orchestrator
2023.10
false
Orchestrator User Guide
Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Nov 7, 2024

Configuring access for accounts

As an administrator, you can configure fine-grained tenant or folder permissions for objects that already exist at the organization level (i.e. groups, users, robot accounts, external apps), via Orchestrator, by assigning them to tenants or folders in Orchestrator. An object gets the permissions required to perform particular operations in a tenant or folder through one or more roles.

You can use groups to simplify access control, as groups allow you to manage objects with similar needs together.

Tenant-level access control

The Manage access page allows you to control access for all objects (i.e.groups, users, robot accounts, external apps). This means that you can:
  • assign to a tenant any objects that already exist at the organization level
  • configure permissions for objects in Orchestrator
  • remove tenant access from the existing objects

Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.

Assigning groups to a tenant

In a tenant, when assigning groups and adding roles to it, note that these are inherited by all users and robot accounts that are part of that group.

Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.

  1. In the search field, type an existing user group to which you want to prove tenant access.

    Should a new group be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.

  2. Click the Roles field and select the checkbox for each role you want to assign to the selected group.

    If needed, you can define a new role by clicking New role.

  3. Under Account Settings, you can choose if the group members can to log in to the Orchestrator UI.
    Important: If the UI access setting is enabled for at least one of the groups to which an account belongs (including the Everyone group), then disabling it at the account level or for other groups has no effect for that particular account, only for other group members that are not in the same situation.
  4. If you want to also create an attended robot for group members, click Next.

    Otherwise, click Skip and assign to apply your settings.

Assigning accounts to a tenant

We recommend that you manage user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular user, you can directly provide access to the user, as follows:

  1. In the search field, type the user to whom you want to assign access to the tenant.

    Should a new user be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.

  2. Click the Roles field and then select the check box for each role you want to assign to the selected user.

    If needed, you can define a new role by clicking New role.

  3. Under Account Settings, you can choose if the user can log in to the Orchestrator UI.
    If this account is a member of any groups that have UI access enabled, changing this setting for individual accounts has no effect because the group-level setting is inherited by all accounts. To control UI access for individual accounts, you must either remove the account from groups with a conflicting setting, or remove the group with the conflicting setting from Orchestrator.
  4. (Optional) Under Update policy settings, choose the release level to which you want this user to be required to update UiPath applications on their workstation. If you select a policy, the user will not be able to use UiPath® Robot, Studio, or Assistant until they upgrade these applications to the version required by the policy. This setting can help you make sure that all your users are using the same versions.
  5. If you want to also create an attended or unattended robot for this user, click Next.

    Otherwise, click Skip and assign to apply your settings.

Assigning robot accounts to a tenant

We recommend that you manage robot access by assigning roles to groups and then adequately assigning robot accounts to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular robot account, you can directly grant access to the robot, as follows:

  1. In the search field, type the robot account to which you want to grant access to the tenant.

    Should a new robot be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.

  2. Click the Roles field and then select the checkbox for each role you want to assign to the selected robot.

    If needed, you can define a new role by clicking New role.

  3. If you want to also create an unattended robot for this user, click Next.

    Otherwise, click Skip and assign to apply your settings.

Assigning external apps to a tenant

As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.

  1. Go to Tenant > Manage Access. The Manage Access page is displayed.
  2. Click Assign roles > External app. The Assign roles to an external app window is displayed.


  3. In the search field, type the name of the external app you want to add.
  4. Under Roles, select the role(s) for this object.
  5. Click Assign.

Assigning multiple accounts

  1. Go to Tenant > Manage access and click the Roles tab.
  2. On the Roles page, select a role from the list and click More Actionsdocs image > Manage Users.

    The Manage Users window is displayed and all users, groups, and robots are listed. If a checkbox is selected, that means the objects have this role assigned to them.

  3. Select or clear the checkboxes as needed so that only those who should have this role are selected.


  4. Click Update to apply your changes.

Changes to roles apply immediately when a user logs in, or automatically within one hour.

Checking Assigned Roles

To see what roles are assigned to a user or a group:

  1. Go to Tenant > Manage access > Assign roles tab.
  2. Click the Check roles & permissions above the table.

    The Check roles window opens.

  3. In the Select a user field, type to search for the group or user whose roles you want to check. Optionally, filter the results by Users or Groups.
  4. Select the group or user from the search results.

    You can see the user or group's roles at the tenant and folder level. You can also see whether the role has been explicitly assigned or inherited from a group they are in.



    Important: If you are using an Azure AD guest user account, the role information that is displayed may not be accurate.

Activating or deactivating a user

Note: Only users with administrative privileges can perform this operation. Orchestrator access is revoked for deactivated users.
  1. Go to Tenant > Manage access > Assign roles tab.
  2. Select the user you want to remove the access for, click More Actions , and select Activate or Deactivate.

    The user entity is updated on the Users page.

Removing a user or group

Removing a user or group from Orchestrator does not delete the account from your organization.

  1. Go to Tenant > Manage access > Assign roles tab.
  2. Select the user or group, click More Actions docs image, and select Remove.

    If the user whose role you want to delete has a robot that is currently busy, you are informed that any running jobs will be deleted, and are asked whether you want to proceed with the deletion or cancel the operation.

  3. Confirm the operation.

The user or group is removed from Orchestrator and all roles are revoked.

Alternatively, select one or multiple users, and click the Remove button.

Important:
  • You cannot remove a user having the Administrator role.
  • You cannot remove or unassign users part of mappings that are employed in triggers from the folder the trigger resides in. Make sure the user is not set as an execution target in a trigger so you can delete them.
  • Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant.

Recommended role-to-group mapping

The right combination of group and role allows you to correctly separate permissions, and give granular control to the appropriate people. To achieve this, we recommend the following role-group pairing:

Group

Has access to the Orchestrator interface

Has access to all folders/personal workspace only

Has API access

Tenant role

Folder role

Automation Users

No

Personal workspace

Important:

If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.

Yes

Allow to be Automation User

Automation User

Automation Developers

Yes

All folders

Yes

Allow to be Automation DeveloperAutomation Developer

Administrators

Yes

All folders

Yes

Orchestrator Administrator

Folder Administrator

Automation Express

Yes

All folders

Yes

Allow to be Automation User

Automation User

Troubleshooting

The Not Found error

If an account was removed from the organization, when attempting to edit, enable/disable, or remove the account from Orchestrator (Tenant > Manage Access), a Not found (#1002) error is displayed.

In this case, the account in fact no longer exists and no longer has access to the UiPath products.

Folder-level access control

In the tenant, access can also be controlled at folder-level from the Folders tab, used for managing folders and objects, and from the folder context, in the sidebar menu.

Assigning objects to a folder

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next, click Assign and select the object to be added to the folder.

Note: You can also filter objects by category (all, user, group, robot account, external app).

In order to assign the object, you are required to add a role to it. Once this is done, click Assign, and the object becomes visible in the list.

Another method to assign objects to a folder is to go to the folder context from the sidebar menu and click Users > Assign. In the search field, type the name of the object you want to add to the folder, select the roles it needs, and click Assign to finish the configuration.

Editing access

To give specific folder access to assigned objects (groups, users, robot accounts, external apps), open a folder from the sidebar menu and go to Users. Next to the object for which you want to edit the folder access, click More Actions > Edit role in this folder. This brings up the assign page, where you can add or remove any roles for the selected object.

The same steps can be applied when going to Tenant > Folder tab > Accounts & Groups > More Actions next to the object you want to modify > Edit role in this folder. Now you can add or remove any roles for the selected object.

Removing folder access

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next to the object you would like to remove, click More Actions > Unassign. Once this is performed, the object no longer has access to that folder.

Important: Accounts part of account-machine mappings that are employed in triggers cannot be deleted or unassigned from the folder in which the trigger resides. Make sure the account is not set as an execution target in a trigger to be able to delete it.

Subfolder access

A folder hierarchy can be established with up to 7 levels. This structure includes the top-level folder and allows for 6 additional layers of subfolders beneath it. In terms of user access, it is inherited from the parent folders. This means if you are assigned access to a folder, you automatically gain access to all of its subfolders.

Important: Performance degradation and possible errors occur when loading the Folder selection menu for an account assigned to more than 1,000 folders.

Personal Workspace access control

When configuring attended robots for a group or a single user, you also have the option to create a personal workspace for it.

To enable this option, go to Tenant > Manage Access > select the user or group > More Actions > Edit > Next > check the option Enable this user to run automations > check the option Create a personal workspace for this user. Once this is done, a new folder, My Workspace, is visible in the sidebar menu, next to the other folders.

Personal Workspaces permissions

Tenant-level permissions required to manage the workspaces of other users:

  • Settings - View and Settings - Edit to allow the use of personal workspaces in the tenant from the Tenant > Settings page.
  • Users - View and Users - Edit to enable a personal workspace for a user or group by editing it from the Manage Access page.

Folder-level permissions required to use a personal workspace:

  • Alerts - View to see alerts generated for the personal workspace.
  • Actions - View,Actions - Edit,Actions - Create, and Actions - Delete to enable long-running workflow execution in the personal workspace.
  • Action Catalogs - View,Action Catalogs - Edit,Action Catalogs - Create,Action Catalogs - Delete to allow the user to manage action catalogs in the personal workspace.

Checking Assigned Roles

To see what roles are assigned to a user or a group:

  1. Go to Tenant > Manage access > Assign roles tab.
  2. Click the Check roles & permissions above the table.

    The Check roles window opens.

  3. In the Select a user field, type to search for the group or user whose roles you want to check. Optionally, filter the results by Users or Groups.
  4. Select the group or user from the search results.

    You can see the user or group's roles at the tenant and folder level. You can also see whether the role has been explicitly assigned or inherited from a group they are in.



    Important: If you are using an Azure AD guest user account, the role information that is displayed may not be accurate.

Recommended role-to-group mapping

The right combination of group and role allows you to correctly separate permissions, and give granular control to the appropriate people. To achieve this, we recommend the following role-group pairing:

Group

Has access to the Orchestrator interface

Has access to all folders/personal workspace only

Has API access

Tenant role

Folder role

Automation Users

No

Personal workspace

Important:

If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.

Yes

Allow to be Automation User

Automation User

Automation Developers

Yes

All folders

Yes

Allow to be Automation DeveloperAutomation Developer

Administrators

Yes

All folders

Yes

Orchestrator Administrator

Folder Administrator

Automation Express

Yes

All folders

Yes

Allow to be Automation User

Automation User

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.