Hi everyone and good afternoon. I am working with a client who has credentials for a portal we use stored in orchestrator. I was discussing with my lead that role permissions change Orchestrator and I’m wondering if there is a role specific to just allowing them to go in and update these credentials and NOTHING else.
Or should we create some sort of automation?
The credentials expire every 90 days.
I have not found anything clear or concise in a situation like this.
I am not sure what you mean by “stored in orchestrator” but I strongly guess you mean the credentials for the portal are provided via an asset.
Please note that the role feature is not so granular that you can allow your customer to edit only one asset. The lowest authority which you can configure is to allow editing of all assets in a folder. In your scenario I would do the following:
1. Create a new folder only for this specific process.
2. Deploy/migrate the specific process and configuration to this folder.
3. Create an Orchestrator account for the customer.
4. Create a new folder role with the right to view and edit assets.
@ajeffers It’s not mentioned whether you are talking about Asset Credentials or User/Robot Credentials.
If Asset Credentials, @christian.schauer’s solution is good, but you could simplify it if needed and only create a Modern Folder for the needed Assets, as a Modern Process can work with entities in other Folders. Your other entities (Processes, Triggers, etc.) can continue to live in their Folder, assuming they are already in a Modern Folder.
Another approach that can be applied to both User/Robot Credentials and Asset Credentials is to move your credentials into another Provider, if you are already using one for other systems. For example, Azure or CyberArk: these could be set up with isolated Safes owned/managed by you or your clients, as well as handle the credential rotation if that is what you want.