Orchestrator uses an access-control mechanism based on roles and permissions. Roles are collections of permissions meaning that the permissions needed to use certain Orchestrator entities are assigned to roles.
Role-permissions and user-roles relationships allow for a certain level of access to Orchestrator. A user gets the permissions required to perform particular operations through one or multiple roles. Since users are not assigned permissions directly, but only acquire them through roles, management of access rights involves assigning appropriate roles to the user. See Modifying the Roles of a User.

Permission Types and Role Types
There are two categories of permissions:
- Tenant permissions - Define a user's access to resources at the tenant level.
- Folder permissions - Define the user's access and ability within each folder they are assigned to.
Based on the permissions they include, there are three types of roles:
- Tenant roles, which include tenant permissions and are required for working at the tenant level.
- Folder roles, which include permissions for working within a folder.
- Mixed roles, which include both types of permissions.
With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.
Note:
Mixed roles are no longer supported and you cannot create new ones. If you have mixed roles, we recommend replacing them with a combination of tenant and folder roles to grant the required permissions.
The following resources are available to users depending on the type of roles they have:
Tenant Resources | Folder Resources |
---|---|
Alerts Audit Background tasks Libraries License Robots Machines ML Logs Packages Roles Settings Folders Users Webhooks | Assets Storage Files Storage Buckets Environments Execution Media Folder Packages Jobs Logs Monitoring Processes Queues Triggers Subfolders Action Assignment Action Catalogs Actions Tasks Assignment Test Case Execution Artifacts Test Data Queue Items Test Data Queues Test Set Executions Test Sets Test Set Schedules Transactions |
You have the possibility to disable permissions completely from the user interface and API using the Auth.DisabledPermissions
parameter in UiPath.Orchestrator.dll.config
.
Assigning the Different Types of Roles
The type of role is important because you assign roles differently based on their type:
- If Activate Classic Folders is cleared under Tenant > Settings > General:
You assign Tenant roles and Mixed roles from the Users page or from the Roles page.
You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page. - If Activate Classic Folders is selected under Tenant > Settings > General:
You assign any of the three types of roles from the Users page or from the Roles page.
You assign Folder roles and Mixed roles from the Folders page or from the folder's Settings page.
Permissions Without Effect
Although you can select all available rights (View, Edit, Create, or Delete) for any permission, the following rights have no effect for the listed permission:
Permission | Category |
---|---|
Edit | Audit Execution Media Logs |
Create | Audit License Settings Monitoring |
Delete | Alerts Audit Settings Logs Monitoring |
This is because, for example, it is not possible to edit system-generated logs.
Default Orchestrator Roles
By default, the following roles exist in Orchestrator:
Role | Type | Description |
---|---|---|
Administrator | Mixed | A user with all tenant-level permissions granted. This is the default role granted to the admin user of each tenant and cannot be edited. |
Robot | Mixed | All permissions required to execute processes in Classic folders. |
Standard Roles for Folders
For all users, you can automatically create the following roles:
Role | Type | Description |
---|---|---|
Tenant Administrator | Tenant | The equivalent of the Administrator role, a user with tenant-level permissions granted. Assign at the tenant level to those users, if any, that are delegated the management of all tenant entities. |
Allow to be Folder Administrator | Tenant | A user with the minimum tenant-level permissions needed to manage their own folders and subfolders. Assign this role at the tenant level and assign the Folder Administrator role, below, at the folder level to enable folder management for a user. |
Folder Administrator | Folder | A user with the minimum folder-level permissions needed to manage their own folders and subfolders. Assign this role at the folder level and assign the Allow to be Folder Administrator role, above, at the tenant level to enable folder management for a user. |
Allow to be Automation User | Tenant | A user with the minimum tenant-level permissions needed to execute processes. Assign at the tenant level in conjunction with the Automation User role, below, at the folder level. |
Automation User | Folder | A user with the minimum folder level permissions needed to execute processes. Assign at the folder level in conjunction with the Allow to be Automation User role, above, at the tenant level. |
See Default Roles for the permissions specific to each role.
Note
The permissions associated with roles can change between versions as new features and integrations are added. When this happens, affected roles appear in red on your Tenant Settings page. Click on an affected role to add the missing permissions for each role.
Updated about a year ago