Orchestrator user guide
The union of privileges access model improves access control across all users. It grants users access levels by combining explicit and group-level access. As a result, each time you add or remove a privilege to or from a group, all users who are part of that group become subject to the updated privilege check.
In the break inheritance model, changes to the set of privileges assigned at the group level are not automatically propagated to the users who are members of that group. Once inheritance is broken, updates made to the group's privileges are not reflected in the user's access unless the user is removed and re-added to the group, or the user is recreated in Orchestrator.
- UI Profile settings (No UI access, Personal Workspace only, Standard Interface)
- Update policy settings
- Enable user to run automations
- Create a personal workspace for this user
Permissions already work in the union of privileges model.
After migrating from the break inheritance model to the union of privileges model, users no longer receive access only from directly assigned roles. Now, users inherit both roles and profile settings from their groups. This shift ensures a more unified and predictable access experience.
- Previously, users received only the roles from their groups.
- Now, they also inherit settings such as interface access level or attended robot permissions.
- If a setting is explicitly configured for a user, it overrides the inherited group setting.
- Several permissions are now displayed as drop-downs instead of checkboxes.
- The Robot Settings section was renamed to Advanced robot settings and repositioned.
- Direct settings are displayed in the left pane, while inherited settings are summarized on the right side in the Summary card.
Once the migration is complete, check the new behavior as follows:
A new Summary card interface is available in the updated access control experience. You can easily check the following settings from this card:
- All effective roles and settings for a user.
- Sources of those privileges (for example, direct or inherited).
- A clear summary of the current configuration.
The Summary card allows an immediate overview of all user permissions and their sources. This helps avoid misconfiguration or redundant role assignments.
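The resolution rules described above (roles combined from direct and group assignments, an explicit user setting overriding the inherited one, each value traced to its source as on the Summary card), as a small Python model. This is an added example, not UiPath code or the Orchestrator API; the class names, role names and setting keys are hypothetical, and the first-group-wins tie-break is an assumption the page does not specify.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)        # directly assigned roles
    settings: dict = field(default_factory=dict)   # explicitly configured settings
    groups: list = field(default_factory=list)

def effective_access(user):
    """Resolve roles and settings at check time, recording where each came from."""
    roles = {role: ["direct"] for role in user.roles}
    settings = {}
    for group in user.groups:
        for role in group.roles:
            roles.setdefault(role, []).append(f"group:{group.name}")
        for key, value in group.settings.items():
            # Assumption: first group listed wins on conflict (undefined on the page).
            settings.setdefault(key, (value, f"group:{group.name}"))
    for key, value in user.settings.items():
        settings[key] = (value, "direct")  # explicit user setting overrides inherited
    return roles, settings

def redundant_direct_roles(user):
    """Direct role assignments that a group already grants (cleanup candidates)."""
    roles, _ = effective_access(user)
    return sorted(r for r, src in roles.items() if "direct" in src and len(src) > 1)

def demo():
    # Constructed sample data; role names and setting keys are hypothetical.
    finance = Group("Finance", {"queue-editor", "asset-viewer"},
                    {"ui_profile": "Standard Interface", "run_automations": True})
    alice = User("alice", {"asset-viewer"}, {"ui_profile": "Personal Workspace only"},
                 [finance])
    before = effective_access(alice)
    finance.roles.discard("queue-editor")   # group change applies on the next check
    finance.settings["run_automations"] = False
    after = effective_access(alice)
    return before, after, redundant_direct_roles(alice)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

Because nothing is copied to the user at join time, the group edit in `demo()` changes the user's effective access on the next evaluation, which is the behavior the union of privileges model describes.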