orchestrator

2023.10

false

Getting started
- Introduction
- User options
- Logging in to Orchestrator
- Resetting your password
- Robots
  - Robot Statuses
  - Robot Settings
- Auto Updating Client Components
- Orchestrator Configuration Checklist
Best practices
- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Unattended automation
- Organizing Resources With Tags
- Orchestrator Read-only Replica
- Exporting grids in the background
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
- Folders
- Monitoring
- Access control
  - Account types
  - Default roles
  - Managing custom roles
  - Configuring access for accounts
- Configuring automation capabilities
- Machines
- Packages
- Audit
- Credential Stores
  - Managing credential stores
  - Integrating credential stores
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Alerts
- Settings - Tenant Level
Resource Catalog Service
- About Resource Catalog Service
Folders Context
- About the Folders Context
- Home
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- Recording
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
- Running Personal Remote Automations
- Process Data Retention Policy
Triggers
- About triggers
  - Time triggers
  - Queue triggers
- Managing triggers
  - Creating a time trigger
  - Creating a queue trigger
- Managing Non-Working Days
- Using Cron Expressions
  - Triggering jobs on the last day of the month
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
- Orchestrator Logs
Monitoring
- About Monitoring
- Machines
- Processes
- Queues
- Queues SLA
Queues
- About Queues and Transactions
- Bulk uploading Queue Items using a CSV file
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read only)
- Storing Assets in HashiCorp Vault (read only)
- Storing Assets in AWS Secrets Manager (read only)
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
- Moving Bucket Data Between Storage Providers
Test Suite - Orchestrator
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
- Testing Data Retention Policy
Other Configurations
- Increasing the Size Limit of Package Files
- Setting up Encryption Key Per Tenant
- GZIP Compression
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Host administration
- About the host level
- Managing system administrators
- Managing tenants
- Configuring host authentication settings
- Managing your host license
  - Allocating Licenses to Tenants
- Configuring system email notifications
- Configuring other host settings
- Audit logs for the host portal
- Maintenance Mode
Organization administration
- About organizations
- Managing organization administrators
- Managing organization settings
- Configuring organization authentication
  - Setting up the Azure AD integration
  - Configuring the SAML integration
    - Setting up SAML SSO with Azure AD
- Configuring organization security
  - Session policy
  - Restricting access to a set of users
- About licensing
  - Activating your license
- Accounts and groups
  - Managing access
  - Managing accounts and groups
- Authorizing external applications
  - Managing external OAuth applications
  - Configuring fine-grained access for confidential apps
- Managing tags
- Overriding system email settings
  - Email setup
    - System emails are not sent - SslHandshakeException
- Audit logs
Troubleshooting
- About Troubleshooting
- Frequently Encountered Orchestrator Errors
- Browser group policies
- Cron Expressions

Orchestrator User Guide

DELIVERY:

Automation Cloud Automation Cloud Public Sector Automation Suite Standalone

Last updated Nov 7, 2024

Configuring access for accounts

As an administrator, you can configure fine-grained tenant or folder permissions for objects that already exist at the organization level (i.e. groups, users, robot accounts, external apps), via Orchestrator, by assigning them to tenants or folders in Orchestrator. An object gets the permissions required to perform particular operations in a tenant or folder through one or more roles.

You can use groups to simplify access control, as groups allow you to manage objects with similar needs together.

Tenant-level access control

The Manage access page allows you to control access for all objects (i.e.groups, users, robot accounts, external apps). This means that you can:

assign to a tenant any objects that already exist at the organization level
configure permissions for objects in Orchestrator
remove tenant access from the existing objects

Group configuration (roles, web login, robot settings) is passed on to any user that belongs to that group and is later added or auto-provisioned.

Assigning groups to a tenant

In a tenant, when assigning groups and adding roles to it, note that these are inherited by all users and robot accounts that are part of that group.

Groups are created and maintained by organization administrators from the Admin > Accounts and Groups page.

In the search field, type an existing user group to which you want to prove tenant access.

Should a new group be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and select the checkbox for each role you want to assign to the selected group.

If needed, you can define a new role by clicking New role.
Under Account Settings, you can choose if the group members can to log in to the Orchestrator UI.

Important: If the UI access setting is enabled for at least one of the groups to which an account belongs (including the Everyone group), then disabling it at the account level or for other groups has no effect for that particular account, only for other group members that are not in the same situation.
If you want to also create an attended robot for group members, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning accounts to a tenant

We recommend that you manage user access by assigning roles to groups and then adequately assigning users to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular user, you can directly provide access to the user, as follows:

In the search field, type the user to whom you want to assign access to the tenant.

Should a new user be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and then select the check box for each role you want to assign to the selected user.

If needed, you can define a new role by clicking New role.
Under Account Settings, you can choose if the user can log in to the Orchestrator UI.
If this account is a member of any groups that have UI access enabled, changing this setting for individual accounts has no effect because the group-level setting is inherited by all accounts. To control UI access for individual accounts, you must either remove the account from groups with a conflicting setting, or remove the group with the conflicting setting from Orchestrator.
(Optional) Under Update policy settings, choose the release level to which you want this user to be required to update UiPath applications on their workstation. If you select a policy, the user will not be able to use UiPath® Robot, Studio, or Assistant until they upgrade these applications to the version required by the policy. This setting can help you make sure that all your users are using the same versions.
If you want to also create an attended or unattended robot for this user, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning robot accounts to a tenant

We recommend that you manage robot access by assigning roles to groups and then adequately assigning robot accounts to the right groups to grant them the necessary roles.

However, if you need to perform a one-time role assignment for a particular robot account, you can directly grant access to the robot, as follows:

In the search field, type the robot account to which you want to grant access to the tenant.

Should a new robot be required, click Manage Accounts to arrive at the organiation level, where all new objects are added.
Click the Roles field and then select the checkbox for each role you want to assign to the selected robot.

If needed, you can define a new role by clicking New role.
If you want to also create an unattended robot for this user, click Next.

Otherwise, click Skip and assign to apply your settings.

Assigning external apps to a tenant

As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps, by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.

Go to Tenant > Manage Access. The Manage Access page is displayed.
Click Assign roles > External app. The Assign roles to an external app window is displayed.
In the search field, type the name of the external app you want to add.
Under Roles, select the role(s) for this object.
Click Assign.

Assigning multiple accounts

Go to Tenant > Manage access and click the Roles tab.
On the Roles page, select a role from the list and click More Actions > Manage Users.

The Manage Users window is displayed and all users, groups, and robots are listed. If a checkbox is selected, that means the objects have this role assigned to them.
Select or clear the checkboxes as needed so that only those who should have this role are selected.
Click Update to apply your changes.

Changes to roles apply immediately when a user logs in, or automatically within one hour.

Checking Assigned Roles

To see what roles are assigned to a user or a group:

Go to Tenant > Manage access > Assign roles tab.
Click the Check roles & permissions above the table.

The Check roles window opens.
In the Select a user field, type to search for the group or user whose roles you want to check. Optionally, filter the results by Users or Groups.
Select the group or user from the search results.

You can see the user or group's roles at the tenant and folder level. You can also see whether the role has been explicitly assigned or inherited from a group they are in.

Important: If you are using an Azure AD guest user account, the role information that is displayed may not be accurate.

Activating or deactivating a user

Note: Only users with administrative privileges can perform this operation. Orchestrator access is revoked for deactivated users.

Go to Tenant > Manage access > Assign roles tab.
Select the user you want to remove the access for, click More Actions , and select Activate or Deactivate.

The user entity is updated on the Users page.

Removing a user or group

Removing a user or group from Orchestrator does not delete the account from your organization.

Go to Tenant > Manage access > Assign roles tab.
Select the user or group, click More Actions , and select Remove.

If the user whose role you want to delete has a robot that is currently busy, you are informed that any running jobs will be deleted, and are asked whether you want to proceed with the deletion or cancel the operation.
Confirm the operation.

The user or group is removed from Orchestrator and all roles are revoked.

Alternatively, select one or multiple users, and click the Remove button.

Important:

You cannot remove a user having the Administrator role.
You cannot remove or unassign users part of mappings that are employed in triggers from the folder the trigger resides in. Make sure the user is not set as an execution target in a trigger so you can delete them.
Removing a directory group does not remove the license of an associated directory user, even if the group removal unassigns the user from any folder. The only way to release the license is to close UiPath Assistant.

Recommended role-to-group mapping

The right combination of group and role allows you to correctly separate permissions, and give granular control to the appropriate people. To achieve this, we recommend the following role-group pairing:

Group	Has access to the Orchestrator interface	Has access to all folders/personal workspace only	Has API access	Tenant role	Folder role
Automation Users	No	Personal workspace Important: If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.	Yes	Allow to be Automation User	Automation User
Automation Developers	Yes	All folders	Yes	Allow to be Automation Developer	Automation Developer
Administrators	Yes	All folders	Yes	Orchestrator Administrator	Folder Administrator
Automation Express	Yes	All folders	Yes	Allow to be Automation User	Automation User

Troubleshooting

The Not Found error

If an account was removed from the organization, when attempting to edit, enable/disable, or remove the account from Orchestrator (Tenant > Manage Access), a Not found (#1002) error is displayed.

In this case, the account in fact no longer exists and no longer has access to the UiPath products.

Folder-level access control

In the tenant, access can also be controlled at folder-level from the Folders tab, used for managing folders and objects, and from the folder context, in the sidebar menu.

Assigning objects to a folder

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next, click Assign and select the object to be added to the folder.

Note: You can also filter objects by category (all, user, group, robot account, external app).

In order to assign the object, you are required to add a role to it. Once this is done, click Assign, and the object becomes visible in the list.

Another method to assign objects to a folder is to go to the folder context from the sidebar menu and click Users > Assign. In the search field, type the name of the object you want to add to the folder, select the roles it needs, and click Assign to finish the configuration.

Editing access

To give specific folder access to assigned objects (groups, users, robot accounts, external apps), open a folder from the sidebar menu and go to Users. Next to the object for which you want to edit the folder access, click More Actions > Edit role in this folder. This brings up the assign page, where you can add or remove any roles for the selected object.

The same steps can be applied when going to Tenant > Folder tab > Accounts & Groups > More Actions next to the object you want to modify > Edit role in this folder. Now you can add or remove any roles for the selected object.

Removing folder access

Go to Tenant > Folders tab, choose the folder, and click Accounts & Groups. Next to the object you would like to remove, click More Actions > Unassign. Once this is performed, the object no longer has access to that folder.

Important: Accounts part of account-machine mappings that are employed in triggers cannot be deleted or unassigned from the folder in which the trigger resides. Make sure the account is not set as an execution target in a trigger to be able to delete it.

Subfolder access

A folder hierarchy can be established with up to 7 levels. This structure includes the top-level folder and allows for 6 additional layers of subfolders beneath it. In terms of user access, it is inherited from the parent folders. This means if you are assigned access to a folder, you automatically gain access to all of its subfolders.

Important: Performance degradation and possible errors occur when loading the Folder selection menu for an account assigned to more than 1,000 folders.

Personal Workspace access control

When configuring attended robots for a group or a single user, you also have the option to create a personal workspace for it.

To enable this option, go to Tenant > Manage Access > select the user or group > More Actions > Edit > Next > check the option Enable this user to run automations > check the option Create a personal workspace for this user. Once this is done, a new folder, My Workspace, is visible in the sidebar menu, next to the other folders.

Personal Workspaces permissions

Tenant-level permissions required to manage the workspaces of other users:

Settings - View and Settings - Edit to allow the use of personal workspaces in the tenant from the Tenant > Settings page.
Users - View and Users - Edit to enable a personal workspace for a user or group by editing it from the Manage Access page.

Folder-level permissions required to use a personal workspace:

Alerts - View to see alerts generated for the personal workspace.
Actions - View,Actions - Edit,Actions - Create, and Actions - Delete to enable long-running workflow execution in the personal workspace.
Action Catalogs - View,Action Catalogs - Edit,Action Catalogs - Create,Action Catalogs - Delete to allow the user to manage action catalogs in the personal workspace.

Checking Assigned Roles

To see what roles are assigned to a user or a group:

Go to Tenant > Manage access > Assign roles tab.
Click the Check roles & permissions above the table.

The Check roles window opens.
In the Select a user field, type to search for the group or user whose roles you want to check. Optionally, filter the results by Users or Groups.
Select the group or user from the search results.

You can see the user or group's roles at the tenant and folder level. You can also see whether the role has been explicitly assigned or inherited from a group they are in.

Important: If you are using an Azure AD guest user account, the role information that is displayed may not be accurate.

Recommended role-to-group mapping

Group	Has access to the Orchestrator interface	Has access to all folders/personal workspace only	Has API access	Tenant role	Folder role
Automation Users	No	Personal workspace Important: If a user is assigned to other folders via API, they also have access to those in addition to the personal workspace.	Yes	Allow to be Automation User	Automation User
Automation Developers	Yes	All folders	Yes	Allow to be Automation Developer	Automation Developer
Administrators	Yes	All folders	Yes	Orchestrator Administrator	Folder Administrator
Automation Express	Yes	All folders	Yes	Allow to be Automation User	Automation User

On this page

Tenant-level access control
Assigning groups to a tenant
Assigning accounts to a tenant
Assigning robot accounts to a tenant
Assigning external apps to a tenant
Assigning multiple accounts
Checking Assigned Roles
Activating or deactivating a user
Removing a user or group
Recommended role-to-group mapping
Troubleshooting
Folder-level access control
Assigning objects to a folder
Editing access
Removing folder access
Subfolder access
Personal Workspace access control
Checking Assigned Roles

Was this page helpful?

PREVIOUSManaging custom roles

NEXTConfiguring automation capabilities

Support and Services

Get The Help You Need

UiPath Academy

Learning RPA - Automation Courses

UiPath Forum

UiPath Community Forum

Trust and Security

Cookies Policy