# Role assignments

You can manage and assign service-level roles from within each service as long as you have the appropriate permissions in the service.

For example, users with the **Administrator** role in Orchestrator can create and edit roles, and assign roles to existing accounts.

## Manage access user interface based on scope

The **Manage access** user interface (UI) keeps a consistent appearance across all scopes.

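The following table illustrates what the Manage access UI looks like for each scope:

| Scope | Manage access UI |
| --- | --- |
| Organization | (screenshot: Manage access UI at organization scope) |
| Tenant | (screenshot: Manage access UI at tenant scope) |
| Service | (screenshot: Manage access UI at service scope) |
| Project | (screenshot: Manage access UI at project scope) |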

## Assigning organization-level roles

As an organization administrator, you can navigate to **Manage access** at organization level to assign tenant-level roles.

To view the role definition and the permissions granted, take the following steps:

1. Navigate to **Manage access**.
2. In the **Roles** tab, select the **View** button next to the role.

You can assign an organization-level role to a user, group, robot account, or external application. To assign a role, take the following steps:

1. Navigate to **Manage access**.
2. In the **Role assignments** tab, search for the account you want to assign the role to and choose the appropriate role.
3. Select **Assign**.

## Assigning tenant-level roles

Tenant-level roles can be assigned at tenant level and can grant permissions up to the service level.

**Organization Administrators** or other **Tenant Administrators** can view the **Manage access** screen.

:::note
While **Organization Administrators** can manage access in any tenant, **Tenant Administrators** can manage access only in the tenant they manage.
:::

To view the tenant-level role definition and the permissions granted at tenant and individual service level, take the following steps:

1. Navigate to **Manage access**.
2. In the **Roles** tab, select the **View** button next to the role.

You can assign a tenant-level role to a user, group, robot account, or external application. To assign the role, take the following steps:

1. Navigate to **Manage access**.
2. In the **Role assignments** tab, select **Assign role**.
3. Search for the account you want to assign the role to and choose the appropriate role.
4. Select **Assign** to confirm the assignment.

### Tenant Administrator role visibility at service level

The **Tenant Administrator** role assignment is visible both at tenant and individual service level. At the service level, the **Tenant Administrator** role has the following properties:

* It is shown with a platform role label.
* It is immutable, meaning that you cannot remove the assignment at the service level.
* In some services, such as Orchestrator, there is a link next to the role that redirects you to the **Manage access** page at platform level, where you can change the tenant-level role assignments.

## Assigning and managing service-level roles

You can manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added.

For information and instructions, refer to the applicable documentation, as described in the following table:

| Service | Details |
| --- | --- |
| Orchestrator<br>Action Center<br>Processes<br>Context Grounding<br>Solutions<br>Integration Service<br>Maestro | Managed from Orchestrator. Learn more about roles. |
| Actions | Managed from Orchestrator.<br>For the list of permissions required, refer to Roles and permissions.<br>For instructions on assigning roles, refer to Assigning roles. |
| Processes | Managed from Orchestrator.<br>For the list of permissions required, refer to Roles and permissions in the Action Center documentation.<br>For instructions on assigning roles, refer to Assigning roles. |
| Automation Hub<br>Automation Store | Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, refer to Role description and matrix. |
| AutomationOps | Managed from AutomationOps. For more information, refer to AutomationOps user roles. |
| AI Center | Managed from Orchestrator. For information about the roles required to use AI Center, refer to AI Center access control. |
| Apps | Managed from Orchestrator. For more information, refer to Orchestrator permissions. |
| Data Fabric | Managed from Data Fabric.<br>For more information and instructions, refer to User management.<br>For instructions on assigning roles, refer to Managing access. |
| Document Understanding™ | Managed from Document Understanding. For more information about which roles are required and instructions for assigning them, refer to Role-based access control. |
| Insights | Managed from Insights. For more information, refer to Granting permissions. |
| IXP<br>Communications Mining | Managed from IXP. For more information, refer to Roles and their underlying permissions. |
| Process Mining | Managed from Process Mining. For more information, refer to User management in Process Mining. |
| Studio Web<br>Agents | Managed from Studio Web. For more information, refer to Managing access to Studio Web. |
| Task Mining | Managed using Test Cloud organization-level roles. For information about the rights that organization-level roles grant in Task Mining, refer to Managing access and roles in the Task Mining documentation. |
| Test Manager | Managed from Test Manager. For information and instructions, refer to User and group access management. |
  
 

### Assigning roles to an account

If you want to control the access a certain account has in a service at a more granular level, but you do not want to add new roles to an entire group, you can explicitly add the account to the service and assign one or more service-level roles to it directly.

For information about the available roles and instructions, refer to the documentation for the target service, as previously described.

## Assigning folder- or project-level roles

Depending on the service you use, you can assign:

* folder roles from Orchestrator.
* project roles from:
  + Document Understanding
  + IXP
  + Test Manager
  + Task Mining

For more information, refer to the table in [Assigning and managing service-level roles](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/role-management#assigning-and-managing-service-level-roles).

## Exporting role assignments

To export role assignments, take the following steps:

1. Navigate to **Admin** at organization level.
2. Select **Accounts & local groups**.
3. Select **Download role assignments** for the roles you want to export.

The following table describes the fields from the role assignments file.

| Field | Description |
| --- | --- |
| Id | The unique identifier of the role assignment. |
| RoleName | The role name as displayed in the interface. For example, Folder Administrator |
| RoleId | The unique identifier of the role. |
| RoleDescription | The role description, as displayed in the interface. For example, Folder Administrator |
| RoleType | The role type, as defined by the user or the system:<br>Custom: Role defined by a user.<br>BuiltIn: Role present by default in the Administration portal. |
| RoleAssignmentType | The role assignment type when it was created, which can be one of the following two options:<br>Custom: Assignment made by the user.<br>BuiltIn: Assignment made by default in the Administration portal. |
| Scope | The scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be one of the following hierarchical options, represented as IDs:<br>Organization<br>Tenant<br>Service<br>Folder |
| ScopeWithDisplayNames | The scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be one of the following hierarchical options:<br>Organization<br>Tenant<br>Service<br>Folder |
| ServiceName | The name of the UiPath service that the role belongs to. |
| SecurityPrincipalId | The unique identifier for the identity of a user, group, etc. |
| SecurityPrincipalType | The identity type of a user, group, or robot. |
| SecurityPrincipalEmail | The email of the user. This field is blank in case the identity is not a user. |
| SecurityPrincipalDisplayName | The name of the identity. This field is blank in case of directory users. |
| InheritedFromGroupName | The group name from which the role assignment is inherited. |
| InheritedFromGroupId | Group identifier from which the role assignment is inherited. |
| TenantName | The name of the tenant where the assignment is made. This field is blank in case of organization-level assignments. |
| OrganizationName | The name of the organization where the assignment is made. |
| OrganizationId | The identifier of the organization where the assignment is made. |
| TenantId | The identifier of the tenant where the assignment is made. This field is blank in case of organization-level assignments. |
| CreatedBy | The unique identifier of the user who creates the assignment. |
| CreatedByDisplayName | The name of the user who creates the assignment. |
| CreatedOn | The timestamp when the role is assigned. |
| FolderName | The name of the folder associated with the assignment. |
| FolderKey | The unique identifier of the folder associated with the assignment. |
| ProjectId | The ID of the project (for example, Document Understanding or IXP) associated with the assignment. |
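
An added example, not UiPath's own code, of an access review over the exported role assignments: it lists administrator-type roles that an account holds directly rather than through a group, and the accounts that inherit such roles from each group. It assumes the export is a CSV file whose header row uses the field names above; the sample rows, the `Viewer` role name and the `User`/`Group` type strings are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Column names come from the field table; the CSV layout,
# the "User"/"Group" type strings and every value are assumptions.
SAMPLE_EXPORT = """\
Id,RoleName,SecurityPrincipalType,SecurityPrincipalEmail,SecurityPrincipalDisplayName,InheritedFromGroupName,TenantName,CreatedByDisplayName,CreatedOn
a1,Organization Administrator,User,alice@example.test,,,,Root Admin,2024-01-10T09:00:00Z
a2,Tenant Administrator,User,bob@example.test,Bob,Tenant Admins,Prod,Alice,2024-02-01T12:00:00Z
a3,Folder Administrator,User,carol@example.test,Carol,,Prod,Bob,2024-03-05T08:30:00Z
a4,Viewer,User,dave@example.test,Dave,,Dev,Bob,2024-03-06T08:30:00Z
a5,Tenant Administrator,Group,,Tenant Admins,,Prod,Alice,2024-01-15T10:00:00Z
"""

def load_assignments(text):
    """Parse the export into one dict per role assignment."""
    return list(csv.DictReader(io.StringIO(text)))

def who(row):
    # SecurityPrincipalEmail is blank for non-users; fall back to the name.
    return row["SecurityPrincipalEmail"] or row["SecurityPrincipalDisplayName"]

def is_privileged(row, keyword="administrator"):
    return keyword in row["RoleName"].lower()

def direct_privileged(rows):
    """Administrator-type roles an account holds directly, not via a group."""
    findings = []
    for row in filter(is_privileged, rows):
        if row["SecurityPrincipalType"].lower() == "group":  # assumed value
            continue
        if row["InheritedFromGroupName"].strip():
            continue  # inherited through group membership
        # TenantName is blank for organization-level assignments.
        level = f"tenant:{row['TenantName']}" if row["TenantName"] else "organization"
        findings.append({"principal": who(row), "role": row["RoleName"], "level": level,
                         "granted_by": row["CreatedByDisplayName"], "granted_on": row["CreatedOn"]})
    return findings

def inherited_privileged(rows):
    """Map each group to the accounts inheriting an administrator-type role from it."""
    groups = defaultdict(set)
    for row in filter(is_privileged, rows):
        if row["InheritedFromGroupName"].strip():
            groups[row["InheritedFromGroupName"]].add(who(row))
    return {name: sorted(members) for name, members in groups.items()}

if __name__ == "__main__":
    rows = load_assignments(SAMPLE_EXPORT)
    for f in direct_privileged(rows):
        print(f"{f['principal']}: {f['role']} at {f['level']} (by {f['granted_by']} on {f['granted_on']})")
    print(inherited_privileged(rows))
```

Each direct finding carries `CreatedByDisplayName` and `CreatedOn`, so a reviewer can trace who granted the role and when before deciding whether to move it to a group.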
  
 

## Auto-provisioning

Through auto-provisioning, any directory account can be set up with access and rights for using the UiPath platform directly from the external identity provider (IdP).

Auto-provisioning requires a one-time setup after you enable an integration with a third-party IdP: Microsoft Entra ID or other IdPs that are connected through SAML integration. For details, refer to [Configuring the Microsoft Entra ID integration](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/microsoft-entra-id-integration-for-automation-cloud-and-automation-cloud-public-sector) or [Configuring the SAML integration](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/configuring-the-saml-integration).
