# Roles > Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts. Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts. Accounts and groups typically have an organization-level role and one or more service-level roles. The platform also supports global tenant roles, a distinct category created at organization scope that can be applied across all tenants in the organization. ## Types of roles The following types of roles can include several permissions at either organization level, or at service level: * The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations. * The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful role for when none of the available built-in roles perfectly match the access a user or group should have. ## Scopes and categories A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments. :::note The **Manage access** menu is available within all possible scopes, descending from the organization level down to the project level. ::: A category is a parameter for a custom role that you define for each scope, determining whether you apply the role within the same scope, or within a lower-level scope. ## Types of roles based on scopes and permissions A role is defined by multiple permissions. Permissions can be specific to a certain scope. :::note The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder. ::: The following types roles are based on scopes and permissions: * The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope. Organization-level roles: + Can be created only at the organization level. + Can include only permissions associated with organization-level products and services, such as: - Manage Access - Apps - Automation Ops - Insights (organization-level dashboards) + Can be assigned only at the organization level. + Cannot include permissions for tenant-level products (such as Intelligent Xtraction and Processing (IXP) or Document Understanding). + Cannot manage licensing quotas or other tenant-scoped licensing configurations. * The global tenant role is a type of role you create at organization scope. Unlike organization-level roles, a global tenant role can include permissions for tenant-level products and is designed to span all tenants in the organization. Assignment is performed at tenant or service level, not at organization level. Global-tenant roles: + Are created at the organization level. + Can include permissions associated with organization-level products, as well as supported tenant-level products, such as: - IXP - Document Understanding + If created with IXP permissions, the role becomes visible in all tenants within the organization. + Can be assigned only at tenant or service level (not at organization level). * The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously. * The service role is a type of role you create at service scope. This role type contains permissions from certain services. * The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope. The following table classifies scopes, role types based on scopes and permissions, and examples of roles: Scope Types of roles based on scopes and permissions Examples of roles Organization Organization level roles Insights Dashboard Viewer Organization Administrator Global tenant roles Custom roles spanning all tenants, for example with IXP or Document Understanding permissions. Created using the custom role functionality. Tenant Cross-service roles Tenant Administrator Service Service roles Orchestrator Administrator Folder or project roles Folder Administrator ## Groups and roles In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the **Administrators** default group grants them the **Organization Administrator** role for the organization and the **Administrator** role within your services. This user can manage both organization-level roles from **Admin**, then select **Accounts and Groups**, as well as service-level roles. | Group membership | Organization-level role | Service-level roles for Orchestrator | | --- | --- | --- | | Administrators | Organization Administrator | [Administrator](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#administrator-role) | | Automation Users | User | [Automation User](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#automation-user) at folder level 1[Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#allow-to-be-automation-user) at tenant level | | Automation Developers | User | [Automation User](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#automation-user) at folder level 1[Folder Administrator](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#folder-administrator) at folder level 1[Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#allow-to-be-automation-user) at tenant level[Allow to be Folder Administrator](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#allow-to-be-folder-administrator) at tenant level | | Everyone | User | No roles. | | Automation Express | User | [Allow to be Automation User](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#allow-to-be-automation-user) at tenant level | | [Custom group] | User | No roles by default, but you can [add roles to the group](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/role-management#role-assignments) as needed. | 1 The roles are assigned to the **Shared** modern folder, if it exists. :::note For information about roles across UiPath services, refer to [Role management](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/role-management#role-assignments). ::: ## Organization-level roles The organization level represents the highest level of scope. At organization level, the **Organization Administrator**, **User**, and **Insights Dashboard Viewer** roles are available. You cannot change these roles. Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions. Organization-level roles also include service permissions for services such as Apps and AutomationOps. :::note Licensing quota management is available through tenant-level roles (for example, the Tenant Administrator role). ::: :::note Organization-level roles apply exclusively within the organization scope and cannot include permissions for tenant-level products. If you need a role that spans all tenants or includes tenant-level product permissions, use a global tenant role instead. See [Global tenant roles](#global-tenant-roles). ::: ### Organization administrator role This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role. The organization administrator and the **Tenant Admin** roles are the only roles that allow access to the **Admin** section. The first organization administrator for any given organization is appointed when the organization is created. :::note The organization administrator role is not an assignable role. To have this role assigned to you, you need to be part of the **Administrators** group. ::: To grant this role to others, the organization administrator can add user accounts to the **Administrators** group, which is one of the [default groups](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/about-accounts#default-local-groups). The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table: | Areas subject to permissions | View | Edit | Create | Delete | | --- | --- | --- | --- | --- | | Usage charts and graphs | ✅ | ❌ | ❌ | ❌ | | Tenants | ✅ | ✅ | ✅ | ✅ | | Accounts and groups | ✅ | ✅ | ✅ | ✅ | | Security settings | ✅ | ✅ | ❌ | ❌ | | External applications | ✅ | ✅ | ✅ | ✅ | | Licenses | ✅ | ✅ | ❌ | ❌ | | API keys | ✅ | ❌ | ✅ | ❌ | | Resource center (Help) | ✅ | ❌ | ❌ | ❌ | | Audit logs | ✅ | ❌ | ❌ | ❌ | | Organization settings | ✅ | ✅ | ❌ | ❌ | ### User role This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the **Everyone** [group](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/about-accounts#groups), which grants them the **User** role. This role is granted to all accounts that are in the default groups **Everyone**, **Automation Users**, or **Automation Developers**. This role provides read-only access to pages, such as the **Home** page, **Resource Center** (if available). The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depends on the service-level roles assigned to their account. :::note All platform users are part of the **Everyone** group by default, regardless if they are local or directory users. ::: To grant access to everyone to a specific service, the users need to have the **Everyone** group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the **Everyone** group to a role in Automation Hub. The available services that incorporate this mapping into roles and grant minimal rights within them are: * Studio Web * Apps * Test Manager ### Insights dashboard viewer role :::note Feature availability depends on the cloud platform that you use. For details, refer to the [Feature availability page](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/test-cloud-feature-availability#test-cloud-product-and-feature-availability). ::: The **Insights Dashboard Viewer** role is a built-in role that grants access to organization-level dashboards in Insights and is assigned by the organization administrator. :::note Before assigning the **Insights Dashboard Viewer** role, you must ensure that users have access to the Insights service within any tenant of the organization. ::: To assign this role, see [Assign the Insights Dashboard Viewer role](#assign-the-insights-dashboard-viewer-role). ## Global tenant roles A global tenant role is created at organization scope but is designed to span all tenants in the organization. Unlike organization-level roles — which apply only within organization scope — global tenant roles can include permissions for tenant-level products such as IXP and Document Understanding. Global tenant roles have the following characteristics: - Created at the organization level, in the same interface as organization-level roles. - Can include permissions for both organization-level products and tenant-level products, such as IXP and Document Understanding. - Visible in all tenants within the organization when created with IXP permissions. - Assigned at tenant or service level, not at organization level. :::note Global tenant roles are created using the custom role functionality. For more information, see [Role management](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/role-management#role-assignments). ::: ## Create an organization-level or global tenant role Use this procedure to create a custom role at organization scope. Depending on the category you select, the role applies either exclusively within the organization scope (organization-level role) or across all tenants in the organization (global tenant role). ### Prerequisites - You have the Organization Administrator role. ### Steps 1. Navigate to **Admin**, then select **Manage access** at organization level. 2. Select the **Roles** tab. 3. Select **Create Role**. 4. Enter a **Name** and **Description** for the role. 5. For **Category**, select one of the following: - **Organization-level roles** — if the role applies only within organization scope. - **Tenant (Global)** — if the role must span all tenants in the organization. 6. Select the permissions to include in the role. 7. Select **Save**. ### Result The new role appears on the **Roles** tab. If you created a global tenant role with IXP permissions, the role becomes visible in all tenants within the organization. You can now assign the role to accounts or groups from **Manage access** at tenant or service level. ## Create a tenant-level role Use this procedure to create a custom cross-service role at tenant scope. This role type can include permissions from multiple services simultaneously. ### Prerequisites - You have the Organization Administrator or Tenant Administrator role. ### Steps 1. Navigate to **Admin**, then select **Manage access** at tenant level. 2. Select the **Roles** tab. 3. Select **Create Role**. 4. Enter a **Name** and **Description** for the role. 5. Select the permissions to include in the role. 6. Select **Save**. ### Result The new role appears on the **Roles** tab for that tenant. You can now assign the role to accounts or groups from **Manage access** at tenant or service level. ## Assign the Insights Dashboard Viewer role Use this procedure to grant a user access to organization-level dashboards in Insights. ### Prerequisites - You have the Organization Administrator role. - The user has access to the Insights service within at least one tenant in the organization. ### Steps 1. Navigate to **Admin**, then select **Manage access** at organization level. 2. On the **Role assignments** tab, select **Assign role**. 3. In the **Names** field, search for the user you want to assign the role to. 4. In the **Roles** field, select the **Insights Dashboard Viewer** checkbox. 5. Select **Assign**. ### Result The **Insights Dashboard Viewer** role is assigned to the selected user. The role appears on the **Role assignments** tab. ## Tenant-level roles Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant. Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant. Currently, **Tenant Administrator** is the only built-in role available at the tenant level. ### Tenant Administrator role The **Tenant Administrator** role lets you effectively delegate responsibilities. The role grants access to manage all resources1 in the tenant, allowing operations such as role assignment, licensing management, and service provisioning. The **Tenant Administrator** role can be assigned to multiple accounts. 1The following services support the **Tenant Administrator** role: * Orchestrator (includes Actions, Processes, Integration Service) * Data Service * Document Understanding * Task Mining * Test Manager #### Tenant Administrator role permissions The following tables describe the Tenant Administrator role permissions: Resource Permissions Description View Create Delete Read Update Centralized Access Administration page ✅ ❌ ❌ ❌ ❌ Grants permissions to centralized access, roles and role assignments. Role ❌ ✅ ✅ ✅ ✅ Role assignments ❌ ✅ ✅ ✅ ✅ Resource Permissions Description View Create Delete Read Update Edit Manage Data Fabric Permission ❌ ❌ ❌ ❌ ❌ ❌ ✅ Grants administrator permissions and is equivalent to the Data Fabric Administrator role. Resource Permissions Description Create Delete Read Update Document Understanding Classifier ✅ ✅ ✅ ✅ Grants administrator permissions and is equivalent to the Document Understanding Administrator role. Data Set Export ✅ ✅ ✅ ❌ Documents ❌ ✅ ❌ ❌ Document Type ✅ ✅ ✅ ✅ Extractor ✅ ✅ ✅ ✅ Monitor Processed Documents ❌ ❌ ✅ ❌ Monitor Processed Documents Detail ❌ ❌ ✅ ❌ Monitor Project Performance ❌ ❌ ✅ ❌ Project ✅ ✅ ✅ ✅ Project Version ✅ ✅ ✅ ✅ Project Version Label ✅ ✅ ✅ ✅ Tenant Settings ✅ ❌ ✅ ✅ Resource Permissions Description View Create Delete Read Update Edit Manage Licensing Quota ❌ ❌ ❌ ❌ ❌ ❌ ✅ Grants permissions to manage quotas. Resource Permissions Description View Create Delete Edit Orchestrator Action Design ✅ ✅ ✅ ✅ Grants administrator permissions and is equivalent to the Orchestrator Administrator role. Alerts ✅ ✅ ✅ ✅ App Versions ✅ ✅ ✅ ✅ Audit ✅ ✅ ✅ ✅ Background Tasks ✅ ❌ ❌ ❌ Libraries ✅ ✅ ✅ ✅ License ✅ ✅ ✅ ✅ Machines ✅ ✅ ✅ ✅ Packages ✅ ✅ ✅ ✅ Robots ✅ ✅ ✅ ✅ Roles ✅ ✅ ✅ ✅ Settings ✅ ✅ ✅ ✅ Solution Deployments ✅ ✅ ✅ ✅ Solution Packages ✅ ✅ ✅ ✅ Tags ✅ ✅ ✅ ✅ Units ✅ ✅ ✅ ✅ Users ✅ ✅ ✅ ✅ Webhooks ✅ ✅ ✅ ✅ Resource Permissions Description View Assign Remove Edit Task Mining Manage Access ✅ ❌ ❌ ✅ Grants administrator permissions and is equivalent to the Task Mining Administrator role. Role ❌ ✅ ✅ ❌ Resource Permissions Description View Create Delete Read Update Edit Assign Toggle AutomatedExecution CreateAndUnlinkDefects ExecutePerformanceTest ManualExecution OverrideTestResult SmartTestGeneration TestExecutionAssignment Test Manager Performance Scenarios ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Grants administrator permissions and is equivalent to the Test Manager administrator role. Project ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Project Settings ❌ ❌ ❌ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Prompt ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Requirement ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Role ❌ ✅ ✅ ✅ ❌ ✅ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Task Permissions ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ✅ ✅ ✅ ✅ ✅ ✅ ✅ Test Case ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Test Execution ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ Test Set ❌ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ To view the **Tenant Administrator** role permissions, navigate to **Admin** > **Manage access** at organization level > **Roles** tab, then select **Tenant Administrator** in the **Role Name** column. The permissions appear in the expanded panel. ### Known limitations The following known limitations affect the tenant-level roles: * The rest of the tenant-level services are not supported, and users that only hold the Tenant Administrator role cannot access these services. * The **Tenant Administrator** cannot access organization-level menus from the interface. * On the **Admin > Tenants > Services** screen, the **Tenant Administrator** can view enabled services, but cannot add or remove services. * On the **Admin > Tenants > Manage access** screen, the **Tenant Administrator** can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions. ## Service-level roles Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Fabric. The permissions for each service are managed within the service itself, not from the organization **Admin** page. To grant permissions for a service to accounts, you can perform the following actions: * In the selected service, assign service-level roles to a [group](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/about-accounts#groups) to grant those roles to all member accounts. * Add accounts to a group that already has the required service-level roles by navigating to **Admin**, then select **Accounts and Groups**. * In the selected service, [assign roles to an account](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/role-management#assigning-and-managing-service-level-roles). For the following services, you can create and manage some services-level roles that are external to the service, at platform level: * Apps * Automation Ops * Document Understanding * IXP ## Managing service-level roles Service-level roles are created and managed within each UiPath service, not from the organization **Admin** page. For instructions, refer to the documentation for the specific service you are configuring: - [Orchestrator roles](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/about-roles) - [Document Understanding roles](https://docs.uipath.com/document-understanding/automation-cloud/latest/user-guide/roles) - [IXP roles](https://docs.uipath.com/intelligent-experience-platform/automation-cloud/latest/admin-guide/roles) ## Folder- or project-level roles The folder or project is a scope you manage at service level. Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows. Depending on the service you use, you can assign folder- or project-level roles, as follows: * Folder roles: + Orchestrator * Project roles: + Document Understanding + IXP + Test Manager + Task Mining ## Custom roles Custom roles let you create permission sets tailored to your organization's specific access requirements, offering more granular control than built-in roles. They are available at organization, tenant, and service level. ![Custom roles panel in the Test Cloud Admin portal](https://dev-assets.cms.uipath.com/assets/images/test-cloud/test-cloud-image-449555-1164d441-89109785.webp) :::note Feature availability depends on the cloud platform that you use. For details, refer to the [Feature availability page](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/test-cloud-feature-availability#test-cloud-product-and-feature-availability). ::: ### Custom service roles Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles. To create custom roles at service level, navigate to **Manage access** at service level, where you can define roles, and select your preferred scope and permissions. Currently, you can create custom service roles for the following services: * Apps * Document Understanding * IXP * Studio Web ### Custom cross-service roles Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide. To create custom roles at tenant level, navigate to **Manage access** at tenant level, where you can define roles, and select your preferred scope and permissions. ### Platform-related permissions When creating custom roles, in addition to service-specific permissions, you can assign permissions related to platform-level functionality, such as Authorization, or Licensing. Platform-related permissions are available for custom roles created at both the organization and tenant levels. The following sections list the available platform permissions. #### Organization-level platform permissions * **Standard permissions**: + Authorization/Action: Allows users to view the available authorization actions (permissions) when creating or viewing a custom role. + Authorization/Role: Allows users to view, create, edit, or delete custom roles on the **Roles** tab in **Manage access**. + Authorization/Role assignment: Allows users to view, create, update, or delete role assignments on the **Role assignments** tab in **Manage access**. * **Additional permissions**: + Authorization/Roles assignment - Allows users to export role assignment data from the user interface. #### Tenant-level platform permissions * **Standard permissions**: + Authorization/Action: Allows users to view the available authorization actions (permissions) when creating or viewing a custom role. + Authorization/Role: Allows users to view, create, edit, or delete custom roles on the **Roles** tab in **Manage access**. + Centralized access: Allows users to access both **Roles** and **Role assignments** tabs within a tenant. + Authorization/Role assignment: Allows users to view, create, update, or delete role assignments on the **Role assignments** tab in **Manage access**. * **Additional permissions**: + Authorization/Roles assignment - Allows users to export role assignment data from the user interface at the tenant level. + Licensing - Manage quotas for a tenant in Licensing: Allows users to view and manage tenant licensing quotas, such as license allocation limits and usage.