ixp
latest
false
- Introduction
- Access control and administration
- Licensing
- Frequently asked questions
IXP overview guide
Last updated Mar 11, 2026
Managing access
This section addresses to Automation Cloud users and contains information on how to manage access in the IXP service.
Roles and their underlying permissions
This section contains an overview of the different roles and the underlying permissions they grant in the UiPath® IXP service.
In the Manage Access tab from the Administration page, you can assign roles to specific users. Each role comes with a predefined set of permissions, so you cannot assign individual permissions. Instead, you must assign the main role, which includes all associated permissions.
Note:
All users can view other users in projects and tenants, but only administrators can modify users.
The following table contains a list of all roles and permissions, as well as a description of each role:
| Role | Scope | Permissions | Role description |
|---|---|---|---|
| IXP Service Admin | Tenant | Audit Log - Read Tenant - Manage | Grants full rights to the IXP service. |
| IXP Audit Log Viewer | Tenant | Audit Log - Read | You can view audit logs for the tenant through the Audit API. |
| IXP Project Admin | Project | Alert - Write Appliance Configuration - Write Bucket - Append Bucket - Write Comment - Manage Dataset - Export Dataset - Manage Integration - Write Source - Manage Stream - Consume Stream - Manage | You can manage everything within a project such as users, integrations, sources, datasets, models, streams, and alerts. You cannot create or delete projects. |
| IXP Analyst | Project | Alert - Write Dashboard - Write Dataset - Read Integration - Read Source - Read Stream - Read | You can view everything within a project and can create, update, and delete dashboards and alerts. You cannot import, export, or review and label data. Also, you cannot modify or consume streams or set up integrations. |
| IXP Automation User | Project | Comment - Manage Dataset - Read Project - Execute Source - Read Stream - Consume Stream - Read | You can upload data and consume predictions from Communications Mining datasets in this project. This role also allows Agents to consume runtime predictions from Unstructured and Complex Documents projects. |
| IXP Developer | Project | Alert - Read Appliance Configuration - Write Bucket - Append Bucket - Read Comment - Manage Dataset - Export Integration - Write Model - Manage Source - Manage Stream - Consume Stream - Manage | You can view everything within a project, upload or export data, configure integrations, pin model versions, manage streams, and consume predictions from them. You cannot review and label data. Also, you cannot create, update, or delete datasets or alerts. |
| IXP Model Trainer | Project | Alert - Read Dataset - Review Dataset - Write Integration - Read Source - ReadSensitive Stream - Read | You can view everything within a project, review and label data, and pin model versions. You can also create and update datasets, but you cannot delete them. |
| IXP Viewer | Project | Alert - Read Dataset - Read Integration - Read Source - Read Stream - Read | You can view everything within a project. You cannot create, update, or delete anything. |
Note:
Since permissions are granted at the project level, users might need different permissions for different projects.
Permission types
Define the level of access granted to users for specific actions or resources.
| Permission type | Description |
|---|---|
| Service permissions | Allows you to view audit logs and manage projects and users for a tenant. |
| Sources permissions | Refer to the data your company uploaded for analysis. |
| Datasets permissions | Grant access to datasets, that is, a named collections of labels, general fields, and training data. |
| Streams permissions | Grant access to streams, which allow you to take actions on newly ingested data. |
| Buckets permissions | Grant access to buckets, which are containers of raw data items that you can upload. |
| Integration permissions | Grant access to integrations, which allow you to connect other services to the platform. |
| Utility permissions | Include any permissions that do not belong to any of the other categories. |
Note:
Buckets, integration, and utility permissions are typically only granted to programmatic users such as development engineers. In addition, these permissions are not required for the daily use of the platform.
Permissions
Note:
The Modify users, View users, and Upload file permissions are deprecated because they are no longer required as standalone permissions outside of the available roles.
In the Manage Access tab from the Administration page, you can assign roles to specific users. Each role comes with a predefined set of permissions, so you cannot assign individual permissions. Instead, you must assign the main role, which includes all associated permissions.
| Permission type | Permission | Permission description |
|---|---|---|
| Service (only non-project) | Tenant - Manage | Create, modify, and delete projects and users for a tenant. Additionally, all admins on UiPath® Automation Cloud also receive this permission in the IXP platform automatically. |
| Service (only non-project) | Audit Log - Read | View audit logs. |
| Sources | Source - Read | View sources and the messages they contain. This is required to view individual messages on the platform. |
| Sources | Source - ReadSensitive Grants Source - Read | View any user properties marked as sensitive, in addition to others. |
| Sources | Source - Manage Grants Source - ReadSensitive | Create, modify, and delete sources. You must create sources via the API. |
| Sources | Comment - Manage | Create, update, and delete messages in a source via the API. |
| Datasets | Dataset - Read* | View pinned and predicted labels on the datasets of the user. This is required to view individual messages on the platform. |
| Datasets | Dataset - Manage Grants Dataset - Write, Dataset - Read, Dataset - Review | Create, update, and delete datasets. |
| Datasets | Dataset - Write | Create datasets and update their properties, for example, their description, sources and general fields, as well as enabling Quality of Service and Tone analysis. |
| Datasets | Dataset - Review Grants Dataset - Read | Create, edit, and delete labels, and pin them to messages in the dataset of the user. Add pre-trained labels. |
| Datasets | Dataset - Export | Export datasets via the user interface. |
| Datasets | Model - Manage | Pin model versions. |
| Datasets | Dashboard - Write | Create or modify dashboards. |
| Streams | Stream - Read | View streams and their configuration. |
| Streams | Stream - Manage | Create, modify, and delete streams. |
| Streams | Stream - Consume | Fetch and advance the output of a stream. |
| Buckets | Bucket - Read | View information on raw data buckets. |
| Buckets | Bucket Item - Read | Download items from raw data buckets. |
| Buckets | Bucket - Write | Add or remove raw data buckets. |
| Buckets | Bucket - Append | Upload data to buckets. |
| Integrations | Integration - Read | View information on external integrations. |
| Integrations | Integration - Write | Add or remove integrations with external services. |
| Utility | Alert - Read | View alerts, and issues raised by them. |
| Utility | Alert - Write | Create, modify and delete alerts. |
| Utility | Appliance Configuration - Read | Fetch appliance configs. |
| Utility | Appliance Configuration - Write | Upload new or replace existing appliance configs. |
Note:
*To view any data related to a source, dataset, or message in the platform, both Source - Read and Dataset - Read, or their parent roles, are required.
Custom roles
Apart from the default IXP roles, you can also create and manage custom roles. Adapting custom roles to the specific needs and permissions of users, helps you align more closely with the needs of your organization.
Custom roles are available at tenant level, or project level.
Tenant-level roles
The tenant-level roles can grant the following permissions:
Standard permissions:
- Authorization / Action: Read Users can read the actions or permissions when creating a custom role or when viewing a role.
- Authorization / Role: Read, Update, Create, Delete Depending on the selected permission, users can view, update, or delete existing roles, as well as create new custom roles.
- Authorization / Role Assignment: Read, Update, Create, Delete Depending on the selected permission, users can view, update, or delete existing role assignments. In addition, users can assign roles through the Create permission.
- IXP: Audit Log - Read Users can view the IXP audit logs.
Additional permissions:
- Authorization / Role Assignment: Export role assignment data Users can extract and download information about role assignments, including which roles are assigned to which identities, such as users, groups, or service accounts. To export role assignment data, go to Automation Cloud, select Admin, then Accounts and local groups, and then Download role assignments.
- IXP: Can perform service-level administration tasks, manage quotas, and create and delete projects.
Project-level roles
The project-level roles can grant the following permissions:
Standard permissions:
- Authorization / Action: Read Users can read the actions or permissions when creating a custom role or when viewing a role.
- Authorization / Role: Read, Update, Create, Delete Depending on the selected permission, users can view, update, or delete existing roles, as well as create new custom roles.
- Authorization / Role Assignment: Read, Update, Create, Delete Depending on the selected permission, users can view, update, or delete existing role assignments. In addition, users can assign roles through the Create permission.
- IXP:
- Alert - Read, Write
- Appliance Configuration - Read, Write
- Bucket - Read, Write
- Bucket Item - Read
- Dashboard - Write
- Dataset - Read, Write
- Integration - Read, Write
- Source - Read
- Stream - Read, Write
Additional permissions:
- Authorization / Role Assignment: Export role assignment data Users can extract and download information about role assignments, including which roles are assigned to which identities, such as users, groups, or service accounts. To export role assignment data, go to Automation Cloud, select Admin, then Accounts and local groups, and then Download role assignments.
- IXP:
- Upload items to raw data buckets.
- Create, update, and delete messages in a source via the API or the UI, including CSV upload.
- Export datasets via the UI.
- Create and delete datasets. Grants all other dataset permissions except dataset export.
- Create, edit, and delete labels, and pin them to messages in the user's datasets.
- Pin and unpin trained models and update their tags.
- Create, modify, and delete sources.
- View any user properties which have been marked as sensitive, in addition to others.
- Fetch and advance the output of a stream.
- Create, modify, and delete streams.
Creating a custom role
To create a custom role, proceed as follows:
- Go to the Administration page, and select Manage Access.
- Select Service, and then the Roles tab.
- Select Create role, and fill in the following fields:
- Role name - Give your role a descriptive name.
- Description - Optionally, provide a description.
- Category - Choose between:
- Tenant - You can assign this role at tenant-level, and consists of tenant-level permissions.
- Project - You can assign this role to existing or new projects and consists of project-level permissions.
- Select Next to proceed to the permissions page.
- In the Standard permissions and Additional permissions tabs, select the permissions to assign to the custom role.
- Select Create.
Viewing a custom role
To view a custom role, proceed as follows:
- Navigate to the Administration page, and select Manage Access.
- Select Service, or a project folder, and then the Roles tab.
- Select the ellipsis for the custom role you want to view.
- Select View.
Editing a custom role
To edit a custom role, proceed as follows:
- Go to the Administration page, and select Manage Access.
- Select Service, or a project folder, and then the Roles tab.
- Select the ellipsis for the custom role you want to edit.
- Select Edit to modify the description and permissions of the custom role.
- After making the changes, select Update.
Duplicating a custom role
To duplicate a custom role, proceed as follows:
- Navigate to the Administration page, and select Manage Access.
- Select Service, or a project folder, and then the Roles tab.
- Select the ellipsis for the custom role you want to duplicate.
- Select Duplicate & customize, to create a copy of the role and modify its description and permissions.
- After making the changes, select Create.
Removing a custom role
To remove a custom role, proceed as follows:
- Go to the Administration page, and select Manage Access.
- Select Service, or a project folder, and then the Roles tab.
- Select the ellipsis for the custom role you want to edit.
- Select Delete.
Note:
Deleting a custom role also removes all associated role assignments.