Hi everyone, can someone help me by summarizing the terms used on Orchestrator roles, and with that maybe we can start a discussion about them?
I read all the documentation about ACL on Orch, but I found it extremely cumbersome for something that should be more simple and direct.
Look at that (I never changed any roles, or created new ones):
Why so many roles? What does Folder, Tenant and Mixed change between them? And if we have those “Allow to be…” roles, why have the same one as “Folder” type?
Every time someone asks me about how this works, I don't know how to answer, and it looks to me that the default roles are always changing, something new is going to appear next month.
You need to understand the permission set under them rather than the name of it… as depending on the permission set, the type (tenant, folder, mixed) would change… a few roles are given only at individual folder level… a few at tenant level… and a few are combinations.
For example, if you see roles in personal workspace admin… basically it is given to make people admin for their own personal workspace… similarly others.
In UiPath Orchestrator, roles are essential for defining the permissions and access control for users. The roles are categorized based on the scope they cover and the permissions they grant. Here’s a detailed breakdown of the different roles and their types, along with an explanation of the distinctions between Folder, Tenant, and Mixed roles, and the rationale behind the “Allow to be…” roles.
Types of Roles
Folder Roles: These roles apply to specific folders within the Orchestrator. They are more granular and allow for precise control over what users can do within particular folders. Examples include:
Automation Developer (Folder)
Automation Publisher (Folder)
Automation User (Folder)
Folder Administrator (Folder)
Tenant Roles: These roles apply to the entire tenant. A tenant in UiPath Orchestrator is an isolated and secure environment within the Orchestrator where users, robots, and other resources are managed. Examples include:
Allow to be Automation Developer (Tenant)
Allow to be Automation Publisher (Tenant)
Allow to be Automation User (Tenant)
Allow to be Folder Administrator (Tenant)
MonitoringMachines (Tenant)
Orchestrator Administrator (Tenant)
Solutions Administrator (Tenant)
Solutions Contributor (Tenant)
Mixed Roles: These roles can apply to both folders and tenants, providing a broader scope of permissions. Examples include:
Administrator (Mixed)
Robot (Mixed)
Explanation of Folder, Tenant, and Mixed Roles
Folder Roles: These are designed to give users specific permissions within a particular folder. This is useful for organizations that want to segment their automation projects and manage permissions at a more granular level. For instance, a user with the “Automation Developer (Folder)” role can only develop automations within the assigned folder.
Tenant Roles: These roles provide permissions across the entire tenant. This is suitable for users who need broader access and permissions that are not confined to a specific folder. For example, the “Orchestrator Administrator (Tenant)” role allows a user to manage the entire tenant, including all folders within it.
Mixed Roles: These roles have permissions that apply both at the folder level and tenant level. This allows for flexibility in managing access control, especially for users who need comprehensive access across different scopes.
Purpose of “Allow to be…” Roles
The “Allow to be…” roles are unique in that they enable certain permissions but do not grant full access until assigned at the folder level. These roles act as permission placeholders or prerequisites. For example:
“Allow to be Automation Developer (Tenant)” allows a user to potentially become an automation developer within the tenant. However, the actual permission to develop automation is granted only when the role is assigned at the folder level.
This dual-layer approach is useful for managing permissions hierarchically:
At the tenant level, you can control who is eligible for certain roles.
At the folder level, you can fine-tune and activate those roles for specific folders, ensuring that users only get the necessary permissions where they need them.
Detailed Roles Overview
Tenant Roles:
Allow to be Automation Developer: Grants potential permissions to develop automations across the tenant.
Allow to be Automation Publisher: Grants potential permissions to publish automations across the tenant.
Allow to be Automation User: Grants potential permissions to use automations across the tenant.
Allow to be Folder Administrator: Grants potential permissions to administer folders across the tenant.
MonitoringMachines: Manages and monitors machines within the tenant.
Orchestrator Administrator: Comprehensive administrative permissions across the entire tenant.
Solutions Administrator: Manages solutions across the tenant.
Solutions Contributor: Contributes to solutions across the tenant.
Folder Roles:
Automation Developer: Develops automations within a specific folder.
Automation Publisher: Publishes automations within a specific folder.
Automation User: Uses automations within a specific folder.
Folder Administrator: Administers a specific folder.
Personal Workspace Administrator: Manages personal workspaces within a folder.
ViewOnly: Provides read-only access within a folder.
Mixed Roles:
Administrator: Full administrative permissions at both the folder and tenant levels.
Robot: Can execute processes at both the folder and tenant levels.
This structure ensures a clear separation of duties and allows for flexible and secure management of users and their permissions within UiPath Orchestrator.
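
Added example, not part of any post in this thread and not UiPath code: a small audit that follows the last reply's description of tenant-level eligibility paired with folder-level assignment, and flags folder roles without the matching "Allow to be…" tenant role, eligibility that is never used in any folder, and the broad administrator roles. The tuple layout, the pairing table (derived from the role names listed above) and the finding labels are assumptions; the sample assignments are constructed.

```python
# Constructed sample data: this is NOT a real Orchestrator export format.
# Pairing of folder role -> tenant role is assumed from the names in the thread.
TENANT_PREREQ = {
    "Automation Developer": "Allow to be Automation Developer",
    "Automation Publisher": "Allow to be Automation Publisher",
    "Automation User": "Allow to be Automation User",
    "Folder Administrator": "Allow to be Folder Administrator",
}
BROAD_ROLES = {"Administrator", "Orchestrator Administrator"}

ASSIGNMENTS = [  # (user, scope, folder or None, role)
    ("alice", "tenant", None, "Allow to be Automation Developer"),
    ("alice", "folder", "Finance", "Automation Developer"),
    ("bob", "folder", "Finance", "Automation Publisher"),
    ("carol", "tenant", None, "Allow to be Folder Administrator"),
    ("dave", "tenant", None, "Administrator"),
    ("dave", "folder", "HR", "Administrator"),
]

def audit(assignments):
    """Return (user, finding, detail) tuples for inconsistent or broad grants."""
    tenant, folder = {}, {}
    for user, scope, where, role in assignments:
        if scope == "tenant":
            tenant.setdefault(user, set()).add(role)
        else:
            folder.setdefault(user, set()).add((where, role))
    findings = []
    for user in sorted(set(tenant) | set(folder)):
        t_roles = tenant.get(user, set())
        f_roles = folder.get(user, set())
        f_names = {r for _, r in f_roles}
        # Folder role assigned, but the paired tenant role is absent.
        for where, role in sorted(f_roles):
            need = TENANT_PREREQ.get(role)
            if need and need not in t_roles:
                findings.append((user, "missing-tenant-role", f"{role} in {where} without '{need}'"))
        # Tenant eligibility granted, but never used in any folder.
        for f_role, need in sorted(TENANT_PREREQ.items()):
            if need in t_roles and f_role not in f_names:
                findings.append((user, "unused-eligibility", f"'{need}' with no {f_role} folder assignment"))
        # Roles the thread describes as full or comprehensive admin access.
        for role in sorted((t_roles | f_names) & BROAD_ROLES):
            findings.append((user, "broad-role", role))
    return findings

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(*finding, sep=" | ")
```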