Neither Orchestrator nor Windows Credential Manager are a secure way to store and retrieve credentials since anyone could simply retrieve the password as a SecureString and then type it’s value into a text editor as plain text.
I’m wondering if there is a best practice guide or an alternative, more secure way to work with passwords in a UiPath Robot?
I agree in the case if the roles and policies are not assigned to the assets or credentials stored in the orchestrator. If you use roles, then you can secure them. When coming to windows, when you store the credentials for your particular user, then the other user won’t access them right?
I don’t understand what you mean by insecure here. Even if you use any other way, you need to get it as a secure string and type it to the field. @pduffy
Anyone who can fetch a credential from the queue can read the password as a secure string and then use “Type Secure String” activity with the output selector set to a text editor such as notepad. The attached main.xaml file does this for an orchestrator credential called “MyTestCredential”
I may be missing something obvious here, which is why I’m looking for guidance.
Main.xaml (7.4 KB)
to be honest if you want to provide the developer robot a way to type some password, somewhere, you always will have to give him the opportunity to see the actual password…
It’s true what you’re saying, the developer could just do that. Nevertheless, best practices indicate that developers shouldn’t have access to production Orchestrator, and processes must be tested and reviewed to prevent them to getting access to production credentials
Anyone who can access the asset in orchestrator could get the password.
Thank you @nerlichman. I’m thinking how this can be best accomplished for both attended and unattended bots. I may need to spend a bit more time understanding orchestrator permissions (and I’m on community edition for now) but I’m not sure it’s suitable for environments where a high level of security is required… need to do some more testing. Thanks!
@pduffy have you tried looking through the best practices page? it’s maybe not the most visible page in the docs, but it is there.
Here’s a link to it.
The key is to use Windows access rights and Orchestrator access rights correctly in your development or deployment scenarios. Hope this helps.
Apologies, just realised I replied 3 years too late