automation-cloud-public-sector

latest

false

Automation Cloud Public Sector admin guide

Last updated Jul 17, 2025

Roles

Roles are a collection of permissions and represent a more granular layer for managing user access, following the broader option of maintaining access through groups. You can add roles to either groups so that all member accounts inherit them, or to individual accounts.

Roles can include several permissions at either the organization level, or at the service level, so there are:

organization-level roles: these roles control the permissions that accounts have on organization-wide options. They are available in the Automation Cloud^TM Public Sector portal by default and you cannot change them, nor can you add new ones.
service-level roles: these roles control the access rights and actions that accounts can perform in each UiPath® service you own. They are managed from within each service and can include default roles which you cannot change, as well as custom roles that you create and manage in the service.

Accounts and groups typically have an organization-level role and one or more service-level roles.

Groups and roles

In the following table you can view the roles that are assigned to accounts when they are added to a group. For example, adding an account to the Administrators default group grants them the Organization Administrator role for the organization and the Administrator role within your services. This user can manage both organization-level roles from Admin, then select Accounts and Groups, as well as service-level roles.

Group membership	Organization-level role	Service-level roles for Orchestrator
Administrators	Organization Administrator	Administrator
Automation Users	User	Automation User at folder level ¹ Allow to be Automation User at tenant level
Automation Developers	User	Automation User at folder level ¹ Folder Administrator at folder level ¹ Allow to be Automation User at tenant level Allow to be Folder Administrator at tenant level
Everyone	User	No roles.
Automation Express	User	Allow to be Automation User at tenant level
[Custom group]	User	No roles by default, but you can add roles to the group as needed.

¹ The roles are assigned to the Shared modern folder, if it exists.

Note: For information about roles across UiPath services, refer to Role management.

Organization-level roles

The organization level represents the highest level of scope.

At organization level, the Organization Administrator, User, and Insights Dashboard Viewer roles are available. You cannot change these roles or add new roles at the organization level.

Organization administrators have permission to modify organization-level settings, such as security, Single Sign-On (SSO), and licensing settings. Therefore, the number of organization-level roles is limited. Additionally, organization administrators can grant organization-level permissions, as well as cascade down to tenant-, service-, and folder-level permissions.

Organization-level roles also include organization-level service permissions for services such as Apps and AutomationOps.

Organization administrator role

This role grants access to every organization- and service-level feature within the organization. An account with this role can perform all administrative actions for the organization, such as creating or updating tenants, managing accounts, viewing organization audit logs, and so on. There can be multiple accounts with this role.

The organization administrator and the Tenant Admin roles are the only roles that allow access to the Admin section.

The first organization administrator for any given organization is appointed when the organization is created.

Note: The organization administrator role is not an assignable role. To have this role assigned to you, you need to be part of the Administrators group.

To grant this role to others, the organization administrator can add user accounts to the Administrators group, which is one of the default groups.

The organization administrator role includes the following organization-level permissions, which cannot be changed, as described in the following table:

Areas subject to permissions	View	Edit	Create	Delete
Usage charts and graphs
Tenants
Accounts and groups
Security settings
External applications
Licenses
API keys
Resource center (Help)
Audit logs
Organization settings

User role

This is the basic level of access within the UiPath ecosystem. Local user accounts automatically become members of the Everyone group, which grants them the User role.

This role is granted to all accounts that are in the default groups Everyone, Automation Users, or Automation Developers.

This role provides read-only access to pages, such as the Home page, Resource Center (if available).

The users can view and access the provisioned services for their current tenant. However, the content they can view and the actions they can perform within each service depends on the service-level roles assigned to their account.

Note: All platform users are part of the Everyone group by default, regardless if they are local or directory users.

To grant access to everyone to a specific service, the users need to have the Everyone group mapped at service level. For example, if you want to grant all users access to view ideas in Automation Hub, you can assign the Everyone group to a role in Automation Hub.

The available services that currently incorporate this mapping into roles and grant minimal rights within them are:

Studio Web
Apps
Test Cloud

Tenant-level roles

About tenant-level roles

Tenant-level roles control the access rights of accounts within the tenant settings and configuration area. They also define the permitted actions within each of the UiPath services in a given tenant.

Most of the tenant-level roles in the platform are cross-service roles as they grant permissions across multiple services within a particular tenant.

Currently, Tenant Administrator is the only role available at the tenant level.

Tenant Administrator role

The Tenant Administrator role allows you to effectively delegate responsibilities. The role grants access to manage all resources in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.

The Tenant Administrator role can be assigned to multiple accounts.

Known limitations

Tenant-level roles are currently affected by the following known limitations:

Only the following services support the Tenant Administrator role: Orchestrator (includes Actions, Processes, Integration Service), Data Service, Document Understanding, Task Mining, Test Manager. The rest of the tenant-level services are currently not supported, and users with only the Tenant Administrator role cannot access these services.
The Tenant Administrator cannot access organization-level menus from the interface.
On the Admin > Tenants > Services screen, the Tenant Administrator can view enabled services, but cannot add or remove services.
On the Admin > Tenants > Manage access screen, the Tenant Administrator can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.

Tenant Administrator role

The Tenant Administrator role allows you to effectively delegate responsibilities. The role grants access to manage all resources¹ in the tenant, allowing operations such as role assignment, licensing management, and service provisioning.

The Tenant Administrator role can be assigned to multiple accounts.

¹The following services support the Tenant Administrator role:

Orchestrator (includes Actions, Processes, Integration Service)
Data Fabric
Document Understanding
Task Mining
Test Manager

Tenant Administrator role permissions

The following tables describe the Tenant Administrator role permissions:

Resource		Permissions					Description
Resource		View	Create	Delete	Read	Update	Description
Centralized Access	Administration page						Grants permissions to centralized access, roles and role assignments.
	Role
	Role assignments

Resource		Permissions							Description
Resource		View	Create	Delete	Read	Update	Edit	Manage	Description
Data Fabric	Permission								Grants administrator permissions and is equivalent to the Data Fabric Administrator role.

Resource		Permissions				Description
Resource		Create	Delete	Read	Update	Description
Document Understanding	Classifier					Grants administrator permissions and is equivalent to the Document Understanding Administrator role.
	Data Set Export
	Documents
	Document Type
	Extractor
	Monitor Processed Documents
	Monitor Processed Documents Detail
	Monitor Project Performance
	Project
	Project Version
	Project Version Label
	Tenant Settings

Resource		Permissions							Description
Resource		View	Create	Delete	Read	Update	Edit	Manage	Description
Licensing	Quota								Grants permissions to manage quotas.

Resource		Permissions				Description
Resource		View	Create	Delete	Edit	Description
Orchestrator	Action Design					Grants administrator permissions and is equivalent to the Orchestrator Administrator role.
	Alerts
	App Versions
	Audit
	Background Tasks
	Libraries
	License
	Machines
	Packages
	Robots
	Roles
	Settings
	Solution Deployments
	Solution Packages
	Tags
	Units
	Users
	Webhooks

Resource		Permissions				Description
Resource		View	Assign	Remove	Edit	Description
Task Mining	Manage Access					Grants administrator permissions and is equivalent to the Task Mining Administrator role.
Task Mining	Role

Resource		Permissions															Description
Resource		View	Create	Delete	Read	Update	Edit	Assign	Toggle	AutomatedExecution	CreateAndUnlinkDefects	ExecutePerformanceTest	ManualExecution	OverrideTestResult	SmartTestGeneration	TestExecutionAssignment	Description
Test Manager	Performance Scenarios																Grants administrator permissions and is equivalent to the Test Manager administrator role.
	Process Heat Map
	Process Heat Map Settings
	Project
	Project Settings
	Prompt
	Requirement
	Role
	Task Permissions
	Test Case
	Test Execution
	Test Set

To view the available Tenant Administrator role permissions, take the following steps:

Navigate to Admin.
Select Manage access at organization level.
Select the Roles tab.
In the Role Name column, select the Tenant Administrator role.

You can now view the Tenant Administrator role permissions in the expanded panel.

Known limitations

The following known limitations affect the tenant-level roles:

The rest of the tenant-level services are currently not supported, and users that only hold the Tenant Administrator role cannot access these services.
The Tenant Administrator cannot access organization-level menus from the interface.
On the Admin > Tenants > Services screen, the Tenant Administrator can view enabled services, but cannot add or remove services.
On the Admin > Tenants > Manage access screen, the Tenant Administrator can view tenants they do not administer. However, if they access these tenants, they cannot perform any actions.

Service-level roles

Service-level roles control access rights and permitted actions within each of your UiPath services, such as the Orchestrator service, or Data Service. The permissions for each service are managed within the service itself, not from the organization Admin page.

To grant permissions for a service to accounts, you can perform the following actions:

In the selected service, assign service-level roles to a group to grant those roles to all member accounts.
Add accounts to a group that already has the required service-level roles by navigating to Admin, then select Accounts and Groups.
In the selected service, .

For the following services, you can create and manage some services-level roles that are external to the service, at platform level: