Skip to main content

Default roles

This page displays the permissions included for each default role in Orchestrator.

You can view and edit the permissions for each role from the Roles page by clicking the More Actions icon on the right end of a row.

If a role cannot be edited, you have the option to duplicate and customize it as a new role instead (not available for mixed roles).

Administrator role

A role that has all tenant- and folder-level permissions.

This is a mixed role and includes both tenant and folder permissions and is no longer available for new tenants. To replicate its permissions, use the following role combination:

  • Orchestrator Administrator at the tenant level.
  • Folder Administrator at the folder level.

With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.

It includes the following permissions, which cannot be changed.

Tenant Permissions

Table 1. Tenant permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Folder Permissions

Table 2. Folder permissions

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Robot role

important

This is a deprecated mixed role and is no longer available for new tenants. To replicate its permissions, use the following role combination:

  • Allow to be Automation User at the tenant level
  • Automation User at the folder level The Robot role can still be used in any existing tenants. For more information on deprecated features and capabilities, check the Deprecation timeline page.

All permissions required to execute processes.

This is a mixed role and includes both tenant and folder permissions. With mixed roles, for a global operation, only the user's tenant permissions are taken into consideration; for a folder-specific operation, if a custom role is defined, folder permissions are applied in favor of any tenant permissions present.

note

As robot accounts can write logs without the explicit assignment of the Create permission on Logs, Orchestrator skips the check on this permission.

By default, the role has the following permissions, which can be changed.

Tenant Permissions

Table 3. Tenant permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Folder Permissions

Table 4. Folder permissions

PermissionViewEditCreateDelete
Apps
Assets
Storage Files
Storage Buckets
Connections
Environments
Execution Media
Folder Packages
Jobs
Logs
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Personal Workspace Administrator Role

This is a folder role and it includes the following permissions by default, which cannot be edited.

Table 5. Folder permissions for Personal Workspace Administrator role

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignments
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Standard roles

The following roles are pre-configured with the permissions for the tenant level or the folder level that are required to work in folders.

These roles cannot be changed, but you can duplicate and customize them as a new role if needed.

Below you can see the permissions granted for each standard role.

Orchestrator Administrator

This role is granted all tenant-level permissions, and should be assigned at the tenant level to any users in charge with the management of all tenant entities.

note

The Orchestrator Administrator role holds the same Orchestrator permissions as the Tenant Administrator role.

We recommend this role over Administrator, which is not relevant in a modern folder infrastructure.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 6. Orchestrator Administrator permissions

PermissionsViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Allow to Be Folder Administrator

A role with the minimum tenant-level permissions needed to manage their own folders and subfolders.

Accounts that have the Allow to be Folder Administrator tenant role should also have the Folder Administrator folder role assigned to them at the folder level.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 7. Allow to Be Folder Administrator permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Folder Administrator

A user with the minimum folder-level permissions needed to manage their own folders and subfolders.

Accounts that have the Folder Administrator folder role should also have the Allow to be Folder Administrator tenant role assigned to them at the tenant level.

This is a folder role and includes the following permissions by default, which cannot be changed.

Table 8. Folder Administrator permissions

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Allow to be Automation User

A user with the minimum folder level permissions needed to execute processes from Assistant, as well as unattended automations.

Accounts that have the Allow to be Automation User tenant role should also have the Automation User folder role assigned to them at the folder level.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 9. Allow to be Automation User permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Automation User

A user with the minimum folder level permissions needed to execute processes from Assistant, as well as unattended automations.

We recommend that accounts that have the Automation User folder role also have the Allow to be Automation User tenant role assigned to them at the tenant level.

This is a folder role and includes the following permissions by default, which cannot be changed.

Table 10. Automation User permissions

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Allow to be Automation Publisher

A user who can publish processes to Orchestrator.

This role can be assigned on top of Allow to be Automation User to allow a user to both publish and execute a process.

Accounts that have the Allow to be Automation Publisher tenant role should also have the Automation Publisher folder role assigned to them at the folder level.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 11. Allow to be Automation Publisher permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Automation Publisher

A user who can publish processes to Orchestrator.

This role can be assigned on top of Automation User to allow a user to both publish and execute a process.

Accounts that have the Automation Publisher folder role should also have Allow to be Automation Publisher tenant role assigned to them at the tenant level.

This is a folder role and includes the following permissions by default, which cannot be changed.

Table 12. Automation Publisher permissions

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Allow to be Automation Developer

A user who creates automation projects, but does not have direct access to complex and expensive resources, such as storage buckets.

Accounts that have the Allow to be Automation Developer tenant role should also have the Automation Developer folder role assigned to them at the folder level.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 13. Allow to be Automation Developer permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Automation Developer

A user who creates automation projects, but does not have direct access to complex and expensive resources, such as storage buckets.

Accounts that have the Automation Developer folder role should also have the Allow to be Automation Developer tenant role assigned to them at the tenant level.

This is a folder role and includes the following permissions by default, which cannot be changed.

Table 14. Automation Developer permissions

PermissionViewEditCreateDelete
Agent Memory
Apps
Assets
Storage Files
Storage Buckets
Business Rules
Connections
Environments
Execution Media
Folder Packages
Indexes
Jobs
Logs
MCP Servers
Monitoring
Processes
Queues
Live stream & Remote control
Resource Overwrites
Triggers
Subfolders
Action Assignment
Action Catalogs
Actions
Test Case Execution Artifacts
Test Data Queue Items
Test Data Queues
Test Set Executions
Test Sets
Test Set Schedules
Transactions

Solutions Administrator

A user who can create, edit, and delete solution packages and manage solution deployments.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 15. Solutions Administrator permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks

Solutions Contributor

A user who can view, edit, and create solution packages and package versions.

This is a tenant role and includes the following permissions by default, which cannot be changed.

Table 16. Solutions Contributor permissions

PermissionViewEditCreateDelete
Alerts
App Versions
Audit
Background tasks
Libraries
License
Machines
ML Logs
ML Packages
ML Skills
Packages
Robots
Roles
Settings
Solution deployments
Solution packages
Tags
Folders
Users
Webhooks