document-understanding
latest
false
- Overview
- Getting started
- Building models
- Consuming models
- Model Details
- Public endpoints for Automation Cloud and Test Cloud
- Public endpoints for Automation Cloud and Test Cloud Public Sector
- 1040 - document type
- 1040 Schedule C - document type
- 1040 Schedule D - document type
- 1040 Schedule E - document type
- 1040x - document type
- 3949a - document type
- 4506T - document type
- 709 - document type
- 941x - document type
- 9465 - document type
- ACORD125 - document type
- ACORD126 - document type
- ACORD131 - document type
- ACORD140 - document type
- ACORD25 - document type
- Bank Statements - document type
- Bills Of Lading - document type
- Certificate of Incorporation - document type
- Certificate of Origin - document type
- Checks - document type
- Children Product Certificate - document type
- CMS 1500 - document type
- EU Declaration of Conformity - document type
- Financial Statements - document type
- FM1003 - document type
- I9 - document type
- ID Cards - document type
- Invoices - document type
- Invoices2 - document type
- Invoices Australia - document type
- Invoices China - document type
- Invoices Hebrew - document type
- Invoices India - document type
- Invoices Japan - document type
- Invoices Shipping - document type
- Packing Lists - document type
- Payslips - document type
- Passports - document type
- Purchase Orders - document type
- Receipts - document type
- Receipts2 - document type
- Receipts Japan - document type
- Remittance Advices - document type
- UB04 - document type
- US Mortgage Closing Disclosures - document type
- Utility Bills - document type
- Vehicle Titles - document type
- W2 - document type
- W9 - document type
- Supported languages
- Insights dashboards
- Data and security
- Logging
- Licensing
- How to
- Troubleshooting
Document Understanding user guide
Last updated Apr 23, 2026
Role-based access control
This section is primarily intended to guide administrators in configuring and managing access control based on user roles for Document UnderstandingTM.
User roles
Note:
Feature availability depends on the cloud platform that you use. For details, refer to the Choosing the deployment type page.
Document UnderstandingTM has the following default roles and permissions:
- DU Administrator: acts as a service-level administrator who has permission to perform any action within Document Understanding.
Note:
DU Administrators can only assign roles if they also hold the position of Organization Administrator. This can occur in two scenarios:
- If the DU Administrator role was inherited as part of the Administrator group at Organization level, it works as expected. Any user part of the Administrator group in Automation CloudTM is automatically an Organization Administrator.
- If the DU Administrator role was explicitly assigned (for example, to a user that is part of the Everyone group in Automation CloudTM), the user can perform all tasks in Document Understanding as defined by the DU Administrator role, except Role Assignments.
- DU Data Annotator: has permission to view projects and annotate documents, or edit fields, but can't delete data from document types or publish project versions.
- DU Automation User: can discover models and use them to digitize, classify, extract and validate data.
- DU Developer: acts as a project-level administrator who has permission to perform any action within a project.
- DU Model Trainer: has permission to modify certain document type settings and delete or upload documents.
- DU Viewer: has permissions to view certain features, but can't modify any settings within a project.
Note:
Recommendations in Document Understanding are displayed only when the user has sufficient permissions to perform the action suggested by the recommendation. If you do not have permissions to execute the recommended actions, you will see a message indicating insufficient access. Users with the Document Understanding Developer, Document Understanding Administrator, and Document Understanding Project Administrator roles can view all available recommendations. The Project Administrator role applies these permissions at the project level only.
Custom roles
Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.
To create custom roles at service level, navigate to Manage access at Document Understanding level, and select Create role from the Roles tab to define roles, and select your preferred scope and permissions.
Inheritance of organization roles
Organization roles are automatically mapped to Document Understanding roles.
Table 1. Organization roles inheritance
| Tenant role | Document Understanding role |
|---|---|
| Administrators | DU Administrator |
| Automation Developers | DU Developer |
| Automation Users | DU Viewer |
Organization Administrators are automatically granted DU Administrator privileges. This applies to all other roles mentioned in the previous table. However, you can't currently remove or delete automatically assigned roles. For instance, if you want only a specific subset of organization admins to have DU Administrator privileges, this feature is not available at this time. You can explicitly assign the DU Administrator role to a user outside of the Administrator group, but they will not have access to manage role assignments.
Managing and assigning roles
To manage overall access and roles for Document Understanding, select the Manage access button at the top-right of the screen.
Figure 1. Document Understanding manage access
To manage access for a specific project, open that project and go to the Manage access section at the bottom-left of the screen.
Figure 2. Project manage access
User roles and permissions
Note:
Feature availability depends on the cloud platform that you use. For details, refer to the Choosing the deployment type page.
Setting up different roles, assigning specific access rights, and managing users ensure that each user within your organization has the type of access suited to their professional requirements, upholding data integrity and enhancing system security.
On the Manage Access page you can see the following roles with their appropriate permissions:
- Document Understanding Administrator: has all permissions at both project and tenant level.
- Document Understanding Automation User: can discover models and use them to digitize, classify, extract and validate data.
- Document Understanding Data Annotator: can view projects, label documents, edit fields, but can't delete data from Document Types or publish project versions.
- Document Understanding Developer: can read projects and can manage anything inside a project: classifiers, extractors, document types. Cannot create or delete projects.
- Document Understanding Model Trainer: can view projects, label documents, edit fields, import or export data and delete data from a Document Type session.
- Document Understanding Viewer: can view all entities but has no rights to edit or delete them.
- Document Understanding Project Administrator: has all permissions to manage a project and users for the project.
Note:
This role is only available at project level.
Document Understanding Administrator permissions
| Permission | Description |
|---|---|
| Classifier.Create | You can create a new classifier. |
| Classifier.Delete | You can delete an already available classifier. |
| Classifier.Read | You can read the classifier. |
| Classifier.Update | You can update a classifier that is already available. |
| DataSetExport.Create | You can export a dataset from a project version and manage the visibility of the Download document(s) button. |
| DataSetExport.Delete | You can delete a dataset export. |
| DataSetExport.Read | You can read an available dataset export. |
| Documents.Delete | You can delete documents. |
| DocumentType.Create | You can create new document types. |
| DocumentType.Delete | You can delete entire document types (including documents, annotations, schemas, etc.) |
| DocumentType.Read | You can read an already available Document Type. |
| DocumentType.Update | You can update a document type that is already available. You can update anything inside a particular document type (for example, add or remove documents, add or remove annotations, add or remove fields, and others). |
| Extractor.Create | You can create a new extractor. |
| Extractor.Delete | You can delete an already available extractor. |
| Extractor.Read | You can read the extractor. |
| Extractor.Update | You can update an extractor that is already available. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProcessedDocumentsDetail.Read | You can read the processed documents detail from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Delete | You can delete the project. |
| Project.Execute | You can execute models within a specific project. |
| Project.Read | You can read the project. |
| Project.Update | You can update the project. |
| Projects.Create* | You can create new projects. |
| Projects.Delete* | You can delete any project available for the tenant. |
| Projects.Read* | You can read any project available for the tenant. |
| Projects.Update* | You can update any project available for the tenant. |
| ProjectVersion.Create | You can create new project versions. |
| ProjectVersion.Delete | You can delete an already available project version. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersion.Update | You can update an already available project version. |
| ProjectVersionLabel.Create | You can create new project version labels. |
| ProjectVersionLabel.Delete | You can delete an already available project version label. |
| ProjectVersionLabel.Read | You can read a project version label. |
| ProjectVersionLabel.Update | You can update an already available project version label. |
| TenantSettings.Create | You can create Document Understanding tenant level settings. |
| TenantSettings.Read | You can read Document Understanding tenant level settings. |
| TenantSettings.Update | You can update Document Understanding tenant level settings. |
* Permission assigned at the tenant level.
Document Understanding Automation User permissions
| Permission | Description |
|---|---|
| Project.Execute | You can execute models within a specific project. |
Document Understanding Data Annotator permissions
| Permission | Description |
|---|---|
| Classifier.Read | You can read the classifier. |
| DocumentType.Read | You can read an already available Document Type. |
| DocumentType.Update | You can update a document type that is already available. You can update anything inside a particular document type (for example, add or remove documents, add or remove annotations, add or remove fields, and others). |
| Extractor.Read | You can read the extractor. |
| Field.Read | You can read an available field. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProcessedDocumentsDetail.Read | You can read the processed documents detail from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Read | You can read the project. |
| Projects.Read* | You can read any project available for your tenant. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersionLabel.Read | You can read a project version label. |
TM0 Permission assigned at the tenant level.
Document Understanding Developer permissions
| Permission | Description |
|---|---|
| Classifier.Create | You can create a new classifier. |
| Classifier.Delete | You can delete an already available classifier. |
| Classifier.Read | You can read the classifier. |
| Classifier.Update | You can update a classifier that is already available. |
| DataSetExport.Create | You can export a dataset from a project version and manage the visibility of the Download document(s) button. |
| DataSetExport.Delete | You can delete a dataset export. |
| DataSetExport.Read | You can read an available dataset export. |
| Documents.Delete | You can delete documents. |
| DocumentType.Create | You can create new document types. |
| DocumentType.Delete | You can delete entire document types (including documents, annotations, schemas, etc.) |
| DocumentType.Read | You can read an already available Document Type. |
| DocumentType.Update | You can update a document type that is already available. You can update anything inside a particular document type (for example, add or remove documents, add or remove annotations, add or remove fields, and others). |
| Extractor.Create | You can create a new extractor. |
| Extractor.Delete | You can delete an already available extractor. |
| Extractor.Read | You can read the extractor. |
| Extractor.Update | You can update an extractor that is already available. |
| Field.Create | You can create a new field. |
| Field.Delete | You can delete an already available field. |
| Field.Read | You can read an available field. |
| Field.Update | You can update a field that is already available. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProcessedDocumentsDetail.Read | You can read the processed documents detail from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Execute | You can execute models within a specific project. |
| Project.Read | You can read the project. |
| Project.Update | You can update the project. |
| Projects.ReadTM1 | You can read any project available for your tenant. |
| Projects.UpdateTM2 | You can update any project available for your tenant. |
| ProjectVersion.Create | You can create new project versions. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersion.Update | You can update an already available project version. |
| ProjectVersionLabel.Read | You can read a project version label. |
TM3 Permission assigned at the tenant level.
Document Understanding Model Trainer permissions
| Permission | Description |
|---|---|
| Classifier.Read | You can read the classifier. |
| Documents.Delete | You can delete documents. |
| DocumentType.Read | You can read an already available Document Type. |
| DocumentType.Update | You can update a document type that is already available. You can update anything inside a particular document type (for example, add or remove documents, add or remove annotations, add or remove fields, and others). |
| Extractor.Read | You can read the extractor. |
| Field.Create | You can create a new field. |
| Field.Delete | You can delete an already available field. |
| Field.Read | You can read an available field. |
| Field.Update | You can update a field that is already available. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProcessedDocumentsDetail.Read | You can read the processed documents detail from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Execute | You can execute models within a specific project. |
| Project.Read | You can read the project. |
| Projects.ReadTM4 | You can read any project available for your tenant. |
| ProjectVersion.Create | You can create new project versions. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersion.Update | You can update an already available project version. |
| ProjectVersionLabel.Read | You can read a project version label. |
| RetrainingDocuments.Create | You can create a document for retraining. |
| RetrainingDocuments.Read | You can read a document for retraining. |
| RetrainingDocuments.Update | You can update a document for retraining that is already available. |
TM5 Permission assigned at the tenant level.
Document Understanding Viewer permissions
| Permission | Description |
|---|---|
| Classifier.Read | You can read the classifier. |
| DocumentType.Read | You can read an already available Document Type. |
| Extractor.Read | You can read the extractor. |
| Field.Read | You can read a field that is already available. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Read | You can read the project. |
| Projects.ReadTM6 | You can read any project available for your tenant. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersionLabel.Read | You can read a project version label. |
| RetrainingDocuments.Read | You can read a document for retraining. |
| RoleAssignment.Read | You can view a role assignment. |
TM7 Permission assigned at the tenant level.
Project Administrator permissions
Note:
This role is only available at project level.
| Permission | Description |
|---|---|
| Classifier.Create | You can create a new classifier. |
| Classifier.Delete | You can delete an already available classifier. |
| Classifier.Read | You can read the classifier. |
| Classifier.Update | You can update a classifier that is already available. |
| DataSetExport.Create | You can export a dataset from a project version and manage the visibility of the Download document(s) button. |
| DataSetExport.Delete | You can delete a dataset export. |
| DataSetExport.Read | You can read an available dataset export. |
| Documents.Delete | You can delete documents. |
| DocumentType.Create | You can create new document types. |
| DocumentType.Delete | You can delete entire document types (including documents, annotations, schemas, etc.) |
| DocumentType.Read | You can read an already available Document Type. |
| DocumentType.Update | You can update a document type that is already available. You can update anything inside a particular document type (for example, add or remove documents, add or remove annotations, add or remove fields, and others). |
| Extractor.Create | You can create a new extractor. |
| Extractor.Delete | You can delete an already available extractor. |
| Extractor.Read | You can read the extractor. |
| Extractor.Update | You can update an extractor that is already available. |
| Field.Create | You can create a new field. |
| Field.Delete | You can delete an already available field. |
| Field.Read | You can read an available field. |
| Field.Update | You can update a field that is already available. |
| MonitorProcessedDocuments.Read | You can read the processed documents from the Monitor section. |
| MonitorProcessedDocumentsDetail.Read | You can read the processed documents detail from the Monitor section. |
| MonitorProjectPerformance.Read | You can read the Projects Performance dashboard from the Monitor section. |
| Project.Execute | You can execute models within a specific project. |
| Project.Read | You can read the project. |
| Project.Update | You can update an already available project. |
| ProjectVersion.Create | You can create new project versions. |
| ProjectVersion.Delete | You can delete an already available project version. |
| ProjectVersion.Read | You can read a project version. |
| ProjectVersion.Update | You can update an already available project version. |
| ProjectVersionLabel.Create | You can create new project version labels. |
| ProjectVersionLabel.Delete | You can delete an already available project version label. |
| ProjectVersionLabel.Read | You can read a project version label. |
| ProjectVersionLabel.Update | You can update an already available project version label. |
| RetrainingDocuments.Create | You can create a document for retraining. |
| RetrainingDocuments.Delete | You can delete a document for retraining that is already available. |
| RetrainingDocuments.Read | You can read a document for retraining. |
| RetrainingDocuments.Update | You can update a document for retraining that is already available. |
| RoleAssignment.Create | You can assign a role to a group or user. |
| RoleAssignment.Delete | You can remove a role assignment. |
| RoleAssignment.Read | You can view a role assignment. |
| RoleAssignment.Update | You can edit a role assignment. |
Creating a custom role
Apart from the default Document Understanding roles, you can also create and manage custom roles. Adapting custom roles to specific needs and permissions helps align them with organizational requirements.
Custom roles are available at both the tenant level, and the project level.
Tenant-level roles
The tenant-level roles can grant the following permissions:
Table 2. Standard permissions
| Permission Type | Permission | Description |
|---|---|---|
| Authorization / Action | Read | Read allows the users to read the actions or permissions when creating a custom role or when viewing a role. |
| Authorization / Role | Read | View all roles. |
| Authorization / Role | Update | Update custom roles. |
| Authorization / Role | Create | Create custom roles. |
| Authorization / Role | Delete | Delete custom roles. |
| Authorization / Role Assignment | Read | View all existing role assignments. |
| Authorization / Role Assignment | Update | Update existing role assignments. |
| Authorization / Role Assignment | Create | Create new role assignments. |
| Authorization / Role Assignment | Delete | Delete existing role assignments. |
| Document Understanding - Tenant Settings | Read | Read Document Understanding tenant-level settings. |
| Document Understanding - Tenant Settings | Update | Update Document Understanding tenant-level settings. |
| Document Understanding - Tenant Settings | Create | Create Document Understanding tenant-level settings. |
Table 3. Additional permissions
| Permission Type | Permission | Description |
|---|---|---|
| Authorization / Role Assignment | Export role assignment data | Export role assignment data from the user interface. |
Project-level roles
The project-level roles can grant the following permissions:
Table 4. Custom role project-level permissions
| Permission Type | Permission | Description |
|---|---|---|
| Authorization / Action | Read | Read allows the users to read the actions or permissions when creating a custom role or when viewing a role. |
| Authorization / Role | Read | View all roles. |
| Authorization / Role | Update | Update custom roles. |
| Authorization / Role | Create | Create custom roles. |
| Authorization / Role | Delete | Delete custom roles. |
| Authorization / Role Assignment | Read | View all existing role assignments. |
| Authorization / Role Assignment | Update | Update existing role assignments. |
| Authorization / Role Assignment | Create | Create new role assignments. |
| Authorization / Role Assignment | Delete | Delete existing role assignments. |
| Document Understanding - Classifier | Read | View all classifiers. |
| Document Understanding - Classifier | Update | Update classifiers. |
| Document Understanding - Classifier | Create | Create classifiers. |
| Document Understanding - Classifier | Delete | Delete classifiers. |
| Document Understanding - Data Set Export | Read | Read data set exports from a project version. |
| Document Understanding - Data Set Export | Create | Export data sets from a project version and manage the visibility of the download document(s) button. |
| Document Understanding - Data Set Export | Delete | Delete data set exports from a project version. |
| Document Understanding - Document Type | Read | Read document types. |
| Document Understanding - Document Type | Update | Update document types. |
| Document Understanding - Document Type | Create | Create document types. |
| Document Understanding - Document Type | Delete | Delete document types. |
| Document Understanding - Documents | Delete | Delete documents from a project. |
| Document Understanding - Extractor | Read | View extractors. |
| Document Understanding - Extractor | Update | Update extractors. |
| Document Understanding - Extractor | Create | Create extractors. |
| Document Understanding - Extractor | Delete | Delete extractors. |
| Document Understanding - Monitor Processed Documents | Read | View processed documents. |
| Document Understanding - Monitor Processed Documents Detail | Read | View details for processed documents |
| Document Understanding - Monitor Project Performance | Read | View the project performance. |
| Document Understanding - Project | Read | View projects. |
| Document Understanding - Project | Update | Update projects. |
| Document Understanding - Project | Create | Create projects. |
| Document Understanding - Project | Delete | Delete projects. |
| Document Understanding - Project Version | Read | View project versions. |
| Document Understanding - Project Version | Update | Update project versions. |
| Document Understanding - Project Version | Create | Create project versions. |
| Document Understanding - Project Version | Delete | Delete project versions. |
| Document Understanding - Project Version Label | Read | View project version labels. |
| Document Understanding - Project Version Label | Update | Update project version labels. |
| Document Understanding - Project Version Label | Create | Create project version labels. |
| Document Understanding - Project Version Label | Delete | Delete project version labels. |
Table 5. Additional permissions
| Permission Type | Permission | Description |
|---|---|---|
| Authorization / Role Assignment | Export role assignment data | Export role assignment data from the user interface. |
| Document Understanding | Use extractors and classifiers from projects. | Use the same extractors and classifiers used inside projects. |
Creating a custom role
To create a custom role:
- Navigate to your respective Automation CloudTM8 URL and log in with your UiPath® account.
- From the left-side navigation pane, select Document Understanding.
- Select the Manage access button.
- Go to the Roles tab, select Create role, and fill in the following fields:
- Role name - Give your role a descriptive name.
- Description - Optionally, provide a description.
- Category - Choose between:
- Tenant
- You can assign this role at tenant-level. It consists of tenant-level permissions.
- Project - You can assign this role to existing or new projects. It consists of project-level permissions.
- Tenant
- Select Next to proceed to the permissions page.
- In the Standard permissions and Additional permissions tabs, select the permissions to assign to the custom role.
- Select Create.
Viewing a custom role
To view a custom role:
- Navigate to your respective Automation CloudTM9 URL and log in with your UiPath® account.
- From the left-side navigation pane, select Document Understanding.
- Select the Manage access button.
- Go to the Roles tab and select the ellipsis for the custom role you want to view.
- Select View.
Editing a custom role
To edit a custom role:
- Navigate to your respective Automation CloudTM0 URL and log in with your UiPath® account.
- From the left-side navigation pane, select Document Understanding.
- Select the Manage access button.
- Go to the Roles tab and select the ellipsis for the custom role you want to view.
- Select Edit to modify the description and permissions of the custom role.
- After making the changes, select Update.
Duplicating a custom role
To duplicate a custom role:
- Navigate to your respective Automation CloudTM1 URL and log in with your UiPath® account.
- From the left-side navigation pane, select Document Understanding.
- Select the Manage access button.
- Go to the Roles tab and select the ellipsis for the custom role you want to view.
- Select Duplicate & customize, to create a copy of the role and modify its description and permissions.
- After making the changes, select Create.
Removing a custom role
To remove a custom role:
- Navigate to your respective Automation CloudTM2 URL and log in with your UiPath® account.
- From the left-side navigation pane, select Document Understanding.
- Select the Manage access button.
- Go to the Roles tab and select the ellipsis for the custom role you want to view.
- Select Delete.
Note:
Deleting a custom role also removes all associated role assignments.
- User roles
- Custom roles
- Inheritance of organization roles
- Managing and assigning roles
- User roles and permissions
- Document Understanding Administrator permissions
- Document Understanding Automation User permissions
- Document Understanding Data Annotator permissions
- Document Understanding Developer permissions
- Document Understanding Model Trainer permissions
- Document Understanding Viewer permissions
- Project Administrator permissions
- Creating a custom role
- Tenant-level roles
- Project-level roles
- Creating a custom role
- Viewing a custom role
- Editing a custom role
- Duplicating a custom role
- Removing a custom role