that were created by the Robot Service.
  3. The Robot Service does not allow other user processes to obtain access to a protected workflow file.

Important!

The packages installed by a previous UiPath version (previous to 2018.1) remain unprotected.
Only Admins can delete projects.

Updated 22 days ago



About Automation Projects on the Robot


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.