I have observed that while creating a UiPath Automation Ops pipeline we can select the Git branch & destination Orchestrator. A risk lies here in selecting the wrong origin or destination branch, for example, publishing Git development code/workflow to the production tenant.
What are some preventative settings in Orchestrator for this, if any?
Hi @Rohit_Nair
As per my knowledge, Orchestrator does not have direct built-in restrictions to block publishing based on Git branches, but you can apply preventive measures like setting role-based access control to restrict who can publish to Production, using separate folders or tenants for Dev and Prod with limited permissions, integrating governance through Automation Ops policies, and enforcing code review and CI/CD pipelines with environment validation before publishing.
If you found this helpful, please mark it as a solution. Thanks
Happy Automation with UiPath
Hi @Rohit_Nair,
You can choose to have a restricted access structure to enable the same.
Like at our end:
- Developers don’t have access to upload/push packages on Orchestrator.
- Only our primary process owner (business owner) is allowed to promote a package on prod Orchestrator after UAT sign-off.
So, in this case, even if a certain package is pushed to a Git branch, it will never make its way to prod Orchestrator, as the person responsible for pushing code into Git will always be a developer, whereas the person promoting the package to Orchestrator will always be a business user. Hence, no intervention.
Publishing to git - only applicable to developers or robot accounts, zero access to promote code in prod orchestrator.
Publishing to prod orchestrator - only applicable to business owner, zero access to git repo or studio.
Hope this helps.
Regards
Sonali
Can you kindly elaborate on the steps by which I can set who can publish to which tenant?
Because as far as I have used the pipelines, there are only two built-in roles in pipelines, for Automation Ops admin & Automation Ops contributor, but neither of these roles has any preventative measures.
I’m looking for a way where all developers have access to the processes, they are the owners & they push the workflow to Git. Now the risk lies when they create a pipeline with the develop branch of Git to the stage or production URL of Orchestrator. This risk lies even if the business owners create a pipeline.
Are you guys using ci/cd pipeline to push packages in all environments?
Dev, uat and prod?
Regards
Sonali
Yes, we are using pipelines for all.
I also did see build & publish with approval, but couldn’t find any documentation on that.
Looks like predefined pipeline available for same:
Also refer below doc, different steps are mentioned in detail:
Hi @Rohit_Nair
To control who can publish to which tenant, use Orchestrator’s role-based access control (RBAC) to assign users specific roles (e.g., Administrator, Robot) at the tenant and folder levels. Integrate Automation Ops to enforce policies and use CI/CD pipelines with approval gates to validate and restrict publishing to production. Set permissions for folders and apply environment-specific validations in the pipeline to ensure only authorized users can publish to specific tenants or environments.
Happy Automation
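The "environment validation before publishing" suggested in the replies above could look like the following added example, which is not part of the thread and not UiPath's own tooling. It is a guard step that fails the pipeline when the source branch is not mapped to the target tenant; the tenant names, branch patterns and the `SOURCE_BRANCH` / `TARGET_TENANT` variable names are assumptions to adapt.

```python
"""Pre-publish guard: refuse to publish a Git branch to a tenant it is not mapped to."""
import fnmatch
import os
import sys

# Assumed policy: branch patterns allowed per tenant (placeholder names).
ALLOWED_BRANCHES = {
    "dev": ["develop", "feature/*"],
    "uat": ["release/*"],
    "prod": ["main"],
}


def normalize_branch(ref: str) -> str:
    """Strip ref prefixes CI systems commonly prepend to the branch name."""
    ref = ref.strip()
    for prefix in ("refs/heads/", "refs/remotes/origin/", "origin/"):
        if ref.startswith(prefix):
            return ref[len(prefix):]
    return ref


def is_publish_allowed(branch: str, tenant: str, policy=ALLOWED_BRANCHES) -> bool:
    """Return True only if the branch matches a pattern listed for the tenant."""
    patterns = policy.get(tenant.strip().lower())
    name = normalize_branch(branch)
    # Fail closed: an unknown tenant or an empty branch name is rejected.
    if not patterns or not name:
        return False
    # fnmatchcase keeps matching case-sensitive, as Git branch names are.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def main() -> int:
    # Hypothetical variable names the pipeline step is assumed to export.
    branch = os.environ.get("SOURCE_BRANCH", "")
    tenant = os.environ.get("TARGET_TENANT", "")
    if is_publish_allowed(branch, tenant):
        print(f"OK: '{branch}' may be published to tenant '{tenant}'")
        return 0
    print(f"BLOCKED: '{branch}' is not allowed for tenant '{tenant}'", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step ahead of the publish step so that a non-zero exit stops the run, and keep the policy file under the same review rules as the production branch.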