Automation Cloud admin guide

Last updated Oct 3, 2025

Role assignments

You can manage and assign service-level roles from within each service as long as you have the appropriate permissions in the service.

For example, users with the Administrator role in Orchestrator can create and edit roles, and assign roles to existing accounts.

Manage access user interface based on scope

The Manage access user interface (UI) keeps a consistent appearance across all scopes.

The following table illustrates how the Manage access UI looks like for each scope:

Scope	Manage access UI
Organization
Tenant
Service
Project

Assigning organization-level roles

As an organization administrators, you can navigate to Manage access at organization level to assign tenant-level roles.

To view the role definition and the permissions granted, take the following steps:

Navigate to Manage access.
In the Roles tab, select the View button next to the role.

You can assign an organization-level role to a user, group, robot account, or external application. To assign a role, take the following steps:

Navigate to Manage access, then
in the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
Select Assign.

Assigning tenant-level roles

Tenant-level roles can be assigned at tenant level and can have granted permissions up to the service level.

Organization Administrators or other Tenant Administrators can view the Manage access screen.

Note: While Organization Administrators can access manage the access in any tenant, Tenant Administrators can manage access only in the tenant they manage.

To view the tenant-level role definition and the permissions granted at tenant and individual service level, take the following steps:

Navigate to Manage access.
In the Roles tab, select the View button next to the role.

You can assign a tenant-level role to a user, group, robot account, or external application. To assign the role, take the following steps:

Navigate to Manage access.
In the Role assignments tab, search for the account you want to assign the role to and choose the appropriate role.
Select Assign.

Tenant Administrator role visibility at service level

The Tenant Administrator role assignment is visible both at tenant and individual service level. At the service level, the Tenant Administrator role has the following properties:

It is shown with a platform role label.
It is immutable, implying that you cannot remove the assignment at the service level.
In some services, such as Orchestrator, there is a link next to the role that redirects you to the Manage access page at platform level, where you can change the tenant-level role assignments.

Assigning and managing service-level roles

You can manage and assign service-level roles from within the services. You can assign roles to groups (recommended), or to accounts that have already been added.

For information and instructions, refer to the applicable documentation, as described in the following table:

Service	Details
Orchestrator Action Center Processes Context Grounding Solutions Integration Service Maestro	Managed from Orchestrator. Learn more about roles.
Actions	Managed from Orchestrator. For the list of permissions required, refer to Roles and permissions. For instructions on assigning roles, refer to Assigning roles.
Processes	Managed from Orchestrator. For the list of permissions required, refer to Roles and permissions in the Action Center documentation. For instructions on assigning roles, refer to Assigning roles.
Automation Hub Automation Store	Managed from Automation Hub. For more information about which roles are required and instructions for assigning them, refer to Role description and matrix.
AutomationOps	Managed from AutomationOps. For more information, refer to AutomationOps user roles.
AI Center	Managed from Orchestrator. For information about the roles required to use AI Center, refer to AI Center access control.
Apps	Managed from Orchestrator. For more information, refer to Orchestrator permissions.
Data Fabric	Managed from Data Fabric. For more information and instructions, refer to User management. For instructions on assigning roles, refer to Managing access.
Document Understanding™	Managed from Document Understanding. For more information about which roles are required and instructions for assigning them, refer to Role-based access control.
Insights	Managed from Insights. For more information, refer to Granting permissions.
IXP Communications Mining	Managed from IXP. For more information, refer to Roles and their underlying permissions.
Process Mining	Managed from Process Mining. For more information, refer to User management in Process Mining.
Studio Web Agents	Managed from Studio Web. For more information, refer to Managing access to Studio Web.
Task Mining	Managed using Automation Cloud^TM organization-level roles. For information about the rights that organization-level roles grant in Task Mining, refer to Managing access and roles in the Task Mining documentation.
Test Cloud	Managed from Test Cloud. For more information, refer to Managing access.
Test Manager	Managed from Test Manager. For information and instructions, refer to User and group access management.

Assigning roles to an account

If you want to control the access a certain account has in a service at a more granular level, but you do not want to add new roles to an entire group, you can explicitly add the account to the service and assign one or more service-level roles to it directly.

For information about the available roles and instructions, refer to the documentation for the target service, as previously described.