Hi. Good question. Can you provide which version you are on, because I know that the newer version went through some good changes to permissions that could impact your outlook.
From my perspective (and I’m looking at v2018.2.3), the permissions are all straight forward. Each row is indicated by a section of the Orchestrator, like “Settings”, “Robots”, “Processes”, and so on, and each of those sections represent a button that is clicked to enter that section - so, if you want to restrict access to the “Audit” section there is a button that is used to enter that section, for example.
And, “View” “Edit” “Create” and “Delete” are straight foward as well. “Edit” means you can’t change a value, et cetera.
I think the best practice is somewhat subjective, but I do think you should keep it simple. I also do think you should have more than one administrator and one who understands the features good. Also, bare in mind that if the Role has “Users” “Edit” access, they would be able to change their Role. - atleast in older versions. You will want a Developer Role which will need Edit and Create/Delete permissions for most things to be honest. Then, you will need a Robot Role which is used for your robots, and they will also need Edit and Create/Delete access to many things (like Assets) so they can automate tasks in Orchestrator. If you will be having Managers or other Users use Orchestrator then you would need a Role so they can edit Assets or various other things.
Note: the new versions make User profiles more manageable from my understanding.
I would show a snippet of our Roles, but to be honest, I don’t think they are very good yet so don’t want to feed in bad information.
Regards.
Anil_G
ashokkarale
Ajay_Mishra
Gautham_Pattabiraman
BHUSHAN_NAGAONKAR1
vrdabberu
ABHIMANYU_THITE1
lrtetala
samantha_shah
shyamala_shyamu