Limiting the resources an external app can access

Hi all,

I am trying to limit the tenant (Dev/Prod) that a set of external credentials can access. I created a folder role, assigned it to the external app and then assigned the external app to one folder, but the external app's tokens can still run jobs in another folder. Would you be so kind to offer us advice on how to limit the folders an external app's credentials can access?

Regards,
Juan


Update as per the guidance below. I removed all the scopes from the external app I am using, created two permissive roles, one at the tenant level and one at the folder level, and tested their access.

Without the scopes in the external app definition, the credentials cannot generate a token.

On the other hand, I was able to generate a token using only these scopes: OR.Execution OR.Jobs OR.Jobs.Read OR.Jobs.Write OR.Robots OR.Robots.Read. But just these are enough for a token created with these credentials to run processes in all the folders in the tenant.

@Giraldo_Juan_P

Can you please show the setup? Also, what are you trying to achieve in the app?

cheers

These are the scopes of the app:

OR.Execution OR.Execution.Read OR.Execution.Write OR.Jobs OR.Jobs.Read OR.Jobs.Write OR.Machines OR.Machines.Read OR.Machines.Write OR.Queues OR.Queues.Read OR.Robots OR.Robots.Read

It is a confidential app and all the scopes are application scopes.

We want the credentials to only have access to one folder. From my reading of the documentation, by default an external app has global access; in order to narrow its access to a folder you have to assign a role to the credentials and assign the external app to a folder.

This is the external app's permission setup in the folder:
[Image: folder permissions screen with tabs "testing", "External app" and "testing folder access"]

and these are the permissions in the role "testing folder access":

However, the credentials can still run jobs from processes in other folders.

Hi @Giraldo_Juan_P

To be able to restrict access at the tenant/folder level, you need to ensure you do not define those scopes at the org/tenant level under the external app registration. Instead, you just need to create the external application with no scopes, or the minimum possible scope, and define the rest of the scopes at the folder level.

Currently, it's working for all folders in your case because you have defined that scope at the org level, so it's applicable to all tenants and folders within it. Follow the first article below to gain a better understanding of how this works.

Please refer to the docs below; they should help you.

Regards
Sonali

Thank you @sonaliaggarwal47 for the guidance.

I read through and tried to emulate it. However, when I remove all the scopes from the external app definition, the credentials lose their ability to create a token, and no matter how permissive we are at the tenant or folder level, the ability to create tokens does not seem to come back.

Hi @Giraldo_Juan_P

What scope are you providing in the get-access-token request after implementing fine-grained access?

It looks like for such scenarios you only need to provide Or.Default under scopes to retrieve the access token.

Regards
Sonali

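The two replies above describe the mechanism (scopes granted at the external-app registration apply tenant-wide; request only OR.Default and let folder role assignments decide what the token may do). The script below is an added example written for this thread, not code from the thread or from UiPath: it builds the client-credentials token request with the minimal scope, decodes a token to check whether it still carries org-level scopes (the condition under which folder assignment is not the effective boundary), and builds a StartJobs call pinned to one folder. The token endpoint URL, the X-UIPATH-OrganizationUnitId header, the StartJobs OData path and all client IDs, secrets, folder IDs and release keys are assumptions and placeholders; the sample tokens are constructed and unsigned, and nothing is sent over the network.

```python
"""Added example, not from the thread or from UiPath: request an external-app
token with the minimal scope and check what the token actually carries before
using it against one folder.

Assumptions (not stated in the thread): the Automation Cloud token endpoint
below, the X-UIPATH-OrganizationUnitId folder header, the StartJobs OData path,
and every client_id / secret / folder id / release key, which are placeholders.
"""
import base64
import json
import urllib.parse

TOKEN_URL = "https://cloud.uipath.com/identity_/connect/token"  # assumed endpoint

# Scope that yields a token carrying no org-level API scopes, so that what the
# token can do is decided by the roles assigned to the app in each folder.
MINIMAL_SCOPE = "OR.Default"


def build_token_request(client_id: str, client_secret: str, scope: str = MINIMAL_SCOPE):
    """Return (url, form body) for a client_credentials grant with the given scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return TOKEN_URL, body


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Inspection only;
    never use this to decide whether to trust a token you received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(claims: dict) -> set:
    """The scope claim may be a space-separated string or a JSON array."""
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def org_level_scopes(claims: dict) -> set:
    """Scopes in the token other than OR.Default. Per the thread, these come
    from the external-app (org) registration and apply to every folder in the
    tenant, so a non-empty result means folder assignment is not the boundary."""
    return token_scopes(claims) - {MINIMAL_SCOPE}


def start_job_request(orchestrator_url: str, token: str, folder_id: int, release_key: str):
    """Build a StartJobs call pinned to one folder via the folder header.
    Returns (url, headers, json body) instead of sending, so it runs offline."""
    url = orchestrator_url.rstrip("/") + "/odata/Jobs/UiPath.Server.Configuration.OData.StartJobs"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "X-UIPATH-OrganizationUnitId": str(folder_id),  # assumed header name
    }
    body = json.dumps({"startInfo": {"ReleaseKey": release_key,
                                     "Strategy": "ModernJobsCount",
                                     "JobsCount": 1}})
    return url, headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    url, body = build_token_request("app-client-id", "app-client-secret")
    print("POST", url, body)

    # Token shaped like the thread's second attempt: these scopes came from the
    # app registration, so the token can run jobs in every folder of the tenant.
    wide = make_sample_jwt({"scope": ["OR.Execution", "OR.Jobs", "OR.Jobs.Write",
                                      "OR.Robots", "OR.Robots.Read"]})
    # Token requested with OR.Default only: folder roles decide what it can do.
    narrow = make_sample_jwt({"scope": "OR.Default"})

    for name, tok in (("app-level scopes", wide), ("OR.Default only", narrow)):
        print(f"{name}: tenant-wide scopes = {sorted(org_level_scopes(decode_jwt_claims(tok)))}")

    _, headers, _ = start_job_request("https://cloud.uipath.com/org/tenant/orchestrator_",
                                      narrow, 12345, "release-key-placeholder")
    print("folder header:", headers["X-UIPATH-OrganizationUnitId"])
```

A practical check when debugging a setup like the one in this thread: decode the token you actually obtained and confirm org_level_scopes() is empty; if it lists OR.Jobs, OR.Execution or similar, those scopes are still set on the app registration and the folder assignment will not restrict it.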
