Automation Cloud admin guide
Managing access
Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles either to groups, so that all member accounts inherit them, or to individual accounts.
Accounts and groups typically have an organization-level role and one or more service-level roles.
- The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations.
- The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful when none of the available built-in roles perfectly match the access a user or group should have.
A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments.
The Manage access menu is available within all possible scopes, descending from the organization level down to the project level.
A role is defined by multiple permissions. Permissions can be specific to a certain scope.
The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder.
The following types of roles are based on scopes and permissions:
- The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope.
- The global tenant role is a type of role you create at organization scope. You can apply this role type to all tenants within the organization.
- The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously.
- The service role is a type of role you create at service scope. This role type contains permissions from certain services.
- The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope.
The following table classifies scopes, role types based on scopes and permissions, and examples of roles:
Scope | Types of roles based on scopes and permissions | Examples of roles |
---|---|---|
Organization | Organization level roles | Insights Dashboard Viewer, Organization Administrator |
Organization | Global tenant roles | Note: A global tenant role can be created using the custom role functionality. |
Tenant | Cross-service roles | Tenant Administrator |
Service | Service roles | Orchestrator Administrator |
Service | Folder or project roles | Folder Administrator |
In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants them the Organization Administrator role for the organization and the Administrator role within your services. This user can manage both organization-level roles (from Admin, by selecting Accounts and Groups) and service-level roles.
Group membership | Organization-level role | Service-level roles for Orchestrator |
---|---|---|
Administrators | Organization Administrator | |
Automation Users | User | Automation User at folder level ¹; Allow to be Automation User at tenant level |
Automation Developers | User | Automation User at folder level ¹; Folder Administrator at folder level ¹; Allow to be Automation User at tenant level; Allow to be Folder Administrator at tenant level |
Everyone | User | No roles. |
Automation Express | User | Allow to be Automation User at tenant level |
[Custom group] | User | No roles by default, but you can add roles to the group as needed. |

¹ The roles are assigned to the Shared modern folder, if it exists.
The organization level represents the highest level of scope.
At organization level, the Organization Administrator, User, and Insights Dashboard Viewer roles are available. You cannot change these roles or add new roles at the organization level.
Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.
Organization-level roles also include organization-level service permissions for services such as Apps and AutomationOps.
Organization administrator role
This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.
The organization administrator and the Tenant Admin roles are the only roles that allow access to the Admin section.
The first organization administrator for any given organization is appointed when the organization is created.
To grant this role to others, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.
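The group inheritance described on this page can be checked mechanically during an access review. The following is an added example, not UiPath code: it resolves the roles an account holds through its groups plus direct assignments, and lists the accounts holding a role that opens the Admin section. The account dictionary layout, the `Ops` group, and the function names are assumptions made for illustration; the group-to-role mapping is taken from the group table and the paragraph that introduces it.

```python
from collections import defaultdict

# Default group -> (organization-level role, [(service-level role, scope)]),
# transcribed from the group table on this page; the Administrator service role
# comes from the paragraph above that table. Folder scope = Shared modern folder.
DEFAULT_GROUP_ROLES = {
    "Administrators": ("Organization Administrator", [("Administrator", "service")]),
    "Automation Users": ("User", [("Automation User", "folder"),
                                  ("Allow to be Automation User", "tenant")]),
    "Automation Developers": ("User", [("Automation User", "folder"),
                                       ("Folder Administrator", "folder"),
                                       ("Allow to be Automation User", "tenant"),
                                       ("Allow to be Folder Administrator", "tenant")]),
    "Everyone": ("User", []),
    "Automation Express": ("User", [("Allow to be Automation User", "tenant")]),
}
# Per the page, only these two roles allow access to the Admin section.
ADMIN_SECTION_ROLES = {"Organization Administrator", "Tenant Administrator"}
# Constructed sample data; the layout and the "Ops" group are hypothetical.
ACCOUNTS = {
    "alice": {"groups": ["Everyone", "Administrators"]},
    "bob": {"groups": ["Everyone", "Automation Developers"]},
    "carol": {"groups": ["Everyone", "Ops"],
              "direct": [("Tenant Administrator", "tenant")]},
}


def effective_roles(groups, direct=(), group_roles=DEFAULT_GROUP_ROLES):
    """Union of group-inherited and directly assigned roles, keyed by scope."""
    roles = defaultdict(set)
    for group in groups:
        # A group missing from the mapping is a custom group with no added roles.
        org_role, service_roles = group_roles.get(group, ("User", []))
        roles["organization"].add(org_role)
        for role, scope in service_roles:
            roles[scope].add(role)
    for role, scope in direct:
        roles[scope].add(role)
    return {scope: sorted(names) for scope, names in roles.items()}


def admin_section_access(accounts, group_roles=DEFAULT_GROUP_ROLES):
    """Map each account that can open the Admin section to the roles granting it."""
    findings = {}
    for name, account in accounts.items():
        eff = effective_roles(account["groups"], account.get("direct", ()),
                              group_roles)
        held = {r for names in eff.values() for r in names} & ADMIN_SECTION_ROLES
        if held:
            findings[name] = sorted(held)
    return findings
```

To cover custom groups that have been given roles, pass a copy of `DEFAULT_GROUP_ROLES` extended with those groups as `group_roles`.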
The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table:
Areas subject to permissions | View | Edit | Create | Delete |
---|---|---|---|---|
Usage charts and graphs | | | | |
Tenants | | | | |
Accounts and groups | | | | |
Security settings | | | | |
External applications | | | | |
Licenses | | | | |
API keys | | | | |
Resource center (Help) | | | | |
Audit logs | | | | |
Organization settings | | | | |
User role
This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the Everyone group, which grants them the User role.
This role is granted to all accounts that are in the default groups Everyone, Automation Users, or Automation Developers.
This role provides read-only access to pages such as the Home page and Resource Center (if available).
The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depend on the service-level roles assigned to their account.
To grant everyone access to a specific service, the users need to have the Everyone group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the Everyone group to a role in Automation Hub.
The available services that currently incorporate this mapping into roles and grant minimal rights within them are:
- Studio Web
- Apps
- Test Cloud
[Preview] Insights dashboard viewer role
The Insights Dashboard Viewer role is a built-in role that grants access to organization-level dashboards in Insights and is assigned by the organization administrator.
Before assigning the Insights Dashboard Viewer role, you must ensure that users have access to the Insights service within any tenant of the organization.
To assign the Insights Dashboard Viewer role, take the following steps:
- Ensure that the user has access to Insights on any of their given tenants within the organization.
- Navigate to Admin, then select Manage access at organization level.
- On the Role assignments tab, select Assign role.
- In the Names field, search for the user you want to assign a role to.
- In the Roles field, check the Insights Dashboard Viewer box.
- Select the Assign button to assign the role.
About tenant-level roles
Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant.
Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant.
Currently, Tenant Administrator is the only built-in role available at the tenant level.
Tenant Administrator role
The Tenant Administrator role allows you to effectively delegate responsibilities. The role grants access to manage all resources in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.
The Tenant Administrator role can be assigned to multiple accounts.
Known limitations
Tenant-level roles are currently affected by the following known limitations:
- Only the following services support the Tenant Administrator role:
  - Orchestrator (includes Actions, Processes, Integration Service)
  - Data Service
  - Document Understanding
  - Task Mining
  - Test Manager.
- The Tenant Administrator cannot access organization-level menus from the interface.
- On the Admin > Tenants > Services screen, the Tenant Administrator can view enabled services, but cannot add or remove services.
- On the Admin > Tenants > Manage access screen, the Tenant Administrator can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.
Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Service. The permissions for each service are managed within the service itself, not from the organization Admin page.
To grant permissions for a service to accounts, you can perform the following actions:
- In the selected service, assign service-level roles to a group to grant those roles to all member accounts.
- Add accounts to a group that already has the required service-level roles by navigating to Admin, then select Accounts and Groups.
- In the selected service, assign roles to an account.
For the following services, you can create and manage some service-level roles that are external to the service, at platform level:
- Apps
- AutomationOps
- Document Understanding
- IXP
The folder or project is a scope you manage at service level.
Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows.
Depending on the service you use, you can assign folder- or project-level roles, as follows:
- Folder roles:
  - Orchestrator
- Project roles:
  - Document Understanding
  - IXP
  - Test Manager
  - Task Mining
Custom service roles
Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.
To create custom roles at service level, navigate to Manage access at service level, where you can define roles, and select your preferred scope and permissions.
Currently, you can create custom service roles for the following services:
- Apps
- Document Understanding
- IXP
Custom cross-service roles
Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide.
To create custom roles at tenant level, navigate to Manage access at tenant level, where you can define roles, and select your preferred scope and permissions.
You can manage and assign service-level roles from within each service as long as you have the appropriate permissions in the service.
For example, users with the Administrator role in Orchestrator can create and edit roles, and assign roles to existing accounts.
The Manage access user interface (UI) keeps a consistent appearance across all scopes.
The following table illustrates what the Manage access UI looks like for each scope:
[Table: Manage access UI screenshots for the Organization, Tenant, Service, and Project scopes]
As an organization administrator, you can navigate to Manage access at organization level to assign tenant-level roles.
To view the role definition and the permissions granted, take the following steps:
- Navigate to Manage access.
- In the Roles tab, select the View button next to the role.
You can assign an organization-level role to a user, group, robot account, or external application. To assign a role, take the following steps:
- Navigate to Manage access.
- In the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
- Select Assign.
Tenant-level roles can be assigned at tenant level and can grant permissions up to the service level.
Organization Administrators or other Tenant Administrators can view the Manage access screen.
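To view the role definition and the permissions granted, take the following steps:
- Navigate to Manage access.
- In the Roles tab, select the View button next to the role.
To assign a role, take the following steps:
- Navigate to Manage access.
- In the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
- Select Assign.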
Tenant Administrator role visibility at service level
The Tenant Administrator role assignment is visible both at tenant and individual service level. At the service level, the Tenant Administrator role has the following properties:
- It is shown with a platform role label.
- It is immutable, implying that you cannot remove the assignment at the service level.
- In some services, such as Orchestrator, there is a link next to the role that redirects you to the Manage access page at platform level, where you can change the tenant-level role assignments.
You can manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added.
For information and instructions, refer to the applicable documentation and centralized access management availability per service, as described in the following table:
- Available
- Not available
- Planned
N/A - Not Applicable
| Service | Details |
|---|---|
| | Managed from Orchestrator. |
| | Managed from Orchestrator. |
| | Managed from Orchestrator. |
| | Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, refer to Role description and matrix. |
| | Managed from AutomationOps. For more information, refer to AutomationOps user roles. |
| | Managed from Orchestrator. For information about the roles required to use AI Center, refer to AI Center access control. |
| | Managed from Orchestrator. For more information, refer to Orchestrator permissions. |
| | Managed from Data Service. |
| | Managed from Document Understanding. For more information about which roles are required and instructions for assigning them, refer to Role-based access control. |
| | Managed from Insights. For more information, refer to Granting permissions. |
| | Managed from IXP. For more information, refer to Roles and their underlying permissions. |
| | Managed from Process Mining. For more information, refer to User management in Process Mining. |
| | Managed from Studio Web. For more information, refer to Managing access to Studio Web. |
| | Managed using Automation Cloud™ organization-level roles. For information about the rights that organization-level roles grant in Task Mining, refer to Managing access and roles in the Task Mining documentation. |
| | Managed from Test Cloud. For more information, refer to Managing access. |
| | Managed from Test Manager. For information and instructions, refer to User and group access management. |
Assigning roles to an account
If you want to control the access a certain account has in a service at a more granular level, but you do not want to add new roles to an entire group, you can explicitly add the account to the service and assign one or more service-level roles to it directly.
For information about the available roles and instructions, refer to the documentation for the target service, as previously described.
Depending on the service you use, you can assign:
- Folder roles from Orchestrator.
- Project roles from:
  - Document Understanding
  - IXP
  - Test Manager
  - Task Mining
For more information, refer to the table in Assigning and managing service-level roles.