We’re studying how to partition our Orchestrator between different teams within a single tenant using unattended bots. We were thinking of using classic folders, roles and AD groups. Here’s what I did as a test.
I created a 1st role that we can call VIEWERS, allowing to view machines, robots, environments, processes, jobs and logs. I assigned this role to the AD group TEAM1_VIEWERS on the classic folder TEAM1.
I created a 2nd role called DESIGNERS giving the same permissions as VIEWERS plus the creation of processes and jobs. I assigned this role to the AD group TEAM2_DESIGNERS on the classic folder TEAM2.
Then I added people to these AD groups:
- John into TEAM1_VIEWERS
- Bill into TEAM2_DESIGNERS
- Bob into TEAM1_VIEWERS and TEAM2_DESIGNERS
Everything is OK for John, who can only view elements in the TEAM1 folder. He can’t view the TEAM2 folder.
Same thing for Bill, who can create processes and launch them in the TEAM2 folder. As expected, he can’t view the TEAM1 folder.
For Bob, there’s a problem: I expected him to have only view permissions in the TEAM1 folder. But there he can create processes and jobs.
So from this test I understood that with classic folders, if you have access to a folder, you will have there the sum of all permissions that you have from the different AD groups you belong to. Is that correct?
Is there a way to distinguish the partitions per folder in a tenant?
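The following is an added model of the two permission semantics at play in this post; it is not UiPath's code and does not call the Orchestrator API. The role contents, AD groups and folder bindings are taken from the post; the "tenant-scoped" function encodes the behaviour the post observed (folder binding grants access, but the role's permissions are unioned across every group the user belongs to), and the "folder-scoped" function encodes the per-folder partition the post is asking for. In UiPath this second model is what modern folders provide, where roles are assigned per folder rather than tenant-wide. The `excess_permissions` helper is a hypothetical audit check that reports what a user can do beyond what per-folder binding would allow, which is the kind of review an admin would run before relying on classic folders for team isolation.

```python
# Added example: modelling effective Orchestrator permissions under two semantics.
# Role contents, groups and folder bindings are taken from the post above.

# Permissions as named in the post (VIEWERS: view only; DESIGNERS: view + create)
PERMS = {
    "VIEWERS": {"Machines.View", "Robots.View", "Environments.View",
                "Processes.View", "Jobs.View", "Logs.View"},
}
PERMS["DESIGNERS"] = PERMS["VIEWERS"] | {"Processes.Create", "Jobs.Create"}

# AD group membership from the post
AD_GROUPS = {
    "TEAM1_VIEWERS": {"John", "Bob"},
    "TEAM2_DESIGNERS": {"Bill", "Bob"},
}

# Role assignments as (AD group, role, classic folder) from the post
ASSIGNMENTS = [
    ("TEAM1_VIEWERS", "VIEWERS", "TEAM1"),
    ("TEAM2_DESIGNERS", "DESIGNERS", "TEAM2"),
]


def groups_of(user):
    """All AD groups the user belongs to."""
    return {g for g, members in AD_GROUPS.items() if user in members}


def effective_tenant_scoped(user, folder):
    """Classic-folder model (assumption matching the post's observation):
    the folder binding only decides whether the user can see the folder;
    the role itself is tenant-wide, so inside any accessible folder the
    user holds the union of permissions from every role any group grants."""
    groups = groups_of(user)
    accessible = {f for g, _, f in ASSIGNMENTS if g in groups}
    if folder not in accessible:
        return set()
    perms = set()
    for g, role, _ in ASSIGNMENTS:
        if g in groups:
            perms |= PERMS[role]
    return perms


def effective_folder_scoped(user, folder):
    """Folder-scoped model (the partition the post asks for): a role only
    applies inside the folder it was bound to."""
    groups = groups_of(user)
    perms = set()
    for g, role, f in ASSIGNMENTS:
        if g in groups and f == folder:
            perms |= PERMS[role]
    return perms


def excess_permissions(user, folder):
    """Hypothetical audit helper: permissions the user holds under the
    tenant-scoped model that per-folder binding would not have granted."""
    return effective_tenant_scoped(user, folder) - effective_folder_scoped(user, folder)


def audit(users=("John", "Bill", "Bob"), folders=("TEAM1", "TEAM2")):
    """Return {(user, folder): sorted excess permissions} for review."""
    return {(u, f): sorted(excess_permissions(u, f)) for u in users for f in folders}


if __name__ == "__main__":
    for (u, f), extra in audit().items():
        print(f"{u:5} {f}: excess vs folder-scoped = {extra or '-'}")
```

Running the block reproduces the post's result: John and Bill show no excess anywhere, while Bob shows Processes.Create and Jobs.Create in TEAM1, which is exactly the union effect the post describes.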