UiPath Documentation
Automation Suite 2.2510

Automation Suite admin guide

Last updated May 22, 2026

Roles

Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles either to groups, so that all member accounts inherit them, or to individual accounts.

Accounts and groups typically have an organization-level role and one or more service-level roles.

Types of roles

The following types of roles can include several permissions at either organization level, or at service level:

  • The built-in role is a predefined role that has specific permissions set by the platform. These roles can be used to grant users or groups the necessary permissions to perform certain operations.
  • The custom role is a role that an organization administrator creates to meet the specific needs of their organization. This is particularly useful when none of the available built-in roles perfectly matches the access a user or group should have.

Scopes and categories

A scope is a specific level in the organizational hierarchy that serves as a boundary for certain actions, permissions, and objects. A scope can be an organization, a tenant, a service, or a folder, each with its own set of role assignments.

Note:

The Manage access menu is available within all possible scopes, descending from the organization level down to the project level.

A category is a parameter for a custom role that you define for each scope, determining whether you apply the role within the same scope, or within a lower-level scope.

Types of roles based on scopes and permissions

A role is defined by multiple permissions. Permissions can be specific to a certain scope.

Note:

The organization administrator role is a special role that grants access to all scopes: organization, tenant, service, and folder.

The following types of roles are based on scopes and permissions:

  • The organization level role is a type of role you create at organization scope. This role type consists of permissions that apply exclusively within the organization scope.
  • The global tenant role is a type of role you create at organization scope. You can apply this role type to all tenants within the organization.
  • The cross-service role is a type of role you create at tenant scope. This role type contains permissions from multiple services simultaneously.
  • The service role is a type of role you create at service scope. This role type contains permissions from certain services.
  • The project or folder role is a type of role you create at service scope that you exclusively assign at project or folder scope.

The following table classifies scopes, role types based on scopes and permissions, and examples of roles:

| Scope | Types of roles based on scopes and permissions | Examples of roles |
| --- | --- | --- |
| Organization | Organization level roles | Insights Dashboard Viewer; Organization Administrator |
| Organization | Global tenant roles | Note: A global tenant role can be created using the custom role functionality. |
| Tenant | Cross-service roles | Tenant Administrator |
| Service | Service roles | Orchestrator Administrator |
| Service | Folder or project roles | Folder Administrator |

Groups and roles

In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants them the Organization Administrator role for the organization and the Administrator role within your services. This user can manage both organization-level roles, from Admin > Accounts and Groups, and service-level roles.

| Group membership | Organization-level role | Service-level roles for Orchestrator |
| --- | --- | --- |
| Administrators | Organization Administrator | Administrator |
| Automation Users | User | Automation User at folder level ¹; Allow to be Automation User at tenant level |
| Automation Developers | User | Automation User at folder level ¹; Folder Administrator at folder level ¹; Allow to be Automation User at tenant level; Allow to be Folder Administrator at tenant level |
| Everyone | User | No roles. |
| Automation Express | User | Allow to be Automation User at tenant level |
| [Custom group] | User | No roles by default, but you can add roles to the group as needed. |

¹ The roles are assigned to the Shared modern folder, if it exists.

Note:

For information about roles across UiPath services, refer to Role management.

Organization-level roles

The organization level represents the highest level of scope.

At organization level, the Organization Administrator, User, and Insights Dashboard Viewer roles are available. You cannot change these roles.

Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.

Organization-level roles also include organization-level service permissions for services such as Apps and AutomationOps.

Organization administrator role

This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.

The organization administrator and the Tenant Admin roles are the only roles that allow access to the Admin section.

The first organization administrator for any given organization is appointed when the organization is created.

Note:

The organization administrator role is not an assignable role. To have this role assigned to you, you need to be part of the Administrators group.

To grant this role to others, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.

The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table:

Areas subject to permissions | View | Edit | Create | Delete
Usage charts and graphs
Tenants
Accounts and groups
Security settings
External applications
Licenses
API keys
Resource center (Help)
Audit logs
Organization settings

User role

This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the Everyone group, which grants them the User role.

This role is granted to all accounts that are in the default groups Everyone, Automation Users, or Automation Developers.

This role provides read-only access to pages, such as the Home page and Resource Center (if available).

The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depend on the service-level roles assigned to their account.

Note:

All platform users are part of the Everyone group by default, regardless of whether they are local or directory users.

To grant access to everyone to a specific service, the users need to have the Everyone group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the Everyone group to a role in Automation Hub.

The available services that currently incorporate this mapping into roles and grant minimal rights within them are:

  • Studio Web
  • Apps
  • Test Manager

User management role

The User Management role is a custom organization-level role that lets organization administrators delegate identity management to other users without granting them full organization administrator rights. To create a User Management role, an organization administrator creates a custom role at organization scope and selects identity permissions for users, robot accounts, and local groups. You can include any combination of Read, Create, Update, and Delete for each resource, depending on the operations you want to allow. For the list of available identity permissions, see Custom roles > Platform-related permissions.

Warning:

Creating and assigning a custom role with identity permissions lets the assigned user add others to groups. This is an operation that typically requires elevation of administrative privileges. A confirmation prompt appears both when you create the role and when you assign it.

A user assigned this role gains access to the Admin section and can navigate to Accounts & Groups. Regardless of which permissions are included, the following restrictions apply:

  • Organization administrator accounts are not editable.
  • Users and robot accounts cannot be added to the Administrators group.
  • The Administrators group cannot be modified or deleted.

To create and assign the User management role, follow these prerequisites and steps:

Prerequisites
  • You have the Organization Administrator role.
  • The user you want to assign the role to already exists in the organization.
Creating the role
  1. Navigate to Admin at the organization level.
  2. Select Manage access.
  3. In the Roles tab, select Create role.
  4. Enter a name for the role.
  5. Set the scope to Organization.
  6. Under Identity, select the permissions you want to include for Users, Robot accounts, and Groups. You can select any combination of Read, Create, Update, and Delete for each resource. Read must be included for other permissions on the same resource to take effect.
  7. Select Create.

A warning appears indicating that the selected permissions let accounts perform operations that typically require elevation of administrative privileges. Select Continue to confirm.

Assigning the role
  1. In Manage access, select the Role assignments tab.
  2. Select Assign role.
  3. In the Names field, search for the user or user group you want to assign the role to.
  4. In the Roles field, select the role you created.
  5. Select Assign.
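
A review check for custom identity roles like the User Management role above, as an added example that is not UiPath code. The dictionary layout of roles and assignments is an assumed, constructed format (not a UiPath export or API schema); the resource and action names are the ones this page lists. It applies the rule that Read must be included for other permissions to take effect, and lists who holds a role that delegates identity management.

```python
# Added example: the dict layout below is an assumed, constructed format,
# not a UiPath export or API schema. Resource and action names are the page's.
IDENTITY_RESOURCES = ("Identity/User", "Identity/Robot Account", "Identity/Group")
WRITE_ACTIONS = {"Create", "Update", "Delete"}


def effective_identity_writes(role):
    """Map each identity resource to the write actions that actually take effect."""
    effective = {}
    for resource in IDENTITY_RESOURCES:
        actions = set(role["permissions"].get(resource, ()))
        # Per the page, Read must be present for the other actions to work.
        if "Read" in actions and actions & WRITE_ACTIONS:
            effective[resource] = sorted(actions & WRITE_ACTIONS)
    return effective


def review_role(role):
    """Return (severity, message) findings for one custom role definition."""
    findings = []
    for resource in IDENTITY_RESOURCES:
        actions = set(role["permissions"].get(resource, ()))
        if actions and "Read" not in actions:
            findings.append(("ineffective",
                             f"{resource}: {sorted(actions)} selected without Read"))
    for resource, actions in effective_identity_writes(role).items():
        findings.append(("elevated",
                         f"{resource}: {actions} delegates identity management"))
    return findings


def elevated_assignees(roles, assignments):
    """Names (users or groups) assigned a role with effective identity writes."""
    elevated = {r["name"] for r in roles if effective_identity_writes(r)}
    return sorted({a["name"] for a in assignments if a["role"] in elevated})


# Constructed sample data for illustration only.
ROLES = [
    {"name": "Helpdesk Identity", "scope": "Organization",
     "permissions": {"Identity/User": ["Read", "Update"],
                     "Identity/Group": ["Update"]}},  # Update without Read
    {"name": "Identity Auditor", "scope": "Organization",
     "permissions": {"Identity/User": ["Read"], "Identity/Group": ["Read"]}},
]
ASSIGNMENTS = [
    {"name": "helpdesk-team", "role": "Helpdesk Identity"},
    {"name": "alice@example.com", "role": "Identity Auditor"},
]

if __name__ == "__main__":
    for role in ROLES:
        for severity, message in review_role(role):
            print(f"{role['name']}: [{severity}] {message}")
    print("Review assignees:", elevated_assignees(ROLES, ASSIGNMENTS))
```
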

Tenant-level roles

Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant.

Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant.

Currently, Tenant Administrator is the only built-in role available at the tenant level.

Tenant Administrator role

The Tenant Administrator role allows you to effectively delegate responsibilities. The role grants access to manage all resources¹ in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.

The Tenant Administrator role can be assigned to multiple accounts.

¹ The following services support the Tenant Administrator role:

  • Orchestrator (includes Actions, Processes, Integration Service)
  • Data Service
  • Document Understanding
  • Test Manager
Tenant Administrator role permissions

The following table describes the Tenant Administrator role permissions:

| Service | Resources | Permission columns | Description |
| --- | --- | --- | --- |
| Centralized Access | Administration page, Role, Role assignments | View, Create, Delete, Read, Update | Grants permissions to centralized access, roles and role assignments. |
| Data Fabric | Permission | View, Create, Delete, Read, Update, Edit, Manage | Grants administrator permissions and is equivalent to the Data Fabric Administrator role. |
| Document Understanding | Classifier, Data Set Export, Documents, Document Type, Extractor, Monitor Processed Documents, Monitor Processed Documents Detail, Monitor Project Performance, Project, Project Version, Project Version Label, Tenant Settings | Create, Delete, Read, Update | Grants administrator permissions and is equivalent to the Document Understanding Administrator role. |
| Licensing | Quota | View, Create, Delete, Read, Update, Edit, Manage | Grants permissions to manage quotas. |
| Orchestrator | Action Design, Alerts, App Versions, Audit, Background Tasks, Libraries, License, Machines, Packages, Robots, Roles, Settings, Solution Deployments, Solution Packages, Tags, Units, Users, Webhooks | View, Create, Delete, Edit | Grants administrator permissions and is equivalent to the Orchestrator Administrator role. |
| Test Manager | Performance Scenarios, Project, Project Settings, Prompt, Requirement, Role, Task Permissions, Test Case, Test Execution, Test Set | View, Create, Delete, Read, Update, Edit, Assign, Toggle, AutomatedExecution, CreateAndUnlinkDefects, ExecutePerformanceTest, ManualExecution, OverrideTestResult, SmartTestGeneration, TestExecutionAssignment | Grants administrator permissions and is equivalent to the Test Manager administrator role. |

To view the available Tenant Administrator role permissions, take the following steps:

  1. Navigate to Admin.

  2. Select Manage access at organization level.

  3. Select the Roles tab.

  4. In the Role Name column, select the Tenant Administrator role. You can now view the Tenant Administrator role permissions in the expanded panel.

Known limitations

The following known limitations affect the tenant-level roles:

  • The rest of the tenant-level services are currently not supported, and users that only hold the Tenant Administrator role cannot access these services.
  • The Tenant Administrator cannot access organization-level menus from the interface.
  • On the Admin > Tenants > Services screen, the Tenant Administrator can view enabled services, but cannot add or remove services.
  • On the Admin > Tenants > Manage access screen, the Tenant Administrator can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.

Service-level roles

Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Service. The permissions for each service are managed within the service itself, not from the organization Admin page.

To grant permissions for a service to accounts, you can perform the following actions:

  • In the selected service, assign service-level roles to a group to grant those roles to all member accounts.
  • Add accounts to a group that already has the required service-level roles by navigating to Admin and then selecting Accounts and Groups.
  • In the selected service, assign roles to an account.

For the following services, you can create and manage some service-level roles that are external to the service, at platform level:

  • Apps
  • Automation Ops
  • Document Understanding

Folder- or project-level roles

The folder or project is a scope you manage at service level.

Folder- and project-level roles define the set of permissions assigned to users, determining their ability to access, manage, and interact with specific resources and functionalities within automation workflows.

Depending on the service you use, you can assign folder- or project-level roles, as follows:

  • Folder roles:
    • Orchestrator
  • Project roles:
    • Document Understanding
    • Test Manager

Custom roles


Custom service roles

Custom service roles are user-defined permission sets that allow you to tailor access controls to your specific needs, offering more granular control than default roles.

To create custom roles at service level, navigate to Manage access at service level, where you can define roles, and select your preferred scope and permissions.

Currently, you can create custom service roles for the following services:

  • Apps
  • Document Understanding

Custom cross-service roles

Custom cross-service roles are user-defined roles that grant tailored permissions across multiple UiPath services, allowing you to enforce consistent, fine-grained access control platform-wide.

To create custom roles at tenant level, navigate to Manage access at tenant level, where you can define roles, and select your preferred scope and permissions.

When creating custom roles, in addition to service-specific permissions, you can assign permissions related to platform-level functionality, such as Authorization or Licensing.

Platform-related permissions are available for custom roles created at both the organization and tenant levels.

The following sections list the available platform permissions.

Organization-level platform permissions
Standard permissions
  • Authorization/Action: Allows users to view the available authorization actions (permissions) when creating or viewing a custom role.
  • Authorization/Role: Allows users to view, create, edit, or delete custom roles on the Roles tab in Manage access.
  • Authorization/Role assignment: Allows users to view, create, update, or delete role assignments on the Role assignments tab in Manage access.
  • Identity/Group: Allows users to view, create, rename, delete, and manage membership of local groups at the organization level. Read, Create, Update, and Delete permissions are configurable independently.
  • Identity/Robot Account: Allows users to view, create, edit, and delete robot accounts at the organization level. Read, Create, Update, and Delete permissions are configurable independently.
  • Identity/User: Allows users to view, invite, edit, and remove user accounts at the organization level. Read, Create, Update, and Delete permissions are configurable independently.
Additional permissions
  • Authorization/Roles assignment: Allows users to export role assignment data from the user interface.
Tenant-level platform permissions
Standard permissions
  • Authorization/Action: Allows users to view the available authorization actions (permissions) when creating or viewing a custom role.
  • Authorization/Role: Allows users to view, create, edit, or delete custom roles on the Roles tab in Manage access.
  • Centralized access: Allows users to access both Roles and Role assignments tabs within a tenant.
  • Authorization/Role assignment: Allows users to view, create, update, or delete role assignments on the Role assignments tab in Manage access.
Additional permissions
  • Authorization/Roles assignment: Allows users to export role assignment data from the user interface at the tenant level.
  • Licensing - Manage quotas for a tenant in Licensing: Allows users to view and manage tenant licensing quotas, such as license allocation limits and usage.
