Proper AD/LDAP Integration

So I have been using the UiPath Orchestrator product for 1.5 years and I have been asking for this enhancement from day one. I have also met with the product owners a couple of times regarding this and I can’t seem to get a straight answer on when a feature like this would be put into the product. I am looking for something straight forward that most other Enterprise Applications have.

Request is simple.

Ability to create new roles in Orchestrator and have them managed by Active Directory groups. This would be not only ensuring that users are added to Orchestrator and assigned to the appropriate roles but also remove access when the user has been removed from the Active Directory Group. Ensure that every time that a user logs in it verifies that they are supposed to have access.

This would also need to support multi-tenancy and not just the Default tenant.

I do not like nor want to manually create and remove users from the system. Currently, sure, it is great they can log in using their AD username and password; however, this all has to be manually added when you have multiple roles available in Orchestrator. What is worse is that if someone moves from one department in the company to another or is no longer with the company you need to again log in and manually remove the user from the system.

If there was proper Active Directory integration and you defined the roles and groups properly there would be no work to do on the system, as it would all be handled through a centralized service like AD.

Seems like a useful concept. Would definitely help reduce (automate :wink: ) the headache of adding or deleting users in big enterprises.


It definitely would automate all this headache of user management and work like most other Enterprise products I have used. Too bad explaining this to them is a huge headache. We keep trying though.


Absolutely needed. The current model of importing an AD group is point in time, and without that registering with the UiPath admin, could be very risky. Similar RPA products do provide the groups based management.

I agree and you got my vote. However, at the same time, I’m always concerned that roles managed by the AD give too much power to IT and adds other headaches of needing to go through them for any type of role changes. I suppose if it was versatile where Admins in Orchestrator could manage what groups get included in the Role etc, it would work best… although, I’m sure I will lose my admin powers at some point anyway, :persevere::laughing:


It is done currently via a powershell script (please revert to support) but it is planned to be done out of the box with auto-creation of users in 19.10.


I have also voted for the idea.
And I agree with @ClaytonM that it gives too much power to the IT and creates process blockages.

Hi @badita, I would like to know more on this topic. Currently going through the PowerShell script available at the URL: orchestrator-powershell/Sync-UiPathADUsers.ps1 at master · UiPath/orchestrator-powershell · GitHub
As you said - “It is done currently via a powershell script but it is planned to be done out of the box with auto-creation of users in 19.10”, we got in touch with UiPath support on this script but they said - “script is not part of UiPath core components and is also a version dependent hence it is not in support scope at the current portal”. Can you provide your comments on this?

Hi, can we create an LDAP connection and make an object of the AD server to use its properties? I am using “UiPath.ActiveDirectoryDomainServices.Activities.ActiveDirectoryScope” but not getting any AD object to work on it.

Please suggest, how can I create AD server object.

Hi @mmacdon

Check the new feature below :slight_smile:

I marked the idea as Closed :slight_smile:


Hello,

@loginerror, @badita

We have Orchestrator version 2019.10.17, but it is still not functioning as expected. The concept is simple and plain: if a user is removed from the AD group, the user should not have access to Orchestrator, or at least to the respective folder.
Keeping in mind the Known issues section in the Orchestrator documentation:

Auto-provisioned users do not inherit alert subscription settings from the parent group, nor do they receive any alerts. In order to have access to alerts you are required to explicitly grant the corresponding permissions to the user.

…in order to allow SMEs to receive alerts about application exceptions or failed jobs, the user needs to be added directly to the Folder with the respective roles (explicit access rights), if I understood it correctly.
And here we come: if a user is removed from the AD group, the user still has access to the folder due to the explicit access rights.

Is there a plan to cover this gap?
Thank you in advance.
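As an added illustration, not code from this thread or from UiPath's Sync-UiPathADUsers.ps1, here is a Python model of the group-driven reconciliation the original request describes, together with the gap raised in the post above: group-derived rights are revoked when the AD membership goes away, while explicitly granted folder rights survive and can only be reported for review. Group names, folder names and the "group"/"explicit" source tag are constructed assumptions, not UiPath's data model.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names): AD group membership as the
# identity source, and which AD group governs each (folder, role) pair.
AD_GROUPS = {
    "RPA-Finance-Admins": {"alice", "bob"},
    "RPA-Finance-Users": {"carol", "dave"},
}
GROUP_ROLE_MAP = {
    ("Finance", "Administrator"): "RPA-Finance-Admins",
    ("Finance", "Automation User"): "RPA-Finance-Users",
}
# Current Orchestrator state: user -> set of (folder, role, source), where
# source is "group" (auto-provisioned from AD) or "explicit" (granted by hand).
CURRENT = {
    "alice": {("Finance", "Administrator", "group")},
    "bob": {("Finance", "Administrator", "group")},
    "carol": {("Finance", "Automation User", "group")},
    "erin": {("Finance", "Automation User", "group"),
             ("Finance", "Automation User", "explicit")},  # removed from AD group
    "frank": {("Finance", "Automation User", "group")},    # left the company
}

def desired_from_ad(ad_groups, group_role_map):
    """(user, folder, role) triples that AD group membership says should exist."""
    return {(u, f, r) for (f, r), g in group_role_map.items() for u in ad_groups.get(g, ())}

def reconcile(current, ad_groups, group_role_map):
    """Compare Orchestrator state with AD and return (grants, revokes, orphans).
    grants:  group-governed assignments missing in Orchestrator (auto-provision).
    revokes: group-derived assignments whose user left the governing AD group.
    orphans: explicit assignments held by users that no AD group still places in
             that folder; group sync does not revoke these, so they need review."""
    desired = desired_from_ad(ad_groups, group_role_map)
    folder_members = defaultdict(set)
    for u, f, _ in desired:
        folder_members[f].add(u)
    held = {(u, f, r) for u, a in current.items() for f, r, _ in a}
    grants = sorted(desired - held)
    revokes = sorted((u, f, r) for u, a in current.items() for f, r, s in a
                     if s == "group" and (u, f, r) not in desired)
    orphans = sorted((u, f, r) for u, a in current.items() for f, r, s in a
                     if s == "explicit" and u not in folder_members[f])
    return grants, revokes, orphans

def access_at_login(user, current, ad_groups, group_role_map):
    """(folder, role) pairs usable right now: group-derived rights only while AD
    still grants them, explicit rights regardless (the gap discussed above)."""
    desired = desired_from_ad(ad_groups, group_role_map)
    return sorted({(f, r) for f, r, s in current.get(user, ())
                   if s == "explicit" or (user, f, r) in desired})
```

Running the login check for each user in the sample shows frank losing all access once his AD membership is gone, while erin keeps the folder through her explicit grant until the orphan report is acted on.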

@Ovidiu_Constantin

Is it possible to add users from ‘Active Directory’ to ‘UiPath Orchestrator users’ without logging in to UiPath Orchestrator?

Maybe not a direct answer, but I hope this link to the documentation section about AD user management helps here:

It is possible to set a user with disabled access to the Orchestrator web interface (just to connect them to Robot).

Thanks a lot for your reply.

My requirement is: I need to enable/create a user in Orchestrator to approve the form/task based on the provided approver details, checking the AD status.