Elastic governance ruled by orchestrator

I read doc: https://docs.uipath.com/studio/docs/governance

and there is an option to set governance for user via Orchestrator Asset. I created required folder and asset and it worked pretty well. When I changed asset, after restarting Studio, policy had changed too.

But… According to this page I can set this asset with value per user. So my goal was to create two governance and switch between them (by changing text value in asset) for specific user. When I turned off global value, and pasted the same governance for user in user/value section, no governance was loaded for Studio.

I know I can create governance and paste location to file in registry or even paste governance to local. But I would rather like to switch them in Orchestrator for specific users. Right now it is working global only. Is it my configuration or is it just not working in Studio/Orchestrator?

Studio: 2020.10.4
Orchestrator: 2020.10.4

Hi @Yameso

Please have a look at this one and let us know what you think :)

Hi,

This option requires users to log in to Assistant. We would like to use machine template key and URL service type connection. When robot is installed in service mode then changing that setting requires admin privileges. And that’s ok, because in that case user would not be able to log in to any other Orchestrator.

Our goal is to let user install UiPath by himself (access to installation would be given for specific users in company). Installation is based on .msi file. After installation, prepared bash script (or something like that) should connect robot to Orchestrator. Basically user should do just two clicks.

After that I want to give user governance for building robot or just using Assistant. I know I can just install Assistant for user who would use only robots, but in case he needs to develop a robot I would not be able to install Studio and after finishing development to uninstall Studio. That’s why I need governance which allows me to block users running projects from Studio without permission.

Licence Attended still allows user to open Studio and run project. It blocks editing the project but it’s not enough. User would be able to build a few projects and then run them in Studio without showing jobs on Orchestrator.

So I would still use governance as shown in my first post, but I still need to get easier solution to manage policy by user (like asset without global value)

Hi, @Yameso - Thanks for this question, I’ll try to clarify things. Please correct me if I missed something. The Governance capabilities in Automation Ops address the same product functionalities as the Governance file - i.e. Backstage settings, Package Sources, Workflow Analyzer Rules etc. So, if the Governance file helps you achieve something, Automation Ops will come with the same enforcement capabilities but will enhance deployment settings (i.e. who gets which policy, which is something you can’t achieve with Orchestrator’s asset)

Adding Automation Ops goes like this:

  • Installing Robot in service mode won’t interfere with the possibility to add governance via Automation Ops (only in Cloud at the moment), you can complete the installation and connect it to an Orchestrator
  • You enforce user authentication in Orchestrator
  • The users are forced to authenticate using interactive sign-in and when they do, they get governance from Automation Ops

Now, what I don’t really understand, is the use-case you’re pursuing, can you please clarify this? You don’t want users to run projects in Studio (as in production)? If yes, this is something we haven’t yet included in our current governance capabilities, but it is planned. Thanks!

Hi @Paul_Boulescu :)

When I installed program in service mode, then I cannot connect without administrator privileges:


That's why all our users would have the same machine template and URL, because it would be easy to connect only by running special script (which has those privileges). Therefore we prevent logging in to any other Orchestrator than ours.

We don't have Automation Ops - we use Orchestrator on premise.

We are able right now to switch between governance by using local file and Orchestrator. I tested it out and this is possible, but it is quite complicated and difficult to manage.

We can block running process in Studio by creating governance, which disallows it in specific way. But yes - it is just workaround.

Hi there,

I am having the same issue trying to provide different policies to different users in an OnPrem Orchestrator version 2020.10.7
The use-case in my case is that for some developers who are experimenting with new features and workflow analyzer settings I want to give them the option to for example edit some setting by setting “AllowEdit”: true for some values in the policies, but not enable this for all users globally.
So the Idea was to have a GlobalValue for all users and a Per-User value for some as described here https://docs.uipath.com/studio/docs/governance#using-an-orchestrator-asset

I created the uipath.studio.governancepolicy asset and tried a few combinations.

Only a per user value without global value

Then Studio shows no Policy

With a GlobalValue and a per-user value. Then Studio is pulling a policy but not the one specific to the user, but the global one.


And not the PerUser one where only the name is different. But I also tried with policies with settings.

I also tried the uipath.studio.governancesource workaround mentioned by @Yameso but could not get it to work.
Jakub, how did you manage to set a per-user file? In my case the per-user for that asset also has no effect.

KR,
Cornelius

Keep the global value enabled and then override the value for the specific user, that should work.

As a note however, the long term recommended way of doing this will be to use Automation Ops which is now GA for Cloud Customers. It will be available on-premise in a future update.

Hi @cornelius.nowald and @Yameso,

I am having exact issue as yours.

We are on on-prem version so Automation ops is not an option for us currently.

Hence, we have applied governance using exact method as shown in your screenshots above by using asset - uipath.studio.governancepolicy

Our requirement is to have global level policy but also want to have value per user with different settings in policy file. So to make this happen and verify, I changed policy name at both locations.

Kept Global-policy at global and user-policy at user level. But only global level policy is being picked if “Global value” radio button is enabled.
And if “Global value” radio button is disabled, no policy is being applied to studio.

Apparently, studio is not picking value per user to apply the policy.

Have you guys been able to find its resolution? Please suggest.

Regards
Sonali

Hi @AndrewHall, @loginerror and @Paul_Boulescu,

Us being on on-prem version, automation ops is not an option currently. Hence, we are applying policy at enterprise level using asset - uipath.studio.governancepolicy

However, it is only picking global value defined and never the one defined per user.

For policy to enable at an enterprise level, we would definitely require “value per user” to work as that way, we will be able to make changes in the policy file per teams.

Please suggest a solution to this.

Regards
Sonali

When I test it with my Studio and Orchestrator setup it is picking up the value per user rather than the global value. Unfortunately this is extremely hard to debug over the forum, so I would recommend you create a support ticket with UiPath and the UiPath support engineers can help debug why it isn’t working in your environment.


Thank you @AndrewHall for your response.

Did you have any additional role settings enabled to pick values per user?

The way we are doing currently is as below:

  1. have defined a new role called PolicyUser which has only “View assets” settings enabled and no other permissions.
  2. Add user in uipath.settings.config folder with this role “PolicyUser”. Please note that we are using modern folders.
  3. No machine templates are added in this folder.
  4. User added are being added as robot type “attended” automatically.
  5. Studio version 2020.10.6 , orchestrator version 2020.10.7

Are you also using all these role/user settings or is there any difference in those?

Please suggest.

PS: I will also raise a case on customer portal in the meanwhile.

Regards
Sonali

I was running 21.4 when I tried and everything worked as expected. I went back and tried with 20.10.6/7 and it appears that there is a bug in 20.10.6/7 with loading individual values that has been subsequently fixed.

Thanks for finding and report, I’ll file this internally, but a support ticket will also be helpful so please raise that as well to help for prioritization in a patch.


Thank you @AndrewHall and @sonaliaggarwal47.
Will open a ticket and also report if another possible workaround comes from this.

Hi all,

I got a reply and as of now the issue of providing the policy per user via asset can only be solved by updating to 21.4.

Hi @Yameso @cornelius.nowald @AndrewHall ,

We had raised a ticket on uipath portal for this issue and have been provided fix for same.

It works now in on-prem version 20.10.9 as well after integrating patch delivery received.

Regards
Sonali

The issue in 20.10 was fixed in the 20.10.8 patch that shipped in June

Hi @AndrewHall,

Unfortunately, it didn’t back then. We tested it and it didn't work (looks like it was done for cloud versions and not the on-prem ones).

Now a new patch 20.10.9 has come our way last week for which we did a round of testing (on its beta version as well) and it worked finally :)

Regards
Sonali


@AndrewHall

Sorry to bring that up once again. It’s not working properly with our current setup. We are going to raise a ticket to support but maybe you know the answer…

So I have two environments (two servers) for Orchestrator. Both are 22.10.2.

In the first one we connected 21.10.4 Studio. Users are connected to Orchestrator the old way - with machine key to one machine template. I created modern folder UiPath.settings.config with asset UiPath.studio.governancepolicy. And here global and per user settings are working fine.

In the second Orchestrator we have 22.10.5 Studio. Machines are connected via client secrets (each user has own machine template). I also created right folder and asset. Only Global Value is working. I was trying with directory and local user. I also created new role which contains only asset view permission - it didn’t help.

In both scenarios I didn’t assign any machines to UiPath.settings.config folder.

Is this Studio/Orchestrator issue?

Hi the reason you’re not seeing the “Generate Governance File” option when using the machine key to connect to your Orchestrator tenant is that this option is only available when connecting via user credentials. As for why you’re not able to upload the Classic policy, it’s possible that the policy file you’re trying to upload is not in the correct format. Make sure the file you’re uploading is a JSON file, and that it contains the correct information