Orchestrator
2023.4
false
Banner background image
Orchestrator User Guide
Last updated 2024年5月20日

Enabling users to run automations on unattended infrastructure via unattended robots

UiPath accounts can be thought of as identities intended to represent human (user accounts) or non-human users (robot accounts) that need to be authorized to access Orchestrator resources. These accounts and their association with roles allows for a certain level of access to resources in Orchestrator. Learn about access control in Orchestrator.

Unattended automation typically runs on robot accounts, the UiPath equivalent of Windows service accounts. An administrator can enable an unattended robot to impersonate a user account, that is act on behalf of that user identity, to allow the robot to run automations with the same privileges as the user it impersonates.

Running unattended automations on user accounts is typically done by developers debugging their automation projects, and business users running automations under their own identity, but on server-side resources instead of their local machines.

Running background processes on unattended infrastructure is also possible via personal remote automation which is easier to set up since it does not need an unattended robot enabled for the user account. See how to enable your users to run personal automation.

The differences between personal remote automations and unattended automation capabilities on a user account are:

  • You can only run personal remote automations if the underlying process is a background process; it does not work for processes that require user interaction. To execute processes that require user interaction configuring an unattended robot is still required.
  • In personal remote automation, the user's identity is used for executing that single process, so it helps achieve granular control in terms of when and how the user's identity is used. Unattended robots, on the other hand, act as the user they impersonate to execute processes across all folders the user has access to.

This article describes how administrators can enable developers and business users to:

  • Run background processes on unattended infrastructure, by allowing an unattended robot to impersonate a user for execution;
  • Run processes that require user interaction on unattended infrastructure; by allowing an unattended robot to impersonate a user for execution.

Running automations in a folder

Users can debug and run processes from all folders they have access to. They can use unattended infrastructure for execution, provided that an administrator has allocated to that folder the physical resources to run unattended automation, that is they assigned to that folder a machine template object with at least one runtime. Typically, for debugging, a NonProduction runtime is used.

Developers and business users can launch a process either by launching a job manually or via triggers in that folder.



If the user does not see any runtimes available when starting a job from Orchestrator, then the admin should make sure that:

  • they assigned both the user account and a machine template to the folder that contains the process to be executed.
  • they assigned runtimes to the machine template. This is not necessary in personal workspaces.

Debugging in a personal workspace

A personal workspace is the personal folder of a user and it acts as a separate and segregated storage space from the official Orchestrator feed. In a personal workspace, Orchestrator takes over several operations an admin would have to perform in a folder, allowing publishing, running and debugging automation projects without the admin intervention:

  • Orchestrator automatically creates a process from each package published from Studio to the personal workspace feed of that user;
  • Orchestrator automatically manages machine templates on the behalf of the administrator for personal workspace owners and a machine template with a Development runtime is automatically created and assigned to each new personal workspace.

Users can debug or run a process either by launching a job manually or via triggers in that workspace.



Enabling users to debug from Orchestrator

For a user to run processes on unattended infrastructure, an administrator needs to enable for them both personal automation capabilities (which enables them to perform the operations described here) and impersonation by an unattended robot (which enables the robot on a physical host machine to run under that user's identity).

Required licenses:
  • a user license
  • an unattended runtime

To enable users to debug processes on unattended infrastructure, do the following when referencing or editing the user account in Orchestrator:

  1. Click the Personal automation setup tab to configure personal automation for that user. If the user is member of a group with personal automation capabilities, then they inherit the capabilities from that group and you can skip this step.
  2. Enable the Enable users in this group to run automations toggle. This enables users in that group to:
    • Run automation on their local machine via the UiPath Assistant;
    • Run background personal remote automations in folders where the user has the necessary permissions;
    • Run and debug in UiPath Studio, both desktop and web.
  3. In the Settings section, enable the Enable Personal Workspaces for members of this group toggle. This enables users in that group to:
    • Manage automations in their personal workspace;
    • Run background personal remote automations in their personal workspaces.
  4. Click the Unattended setup tab to configure unattended debugging settings for the user.
  5. Enable the Allow unattended robots to run automations as this user toggle to allow user account impersonation by unattended robots. This enables unattended robots to:
    • Run unattended automations under that user's identity to run background unattended automation and automations that require user interaction (further configured in step 5).
  6. In the Foreground automations settings section, select the infrastructure to be used for executing unattended foreground processes under that account:
    1. Select the Use a specific Windows user account. Add credentials below option to execute processes on a specific Windows machine. You must specify correct credentials for that host machine, such that the robot can log into it successfully. This allows running processes that require user interaction under that specific Windows account. Here's how to configure the credential settings when using specific Windows accounts:

      Field

      Description

      Domain\Username

      The account under which the robot runs.

      • For domain-joined accounts, use the domain\username syntax. For example deskover\localUser1.
      • For local Windows accounts, use the host_machine_name\username syntax, with the host machine's name instead of the domain. For example, LAPTOP1935\localUser2.
      • For local Windows accounts residing on multiple host machines, which you want to use regardless of machine, use the .\username syntax with a dot instead of the host machine name. For example .\localUser3.
      • For Azure AD joined machines, use the azuread\username@domain.com syntax.

      Credential store

      The credential store to be used for your password. Click here for details about credential stores.

      Password

      The password used to log on to the machine on which UiPath Robot is installed.

      Credential type

      Specifies the type of password credential.

  7. Enable the Run only one job at a time option to restrict the user from simultaneously executing multiple jobs. This helps when automating applications that do not allow for a credential to be be used more than once at a time (e.g., SAP).
  8. Click Add or Update. The user account is created/updated.


Enabling users without Orchestrator access to debug on the host machine

When interactive authentication is enforced, in UiPath Assistant, a user can only see the processes to which they have access and only after signing in to their account. A user license is also required. Therefore, unattended processes which do not run under a user account are not available in UiPath Assistant for troubleshooting, making it impossible for a user to debug an unattended process by logging into that host machine.

To overcome this, an administrator can temporarily enable a troubleshooting session on their machine. Doing this lets the user see and run the unattended process locally, without requiring a user license. The troubleshooting session is temporary and the above only applies while troubleshooting is active.

You can also use Studio for its remote debugging capabilities. It allows running and debugging attended and unattended processes on remote machines, including on Linux robots that can run cross-platform projects.

Step 1. Enable a troubleshooting session

  1. Go to Tenant > Monitoring.
  2. Select Unattended sessions from the Section dropdown menu.
  3. Identify the machine where the error occurred, click More Actions at the end of the machine row and select Configure troubleshooting session.

    The option is only available if interactive authentication is enforced.

    You can find out on which machine a process ran by selecting the Processes section.

    The Configure troubleshooting session dialog opens:



  4. Under Troubleshooting session, click the toggle to switch it to Enabled.
  5. In the Session timeout (minutes) box, edit the value to change the number of minutes the troubleshooting session should be active.

    After the specified number of minutes passes, the troubleshooting session is automatically disabled and no further connections are accepted. However, any existing connections remain active until disconnected.

  6. Click Save.

Step 2. Connect to UiPath Assistant

Follow these instructions to connect to the machine and run the unattended processes from UiPath Assistant with your account.

  1. In Orchestrator, go to Tenant > Machines and click Copy Client ID / Machine keydocs image at the end of the machine row to copy the machine key to your clipboard.
  2. In UiPath Assistant, click the user icon in the title bar and select Preferences.
  3. Select the Orchestrator Settings tab and click Disconnect or Sign out if needed so that you can edit the connection settings.
  4. Configure the connection as follows:
    1. Connection Type - Select Machine Key.
    2. Orchestrator URL - Add the URL to the Orchestrator instance, which should include the tenant and organization.
    3. Machine Key - Paste the copied machine key from your clipboard.
  5. Click Connect and then close the Preferences window.
  6. If you do not see the unattended processes in Assistant, then go to Preferences > Sign In and log in with your credentials.

Now you can run unattended processes from UiPath Assistant to troubleshoot them.

Step 3. Extend or disable the troubleshooting session

When you have finished debugging, you can disable the troubleshooting session for the machine so that it won't allow attended connections anymore. Or, if you need to, you can extend the amount of time that the session is active.

  1. Go to Tenant > Monitoring.
  2. Select Unattended sessions from the Section dropdown menu.
  3. Click More Actions at the end of the machine row and select Configure troubleshooting session.
  4. In the Configure troubleshooting session dialog:

    • Close the session: switch the toggle under Troubleshooting session to Disabled.

      When disabled, no further connections are accepted. However, any existing connections remain active until disconnected.

    • Extend the session: Edit the value in the Session timeout (minutes) box with a greater value to extend the session to the specified duration.
  5. Click Save.
  6. Disconnect UiPath Assistant to close the connection.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.