Hello AJ,
I just saw this reply, as I was away for a month.
I created a local account in orchestrator and assign the access it needed to create queue items and jobs but also view access on tenant level.
I got help from IT to whitelist the IPs (all ips) of celonis to allow to make connection to our on-prem orchestrator server.
hope this helps you.
Br,
Nabin