Management Console user roles

Management Console provides built-in user roles, and users belong to groups.

See the following to understand and manage roles and groups:

Built-in roles

In Management Console, user permissions are calculated based on the roles that are mapped to security groups that a user is a member of. You can modify built-in roles and add additional roles.

A user cannot assign roles with permissions that the user does not have. For example, a Project Administrator cannot assign Kapplet Administrator, Kapplet User, and Process Discovery Client roles.
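The two rules above (permissions come from roles mapped to a user's groups, and a role can be assigned only by someone who already holds all of its permissions) can be modeled as a set-union and a subset check. This is an added example, not Management Console code: the permission names, role contents, projects, groups, and users are constructed for illustration, and only the role names come from this page.

```python
# Constructed model: permission names and role contents are illustrative only,
# not the product's real permission list.
DEVELOPER = {"repo.view", "repo.write", "schedule.view", "schedule.edit",
             "robot.run", "log.view"}
ROLE_PERMS = {
    "Viewer": {"repo.view", "schedule.view", "log.view"},
    "Developer": DEVELOPER,
    "Project Administrator": DEVELOPER | {"role.assign", "cluster.view"},
    "Kapplet User": {"kapplet.run"},
    "Kapplet Administrator": {"kapplet.run", "kapplet.manage"},
}

# Roles are mapped to security groups per project (constructed sample data).
GROUP_ROLES = {
    ("Invoices", "inv-admins"): {"Project Administrator"},
    ("Invoices", "inv-kapplets"): {"Kapplet Administrator"},
    ("Payroll", "pay-devs"): {"Developer"},
}
USER_GROUPS = {
    "alice": {"inv-admins"},
    "bob": {"inv-admins", "inv-kapplets"},
    "carol": {"pay-devs"},
}

def effective_permissions(user, project):
    """Union of the permissions of every role mapped to the user's groups."""
    perms = set()
    for (proj, group), roles in GROUP_ROLES.items():
        if proj == project and group in USER_GROUPS.get(user, set()):
            for role in roles:
                perms |= ROLE_PERMS[role]
    return perms

def missing_permissions(user, project, role):
    """Permissions of `role` that the would-be assigner does not hold."""
    return sorted(ROLE_PERMS[role] - effective_permissions(user, project))

def can_assign(user, project, role):
    """Assigner needs the assign right and every permission in the role."""
    held = effective_permissions(user, project)
    return "role.assign" in held and not missing_permissions(user, project, role)

if __name__ == "__main__":
    for user, role in [("alice", "Developer"), ("alice", "Kapplet Administrator"),
                       ("bob", "Kapplet Administrator")]:
        print(user, role, can_assign(user, "Invoices", role),
              missing_permissions(user, "Invoices", role))
```

In this model the check is on permissions rather than role names, so an assigner who picks up the missing permissions through a second group passes the check, which is worth reviewing when auditing who can delegate which roles.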

All service roles are only for use in API applications and cannot be used for interactive login to Management Console in a browser.

  • Project Administrator: Administrates one or multiple projects and has the right to assign a role to a group for these projects. This user has rights to view RoboServer and cluster settings without changing them. Project Administrator is not a member of the RPA Administrators group (for more information, see Built-in admin superuser).

  • Developer: Has the right to upload, download, and view all resource types in the repository. This role gives rights to create, edit, and delete schedules, run robots, and view run logs and clusters.

  • Viewer: Can view Schedules, Repository, Data view, Log view, and some Settings. This role gives restricted access under the Admin section and does not give rights to change or run robots.

  • API (A service role): Gives rights to use the repository API to read from and write to the repository. This role does not permit running robots using REST but allows running robots using RQL.

  • Service Authentication API (A service role): Uses the repository API to read from and write to the repository. A user logs in using an OAuth authentication method.

  • RoboServer (A service role): Can only read from the repository. This role is used by RoboServers when accessing a cluster, retrieving repository items, and requesting passwords from the Vault.

  • Kapplet Administrator: Grants read/write access to projects in Management Console from Kapplets. In Kapplets, users with this role can manage Kapplets and create and manage Kapplet templates for the projects that contain the robots required for these templates.

    A user with this role cannot access Management Console if this user has no other rights.

    For more information, see Kapplets user management and Users and User Groups.

  • Kapplet User: Grants read-only access to projects in Management Console from Kapplets. In Kapplets, users with this role can only view and run Kapplets for robots belonging to the projects to which they have access.

    A user with this role cannot access Management Console if this user has no other rights.

    For more information, see Kapplets user management and Users and User Groups.

  • Kapplets Service User (A service role): Can only read from the repository. This role is used only to retrieve information about available robots, types, snippets, and resources for the given project and thus is used only for communication purposes between Kapplets and Management Console. This role is automatically applied to all Management Console projects.

  • Vault Client: This add-on role gives permission to access the Vault in Management Console. The role is provided on top of other roles, such as the Developer role.

  • DAS Client User (A service role): A user with this role is created for remote Desktop Automation Service (DAS) clients, and can only access the DAS API. The DAS client user has the right to announce a DAS to Management Console and retrieve DAS configurations.

  • VCS Service User (A service role): Gives a special set of rights for the Synchronizer. This role grants the right to add, modify, and delete resources. This is the only role that can deploy on behalf of another user to use the "deployer" feature in the VCS. Additionally, users with this role can view Management Console functions through the API (not from a browser).

  • Process Discovery Client (A service role): This role allows Process Discovery components to interact with Management Console.

  • TotalAgility Client (A service role): This role allows TotalAgility components to interact with the Management Console.

Built-in admin superuser

The admin superuser has access to everything. The admin superuser is not a member of the RPA Administrators group and cannot be a member of any group. The default admin user password is available to this user. This user can change the admin user name and password.

In an LDAP integration setup, the admin group is defined as part of the LDAP configuration. The admin can log in and define which LDAP groups should be mapped to the Developer, Project Administrator, RoboServer, and other roles.

In an internal user setup, the admin superuser is created at first start and can log in to create Administrators, Developers, and other users.

In addition to being the initial user, the admin superuser has special rights:

  • In the RoboServers section, the admin superuser can click a RoboServer node and request a stack trace from the corresponding RoboServer.

  • Only the admin superuser can create and import backups.

When you restore a Management Console backup, the default admin superuser is replaced with a superuser from the backup. Use the credentials specified in the restored Management Console.

Built-in admin group

Users belonging to the RPA Administrators group have all rights for all projects, excluding special admin superuser rights. RPA Administrators create new administrators and users for any project. To make a user an administrator, add the user to this group.

  • The RPA Administrators group is visible when the internal user management is enabled, and it is empty by default.

  • RPA Administrators do not have access to the following Management Console Admin functions:

    • High availability nodes

    • Service authentication

    • Backups

    • License

  • When restoring a backup created in RPA versions prior to 10.7, users with the Administrator role become members of the RPA Administrators group.