How does fine-grained access work for external applications

How does fine-grained access work?

External Application Access Restriction:

Previously, in Automation Cloud, external applications had default access at the organization and tenant levels. However, with our new enhancement, you can now implement fine-grained access controls. As an administrator, you can set precise permissions for external applications by assigning them to specific folders or tenants in Orchestrator. External applications receive the necessary permissions to perform specific actions within a folder or tenant through designated roles.

Scenario: Restricting Access to a Folder

Consider an external application with the scope OR.Queues, which allows it to view and create queues and queue items. If this application is assigned at the tenant level, it will have these permissions across all folders within that tenant by default.

However, with fine-grained access controls, if the external application is given no scopes at the application level and is assigned to particular folders with specific roles or permissions, it will only be able to perform actions allowed by those permissions. This setup means that the application will only execute permitted activities when interacting with those folders via API calls.

Example: Adding a Queue Item with Fine-Grained Access

When an external application with no predefined scopes is assigned to a folder with fine-grained access, it will combine permissions from both the organization and the folder levels. This combined set of permissions will dictate what actions the application can perform, such as adding a queue item, based on the specific roles and permissions granted at the folder level.

When we assign the external application to a specific folder with the Robot role, it can only perform the activities permitted by the Robot role.

Note: Since we are not providing any scopes for the above external application, the OR.Default scope, which is a null scope, can be used as the scope input when requesting the API token.

If you use a specific external application with the Robot role assigned to add queue items in a designated folder, it will be able to successfully create transactions because the Robot role permits this action.

Outcome to Note:

If you assign the same external application at the tenant level, it will encounter an "authentication error" when attempting to add queue items. This happens because the external application lacks scopes at the organization level, and the Robot role at the tenant level does not include permissions for creating transaction items.
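The token request and the folder-scoped AddQueueItem call from the scenario above, written out as an added example that is not part of the original post. The endpoint paths, the itemData body shape and the X-UIPATH-OrganizationUnitId header are assumed from the public Orchestrator API; all ids, names and secrets are constructed placeholders.

```python
# Added example (not from the original post). Builds the two HTTP requests a
# fine-grained external application makes, using only the standard library.
# Endpoint paths, header names and body shape are assumptions based on the
# public Orchestrator API; org/tenant/folder/secret values are constructed.
import json
from urllib import request, parse, error

CLOUD = "https://cloud.uipath.com"  # assumed Automation Cloud base URL


def token_request(client_id, client_secret, scope="OR.Default"):
    """Client-credentials token request. With fine-grained access the app has
    no application-level scopes, so the null scope OR.Default is sent."""
    body = parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return request.Request(f"{CLOUD}/identity_/connect/token", data=body,
                           headers={"Content-Type": "application/x-www-form-urlencoded"})


def add_queue_item_request(org, tenant, folder_id, token, queue_name, content):
    """AddQueueItem call scoped to one folder via X-UIPATH-OrganizationUnitId.
    The Robot role assigned to the app in that folder is what authorizes it."""
    url = f"{CLOUD}/{org}/{tenant}/orchestrator_/odata/Queues/UiPathODataSvc.AddQueueItem"
    payload = {"itemData": {"Name": queue_name, "Priority": "Normal",
                            "SpecificContent": content}}
    return request.Request(url, data=json.dumps(payload).encode(), method="POST",
                           headers={"Authorization": f"Bearer {token}",
                                    "Content-Type": "application/json",
                                    "X-UIPATH-OrganizationUnitId": str(folder_id)})


def explain_status(status):
    """Map the HTTP status of AddQueueItem onto the two outcomes described above."""
    if status in (200, 201):
        return "created: folder-level Robot role permits queue transactions"
    if status in (401, 403):
        return ("denied: no application-level scopes and the assignment does not "
                "grant queue permissions (the tenant-level assignment case)")
    return f"unexpected status {status}"


def send(req):
    """Execute a request and return (status, body) without raising on 4xx."""
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()
```

To run it against a real tenant, call `send(token_request(...))`, extract `access_token` from the JSON body, then `send(add_queue_item_request(...))` and pass the status to `explain_status`.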

Reference: https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/configuring-access-for-external-apps.