Organizing Your UiPath Orchestrator for Better Management

UiPath Orchestrator is the heart of the entire UiPath automation suite. The UiPath Orchestrator is used to manage all the published automation solutions, the robots, task allocation, and the execution of created job schedules. The UiPath Orchestrator is available as a part of their cloud offering or as an on-premise solution. UiPath Orchestrator offers many capabilities for its users to manage better and scale the automation resources. Some of those features are:

  • provisioning new robots and maintaining existing robots
  • User access control
  • Deployment of automation processes with version control
  • Log management for better auditing and troubleshooting
  • Queue management for transactional data processing
  • Storage space for robots to easily access configuration data and the data being processed

Further, some features such as Multitenancy, Modern Folders, and Personal workspaces are used to organize better and manage the processes, user access, and working environments.

The use of the mentioned features/ components change over time to suit the business requirements. Hence, it is crucial to understand how the Orchestrator’s main components relate to each other.

Orchestrator Structure and its Components

Let’s take a look at the high-level architecture of the components in Orchestrator.

The figure above shows the hierarchy of how the components are organized in the latest version (2010.10) of UiPath Orchestrator. UiPath allows to create multiple Orchestrator tenants in its platform. Each Orchestrator tenant follows the same structure as shown in the figure above.

The multitenancy option enables the user to split the single environment into multiple deployment environments, each with its robots, processes, etc. However, each tenant shares the same Orchestrator database to store the data. This feature comes in very handy when the resources require isolation from the rest of the organization. Hence, if you plan to use a single environment for development, QA, and production, multitenancy is an excellent option to consider to isolate the production resources from development and QA. Further, this feature can also be used if the organization requires different isolation methods on their automation resources based on the requirements.

Orchestrator allows the configuration of Robots, Users , and Machines in the Tenant level. Each tenant is assigned a required number of licenses for the users who need to run automation solutions. Each user, robot, and machine has separate access to the Folders they work. Hence, Folders act as the 3rd layer in the hierarchy, as shown in the figure above. Folders provide access to the resources such as Assets, Queues, and Triggers to execute the Processes deployed within the Folder.

Now let’s take a look at how these components relate to each other. The following figure illustrates the relationship between each Orchestrator component.

Let’s first look at the tenant level components and how they are connected.

  • The users are related to the machine they work. If the user require to run an automation solution in their device, the user should allocate him/herself a machine (probably the same device they work on or a virtual machine)
  • Each robot is now assigned with a specific user irrespective of the robot type (unattended/ attended/ Studio/ Test). Hence, the robot creation and allocation take place dynamically when a new user is created.
  • A robot requires a machine to work. Hence, the robot is linked with the machine through UiPath Assistant during configuration.

Let’s now see how to configure these three options using the Modern Approach to get the user’s robot setup.

Configuring the three components, as described below, ensures better utilization of the robots and licenses. The below configuration uses the licenses only when the robot is connected with the machine. When the user logs off from the machine, the license is released so that another user can use it. However, Classic Approach does not provide this functionality. In Classic Folders, once the robot is created, the robot’s license and robot are fixed and cannot be released unless it is completely deleted from the Orchestrator. Hence, the use of the Modern approach is recommended.

You can perform the configuration in the below-mentioned order.

Step 1: Create the user with the required user roles. (Tenant > Users Page)

Shown above is the Users page. Navigate and click on the Create User option to create the user. The Robot access shows as Disabled or Enabled based on whether the user is configured to have a robot or not. The User Creation screen allows the user to configure the user based on the type of the robot required for the user through the Attended/ Unattended Robots, as shown in the screenshot below.

You can configure the Attended Robot or Unattended Robot options highlighted in the figure based on the requirement. If one of these two options is configured, the user’s Robot Status will display as Enabled after configuration. Further, ensure you provide the " Automation User" role under User Roles to allow the robot to access the required resources through your account.

Step 2: Create a Machine for the Robot and the User (Tenant > Machines Page)

I would recommend using Modern Folders (Described below) as they have better features to control user access and organize the resources used for automation. Hence, create a Machine Template which allows you to work with both Classic and Modern Folders.

Note: Standard machine can only be used in Classic Folders

Every machine is associated with a Machine Key. Copy the Machine Key of the created Machine through the Machines Page.

Step 3: Connect the local robot with the Orchestrator using the Machine Key. (UiPath Assistant)

Open the UiPath Assistant installed in the desired machine, and navigate to Preferences > Orchestrator settings and configure it to connect with the Orchestrator as shown in the figure below.

Once the robot is connected, it should show the status as " Connected, Licensed," as shown in the figure above in Green.

Step 4: Open the Robots Page in Orchestrator to check the connection status (Tenant > Robots)

Once you have followed the steps mentioned above, you should see the robot status on the Robots page as Available. The connected robot illustrates to which machine it is connected to along with the availability status.

Since you have configured your access for the robot, now it is time to organize your automation resources.

Organizing Automation Resources in Orchestrator

This section will look at how to organize the resources such as Assets, Processes, and Queues. Once you create your Orchestrator tenant, the tenant would contain automation solutions published for your organization’s multiple user groups or departments. Further, there could be additional groupings done by the organization based on their needs.

So, how would you organize your resources?

Having everything in one Folder doesn’t work. The reasons are:

  • Require better access control as people in different teams should not need to see what processes and data the other team processes.
  • Data Security
  • Need better organizing of the processes and assets to manage them efficiently.

Folders enable the user to limit access to the administration of its content (who can create and view resources within the folder) while sharing the automation across the necessary business units. The Folders houses the automation resources such as Orchestrator Assets, Queues, Triggers, Packages, and processes .

Folders are of two types:

  • Classic -
    • Traditional function where they contain robots and environments.
    • Classic folders cannot create and maintain subfolders.
    • Robots created in classic folders can only work within the folder.
  • Modern -
    • Provides support for almost all the modern features and facilities that UiPath offers.
    • Allows the dynamic allocation of robots and user roles.
    • Modern folders also support a hierarchical structure where you can have up to six subfolders under each first-level folder.
    • Combined with Active Directory integration, and enables large scale automation initiatives
    • Each folder has its own Package feed to store packages related to the context of the folder.

Considering the above, it is clearly seen that Modern Folders’ use enables the users to organize better and better control user access. Hence, it is recommended to consider using folders to organize the resources.

Organizations should come up with a hierarchical structure on how to organize the content. Based on the structure, create the folders and provide access to users and robots. For example, the first level Folders can be created based on the Business Unit/ Department, such as Finance, HR, Legal, etc. Within these folders, you can create subfolders for different user groups to organize their processes and resources related to them.

Such a categorization level helps better organize the Processes, Assets, Queues, and Triggers used by each group. It also helps to ensure only required people have access to their content.

How to configure Folders to achieve this?

Folders Page allows the user to manage all the Folder related configurations within the Orchestrator tenant. Folder management includes:

  • Folder creation/ deletion
  • Subfolder creation/ deletion
  • Assign users/ user groups and manage user roles on the folder level
  • Assign machines that require access to the folders

Let’s now take a look at how to configure the folders.

Step 1: Create Modern Folders (Tenant > Folders Page)

Create the Modern folders based on the required categorization. The Folder page allows the creation of Folders and subfolders along with a few additional features.

As shown in the figure, Folder creation enables the user to select whether the folder requires a separate feed for the packages. Enabling this feature allows the users to upload/ publish automation solutions to the folder rather than add Packages to the general feed. All folders share the General Package Feed. As the feed list grow, it becomes difficult to search and manage the list of packages. The use of individual Folder Feeds provides better management and user control compared with the General Feed.

Note: Use this step to create any subfolders if required.

Step 2: Grant user access to Folders (Tenant > Folder Management > Users Page)

The newly created Folders require user access granted for the users to access the resources in the folder. Configure user access and user roles for each folder through the Folder Management Page.

Note: If the user account links with a robot, ensure to include the “Automation User” role for the Folder to provide access for the robot to access and execute Processes placed in the folder.

Step 3: Grant Machine permissions to Folders (Tenant > Folder Management > Machine Templates Page)

Clicking on the highlighted button takes you to the Machine configuration page in Folders. The page lists all the available machines created through the Tenant > Machines option. Select the Machines you want to link with the Folder and Update the Folder settings.

Note: You also can create Machines through the Tenant > Folders > Machine Template option

The figure below illustrates how the Machine configuration page looks.

Once you perform the configurations mentioned above, you are ready to publish your Processes and create the other resources as required.

Now, by selecting each Modern Folder from the Folders panel, you could see additional options showing up on the top ribbon to configure Assets, Queues, Packages, and Processes for each folder separately.

The following figure shows the feature you have to manage the content within the folder.

Let’s briefly understand what each option does.

  1. Monitoring - provides a folder specific overview of the following with a graphical representation.

    • Status of all machines
    • Process run outcomes
    • Information on related Queues
    • SLA levels of transactions processed
  2. Queues - Lists all the Queues created in the Folder. The page also provides access to perform all Queue configurations.

  3. Assets - Provides access to Manage all the Assets in the Folder.

  4. Storage Buckets - Grants the user permission to create folder specific storage buckets to store the processed data to be used by automation processes.

  5. Processes - Lists all the automation processes published to the folder.

  6. Triggers - Provides the ability to manage Triggers for the processes available in the Folder.

  7. Folder Packages - Lists all the Packages published to the Folder through UiPath Studio.

  8. Logs - Includes the records of all Process executions of the Processes in the Folder.

It is not clear how organized your content can be when you use the Folders effectively. The proper configuration enables the user to manage and monitor the automation solutions related to a specific category separate from others.

Apart from the above categorizations, we can also provide more secure and isolated working environments for the developers and testers to publish and perform test runs on their solutions before moving into QA or Production. Enabling Personal Workspaces creates a personal working environment for each user, reducing the risk of unintentional changes to existing processes in the Orchestrator. The personal workspace is a special folder that is only available for each user to perform his activities. Once the feature is enabled, every user is granted with a personal folder automatically.

You can enable this feature through the option shown in the screenshot below.

Conclusion

The UiPath Orchestrator is an essential component of the automation platform. Hence, it is critical to effectively manage, monitor, and control the resources we have in the Orchestrator. The steps discussed in the article provides insight into how good we can organize the Processes, Assets, Queues, and other resources in Orchestrator for better management and control.

Thank you very much for your time, and I hope you found this article interesting with something new to learn. Please feel free to comment, share your thoughts, and share the topics you would like me to cover in future articles/videos.

45 Likes

Hi @Lahiru.Fernando …

Very nice article. you have explained and elaborated very well…

Regards
Balamurugan.S

3 Likes

@Lahiru.Fernando Profitable article :100:

Best Regards,
Vrushali

2 Likes

Appreciate the Detailed Documentation … :v: :v:

3 Likes

Great Work @Lahiru.Fernando :pray: :clap: :clap: :clap:

1 Like

Great Article my friend!

You rock!

Diego

1 Like

Wondering why there are 2 robot rows that appear to be identical after following those steps… and why they both say “unattended”, but only 1 of these rows says “available”. Did you only choose the “unattended” option in the User dialog above? It wasn’t clear.

Why would 2 robot rows appear if you only added 1 user and 1 machine?

Seemed to me that the Environment feature (while not intuitively named) was reasonably effective for having connected robot users from team A (Env A) not see the processes used by connected robot users from team B (Env B).

I have long used the Environment feature to successfully isolate processes for:

  • Unattended processes (no attended users should see/trigger these)

  • New Business (only New Business users should see/trigger these)

  • Client Services (only Client Services users should see/trigger these)

  • Finance

  • Etc…

So far to me, Modern Folders have added a lot of complexity that most mere mortals will have a hard time comprehending. I get that it’s nice to have organizational tiers… but there are many complexities & nuances to modern folders that I haven’t seen explained well yet, anywhere. Even I’m still trying to wrap my head around it.

4 Likes

Hi Bryan,

I totally agree with you. more I learn about modern folder make me more confuse and Idon’t want to take a risk.
I comfier to use classic folder

Hi,

I have few questions about modern approach:

I assume that users assigned to modern folders dont need to have there machines, if all of them are using attended robots? I guessing that I need to add machine only if I want to run a process placed in that folder only for unattended robots…

Is there any option to block publishing processes in personal workspaces? I mean that user is able to publish package to personal workspace, but process could be created only by person with privilige?

Hi,

@Yameso regarding attended robot I had no issue running an attended bot that could access assets, queues, … of a (sub-)folder without assign the machine template to that folder. Basically like Studio. So as long as you do not need to start the process from Orchestrator not need to assign a template.

I could not find a way to block publishing processes in a personal workspace, also since the role associated with that folder can not be edited.
Also even as admin I am not able to directly see users users personal workspaces.
A workaround would be the create “normal” folders for each user where you can manage the permissions, but that of course takes away the advantage of the easy setup.

I got a question regarding subfolders foe every one.
When removing the subfolder permission from a role, what effect does this have?
My understanding would be that if I assign the user to for example a 1st level folder, that user should we abele to the resources from there (like logs, queues) but not automictically from subfolders
I tested with the following roles


And this folder hierarchy

image

When I assign the user only to a "leaf-"subfolder like 1.1.1 the result is as expected and the user only has access to those resources.

But once I assign that user to example folder 2, that user can also gets the same permissions **
NoSubFolders_Folderadmin** in all subfolders, and has access to all their resources.
image

The reason why i wanted to restrict subfolder access is to have some shared assets for an organizational subunit on the 1st level folder (like the API-Target and credentials to a monitoring tools the robot have to report to) but not enable users to see information about other subunits processes and their data.

Does someone have an idea how to approach this?

2 Likes

great documentation on orchestrator! what is a first level folder? how many can we create?

@cornelius.nowald

have you got any udate on this?

I also have the same requirement.

we have assets in parent folder and processes in subfolders.

If i want to access parent folder from subfolder, I should add user to parent. Since, I added resource to parent, resource has access to all subfolders.

@Lahiru.Fernando it would be great if we can update on this.

This is great article as I begin understanding the set up of Orchestrator. Can you clarify if the “Monitoring” tab shares details on hours saved ? Where would I go to see the hours saved from each process/ bot in production?

Great article and discussions!

I’m looking for advice on real-life implementations.
off-topic maybe?

But If someone could share what pitfalls you have been facing - let us know!

Security perspective?
Dev perspective? (partly covered above by @cornelius.nowald )
Support&Maint (max Depth? too noisy structures)
Licen$e cost tied to a Sub Level (well also covered, a template can sit anywhere in the folder structure. But is it practical?)

And a final, almost religious, question:
Should we add Country at top?
No - it doesn’t match the true Org structure
Yes - it makes sense from a Support&Maint as we can quicly navigate the first level

thoughts?