UiPath Documentation
orchestrator
2022.4
OUT OF SUPPORT

Orchestrator user guide

Last updated Dec 16, 2025

CyberArk® Integration

Before you can begin to use CyberArk® credential stores in Orchestrator, you must first set up the corresponding application and safe settings in the CyberArk® PVWA (Password Vault Web Access) interface.

Prerequisites

  • The CyberArk® plugin is set in your Orchestrator UiPath.Orchestrator.dll.config file as described here.
  • CyberArk® Enterprise Password Vault must be installed on a machine that can communicate directly with the one where Orchestrator is installed.
  • CyberArk® AAM (Application Access Manager) must be installed on the same machine as Orchestrator. For multi-node Orchestrator configurations, an AAM instance must be installed on each Orchestrator node.

    Note: If you upgrade an Orchestrator instance that has an existing CyberArk® configuration in the UiPath.Orchestrator.dll.config file, a credential store named CyberArk Robot Credentials is automatically created with those settings in all tenants and set as the default store for robots. Your existing robots are migrated to this new credential store.

For more information about installing and configuring CyberArk® applications, please visit their official page.

Configuring the Integration

Creating an Orchestrator Application

  1. In CyberArk®’s PVWA, log in as a user who has permission to manage applications (this requires the Manage Users authorization).
  2. In the Applications tab, click Add Application. The Add Application page is displayed.
    Figure 1. Add Application page

  3. Specify the following information:
    • Name field - a custom name for the application, such as Orchestrator.
    • Description - a short description that states the purpose of the new application.
    • Business owner section - optionally, add information about the application's Business owner.
    • Location - the path of the application within the Vault hierarchy. If a Location is not specified, the application is added in the same location as the user who is creating this application.
  4. Click Add. The application is added, and its details are displayed on the Application Details page.
  5. In the Authentication tab, select the Allow extended authentication restrictions checkbox.

    Supported authentication methods:

  6. Configure the authentication method. For example, in the Allowed Machines tab, click Add. The Add allowed machine window is displayed. Here you should add information about the machine or machines on which Orchestrator is installed.
  7. In the Address field, specify the address of a machine using the IP/hostname/DNS format.
  8. Click Add. The IP address is listed in the Allowed machines tab. This information enables the Credential Provider to ensure that only applications that run on the specified machines can access their passwords.
  9. Perform steps 6 - 8 as many times as needed to ensure that the servers allowed include all mid-tier servers or all endpoints where the AAM Credential Providers were installed. This might be the case if you installed Orchestrator on multiple nodes.

Creating an Orchestrator Safe

Safes are required to help you better manage your accounts. You can also add safe members to ensure proper authorization. CyberArk® recommends adding two safe members: a credential provider (a user with full rights over the credentials, who can add and manage them) and the previously created application. The latter enables Orchestrator to find and retrieve the passwords stored in the safe.

  1. In the Policies tab, under the Access Control (Safe) section, click Add Safe. The Add Safe page is displayed.
    Figure 2. Add Safe page

  2. Fill in the Safe Name and Description fields.
  3. Click Save. The Safe Details window is displayed.
    Figure 3. Safe Details page

  4. In the Members section, click Add Member. The Add Safe Member window is displayed.
  5. Search for the previously created application (steps 2-5) so you can add it.
  6. Add a credential provider, and select the following permissions for it:
    • View Safe Members
    • Retrieve accounts
    • List accounts
    • Access Safe without Confirmation - Only if you are using a dual control environment and a v7.2 or lower PIM-PSM.

      If you install multiple credential providers for this integration, it is recommended to create a group for them and add the group to the Safe once with the above authorization.

  7. Click Add. A confirmation message is displayed in the Add Safe Member window.
  8. Add the previously created application as a safe member, with the Retrieve accounts permission.
  9. Click Add. A confirmation message is displayed in the Add Safe Member window.

Your integration is complete, and you can begin provisioning CyberArk® credential stores in Orchestrator. For details on storing Robot credentials, see here.
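
The following is an added example, not code from UiPath or CyberArk®: a small audit that compares a hand-maintained description of the setup against the two procedures above (allowed machines covering every Orchestrator node, and the safe member permissions listed on this page). The dictionary layout, the host names and the provider name Prov_ORCH1 are assumptions made for the example, and it assumes nodes and allowed machines are written in the same address form.

```python
# Added example: the input layout below is hypothetical, not a CyberArk export format.
PROVIDER_REQUIRED = {"View Safe Members", "Retrieve accounts", "List accounts"}
# Only for dual control environments with a v7.2 or lower PIM-PSM.
PROVIDER_OPTIONAL = {"Access Safe without Confirmation"}
APPLICATION_PERMS = {"Retrieve accounts"}


def audit(config):
    """Return sorted findings; an empty list means the setup matches the page."""
    findings = []
    # An AAM instance runs on every Orchestrator node, so each node must be allowed.
    allowed = {m.lower() for m in config["allowed_machines"]}
    nodes = {n.lower() for n in config["orchestrator_nodes"]}
    findings += [f"node {n} is missing from Allowed Machines" for n in nodes - allowed]
    findings += [f"allowed machine {m} is not an Orchestrator node" for m in allowed - nodes]
    if not config.get("extended_auth_restrictions"):
        findings.append("Allow extended authentication restrictions is not selected")

    kinds_seen = set()
    for member in config["safe_members"]:
        name, kind, perms = member["name"], member["kind"], set(member["permissions"])
        kinds_seen.add(kind)
        if kind == "application":
            required, permitted = APPLICATION_PERMS, APPLICATION_PERMS
        elif kind == "provider":
            required, permitted = PROVIDER_REQUIRED, PROVIDER_REQUIRED | PROVIDER_OPTIONAL
        else:
            findings.append(f"{name}: unexpected safe member kind {kind!r}")
            continue
        findings += [f"{name}: missing permission {p!r}" for p in required - perms]
        findings += [f"{name}: extra permission {p!r}" for p in perms - permitted]
    for kind in {"application", "provider"} - kinds_seen:
        findings.append(f"no {kind} is a member of the safe")
    return sorted(findings)


# Constructed sample: two-node deployment with three deliberate mistakes.
SAMPLE = {
    "orchestrator_nodes": ["orch-node-1.example.internal", "orch-node-2.example.internal"],
    "allowed_machines": ["orch-node-1.example.internal"],
    "extended_auth_restrictions": True,
    "safe_members": [
        {"name": "Orchestrator", "kind": "application",
         "permissions": ["Retrieve accounts", "List accounts"]},
        {"name": "Prov_ORCH1", "kind": "provider",
         "permissions": ["Retrieve accounts", "List accounts"]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample the audit reports the second node missing from Allowed Machines, the application holding List accounts in addition to Retrieve accounts, and the credential provider lacking View Safe Members.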
