Important updates in Orchestrator roles and permissions

News Product News
1

Hello, UiPath community!

We’ve been collecting your feedback around setting up roles and permissions in Orchestrator, and are pleased to announce a few upcoming improvements in the initial setup experience, as well as some important changes to the Automation User role.

When creating a new tenant, you will notice a better separation of group roles by default. The changes to the default seeding are as follows:

  • Updated group: Automation Users will no longer be able to access the Orchestrator UI and will continue to use Assistant to run automations as intended
  • New group: Citizen Developers will have access only to their Personal Workspace in the Orchestrator UI and will behave like an Automation User in other folders
  • New role: Automation Developers will have access to the standard interface in the Orchestrator UI and will be now assigned to Automation Developers group.

If you are an existing customer, you might notice another important change in the Automation User role. Since the primary purpose of an Automation User is to run a predefined set of automations, Automation Users will no longer have the permissions to publish automations. This is a governance best practice to ensure that personal user projects do not accidentally get published without first being reviewed. While we recommend you to make use of the new Automation Publisher role instead (see below), you can still keep the old role definition for Automation Users by downloading it from UiPath and uploading it into Orchestrator via the Role Import feature.

But if you want to fully benefit from the new separation of roles and permissions, you will have two more options for assigning roles:

  • For proficient users that can self-publish automations, you can assign the additional Automation Publisher role, which contains only Publishing-required permissions
  • For developers that do not need to access to potentially expensive resources (e.g. storage buckets), you can assign the new Automation Developer role

With the introduction of these new roles, we’re also looking at reducing the complexity of assigning user roles. Setting up roles for users needs to be done both at folder-level and tenant-level, so we’re implementing a one-step flow to auto-assign the corresponding tenant-level role when assigning a standard folder-level role based on the recommended level of access.

Auto-assigning tenant roles in Orchestrator based on suggested access level
Auto-assigning tenant roles in Orchestrator based on suggested access level1512×832 105 KB

The changes above are coming to Community users on August 21, and will be available to Enterprise customers one week later, on August 28.

We hope this update will allow you to both set up user roles faster and have more fine-grained control over permissions, and are looking forward to your feedback here on the forum, along with what you’d like to see next.

Thank you!

8 Likes
2

Hi, @sebastian.ungureanu

It’s great news.

About Automation Publisher Role, is there any equivalent External Application Scope or we do not expect any impact for it ? (We’ve implemented CI/CD in Azure DevOps).

3

Very helpful. Thanks for the update!

1 Like
4

No impact expected. Nor a specific scope available, but we’ll take it as a suggestion.

5

You mentioned that “Automation Users” will no longer be able to access the Orchestrator UI. Does this also impact their ability to access the Process Launcher, Action Center, or Test Manager?

1 Like
6

Ok, but to be honest why are you messing with these? Isn’t it organization responsibility to define access according to needs?
Again some update just to update something.

7

The changes to the “Automation Users” group, only affect Orchestrator UI access, as a simple and effective means of limiting business user access to admin capabilities. It does not affect members of the group access to other capabilities, like Process Launcher, Action Center, or Test Manager.

8

The Orchestrator default roles are a set of out of the box suggested roles created on the more common RBAC usage patterns.
Custom Roles continue to be available for organizations to define access according to more specific needs.

10

Thanks for the Orchestrator role updates! Looking forward to the improvements. Great work, UiPath team! :rocket:

11

I’m a community user, so I’ll check the changes on August 21st.

12

It’s the 21st and the Automation Publisher still hasn’t appeared in the community edition. I will check again tomorrow.

13

Earlier, a notification dialog was displayed in Orchestrator.I got it.

Capture
Capture820×908 87.4 KB

Capture2
Capture2939×889 59.5 KB

Capture3
Capture3791×854 59.6 KB

14

Hi, UiPath community!

As some of you have already noticed, we have started the rollout of these changes to our community instances this week - https://docs.uipath.com/orchestrator/automation-cloud/latest/release-notes/release-notes-august-2023#roles-and-permissions-changes and plan to follow for our enterprise customers in the coming week.

For the inquisitive minds among us, the set of updated or new role definitions is now available in: https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/default-roles#standard-roles-for-modern-folders

1 Like