Store multiple credentials

Hi All,

I would like to know what the industry standard is for storing the credentials of multiple users who use a bot. Is it stored in Orchestrator? Is it handled using Windows Credential Manager? Please advise.

You can use Orchestrator’s assets page to input credentials. If multiple users are running the same bot, you can have an if statement that decides the exact asset name to pull depending on the user’s machine the bot is running on, or the user profile, etc.

So my question is, who inputs these credentials into Orchestrator? I mean, would each user be required to log in to Orchestrator and create a new asset, since the password cannot be shared with someone else to create an asset on their behalf?

This is not correct. Assets are built so that you can have them give a different value to each Robot. You don’t have to if/then inside your code.

An Asset has nothing to do with an Orchestrator login. An Asset is just a way to store a value, or values (for non-global Assets). Someone who is an Orchestrator admin would create the Asset.

I’ve faced a similar dilemma. My solution was to build a separate bot called Password_Updater. When the end user runs it, it prompts for the new password, which will be stored as a credential asset.

Then, the actual bot will always be pulling the latest password from the assets. And the end user never needs to log into Orchestrator themselves.

So would the users have to share their password with the Orchestrator admin? What’s the general standard followed?

They don’t have to. The admin makes the asset, then deploys the password updater bot as I described. The end user then inputs their credentials via the password updater bot.


Ah, OK, I see… Still, I am wondering how multiple app creds can be updated when there are a lot of users. Would a separate password update bot be created for each app’s cred?

Let’s say you have a bot for John Smith called JSmithBot, and a process that automates Twitter.com. You’d have 1 credentials asset named TwitterCreds. Within the TwitterCreds, you can have different credentials for each robot, so John Smith will have his own login.

When John Smith runs the Password Updater Bot, it will be on Robot JSmithBot, which means when it updates the TwitterCreds, it will only update the TwitterCreds for JSmithBot.

Basically, as long as the end user is running the Password Updater Bot on the same robot that runs the actual process, the credentials will always remain specific to the robot, while only requiring 1 credential asset TwitterCreds, and 1 Password Updater Bot.


No. The username/pwd in the Asset is entirely unrelated to any Orchestrator logins. You can put anything you want in the Asset. If these are passwords of actual users, not service accounts, then you’ll have to have them type the password in for you or they’ll have to tell you their password. This is why it’s better to use service accounts, not actual user passwords.

A password updater is a great idea. I assume it just prompts the user for the password and then updates the Asset?

Correct
