Authorization and access control
Control Room Authorization Model
Users access Control Room via login or by using Access Credentials. Organizations and Workspaces are Control Room specific terms that describe the authorization layer. Robocorp Workforce Agent and Robocorp Assistant are the applications that execute tasks.
User is used to log into Control Room via cloud.robocorp.com, or users may use Control Room via her or his access credentials. For optimal security, do not use shared accounts but allow each Control Room user to register with her or his account.
Access credentials grant programmatic access to Control Room and can perform actions such as uploading and downloading task packages. For security purposes, it is important to note that these credentials should be treated with as much secrecy as login credentials, as they grant an equal amount of access to a Robocorp account. A user can have multiple Access Credentials.
Users can be a part of multiple Organizations that host many Workspaces. Other users can be added to an organization. Upon joining, the users can have access to all of the workspaces under the organization. One user can be a member of multiple organizations. Workspaces are smaller units inside an organization.
Robocorp Workforce Agent is always connected to a specific workspace and can access resources within that workspace. The same Robocorp Workforce Agent cannot be in multiple Workspaces simultaneously.
Robocorp Assistants link to Cloud users so that the Assistant user can see Assistants defined in all workspaces they have been invited to.
Role-based Access Control (RBAC) in Control Room
Control Room allows fine-grained role-based access control (RBAC) mechanisms on both the Organization and Workspace levels. These roles can be combined and leveraged to create efficient and secure ways of working with activities and processes in Control Room.
Organization
Owner
Owners have the most access over a Robocorp account. Most notably, they can access billing features and demote or promote other organization accounts to Admins or Owners. For optimal security, it is recommended not to use the Owner account for other tasks than account setup. It is good to consider the Owner account in an organization as the master or root account.
Each organization must have at least one account with the Owner role attached to it.
Admin
An Admin account can perform administrative actions in Control Room, such as create new workspaces and add users. Any Admin user can also promote other organization Members to Admins.
The Admin role cannot access features such as billing and compliance, which means it is better suited for daily activities than the owner role.
Member
The Member account has the least access in an organization. Users with the Member role can only view Workspaces they have been explicitly invited to in an Organization. If they are promoted to be a Workspace Administrator for a Workspace, they can add other Organization users to that specific Workspace.
The Member role is suitable for developers or consultants who do not need visibility into the configurations and other users in an Organization.
Data Analyst
The Data Analyst has the same permissions as the organization Member, but with the addition of being able to see the Organization Dashboard.
Auditor
The Auditor role is a special role available only for the enterprise tier. This role has view-only rights across users, dashboards and audit logs for external auditing purposes.
| Member | Data Analyst | Admin | Owner | Auditor | |
|---|---|---|---|---|---|
| View workspaces | โ* | โ* | โ | โ | |
| Add org users to workspaces | โ** | โ** | โ | โ | |
| View organization dashboards | โ | โ | โ | โ | |
| View organization users | โ | โ | โ | ||
| Edit and view workspaces and permissions | โ | โ | |||
| Add and remove users to organization | โ | โ | |||
| Promote and demote member to Admin | โ | โ | |||
| Promote and demote Admin to Owner | โ | ||||
| Management, compliance | โ | ||||
| Plan & Billing | โ | ||||
| View audit logs | โ | โ |
* Only workspaces user has been added to
** Only when set as workspace administrator
Workspace
Workspace Administrator
Workspace Administrators have the most power over a Workspace and can invite new users, alter Workspace permissions for users, edit processes, unattended workers, and run processes.
The Administrator role in a Workspace is not equal to the Admin role in an Organization. To follow the principle of least privilege, your should assign to your Workspace Administrator the role of Member in the Organization.
Workspace Developer
The Workspace Developer cannot add users or modify permissions, but they can otherwise view and edit everything within the context of a Workspace. The Developer role should be used for task packages developers whose task is to maintain and develop task packages for unattended or attended automation, and users who require more access than run processes or view their results.
Workspace Controller
The Workspace Controller role is available under the enterprise tier plan.
Workspace Operator
The Workspace Operator is a role suitable for users who need to run or schedule tasks and view the results of the processes, or run attended automations via the assistant application. The Operator role in a Workspace cannot alter any settings or invite new users, making it a good role to be used for daily tasks for running a premade process.
Assistant User
The Assistant User role is available under the enterprise tier plan. Users with this role can only run assistants in order to make their jobs easier without having to create or maintain these attended automations.
Workspace Auditor
The Workspace Auditor role is available under the enterprise tier plan. This role is meant for auditing purposes.
In the context of a Workspace:
| Assistant User | Operator | Controller | Developer | Administrator | Auditor | |
|---|---|---|---|---|---|---|
| View processes | โ | โ | โ | โ | โ | |
| Edit processes | โ | โ | โ | |||
| Run, stop and schedule processes | โ | โ | โ | โ | ||
| View process runs | โ | โ | โ | โ | โ* | |
| View work items | โ | โ | โ | โ | โ | |
| Edit work items | โ | โ | โ | โ | ||
| View task packages | โ | โ* | โ | โ | โ | |
| Edit task packages | โ | โ | ||||
| View Assistants | โ | โ | โ | โ | โ | โ |
| Run Assistants | โ | โ | โ | โ | โ | |
| Edit Assistants | โ | โ | โ | |||
| View storage assets | โ | โ | โ | โ | ||
| Edit storage assets | โ | โ | โ | |||
| View and edit API keys | โ | โ | ||||
| View and edit vault | โ | โ | ||||
| View Workers | โ | โ | โ | โ | ||
| Edit Workers | โ | โ | ||||
| Read webhooks | โ | โ | โ | |||
| Edit webhooks | โ | โ | ||||
| View workspace permission | โ | โ | ||||
| Edit workspace permissions | โ | |||||
| View users | โ | โ | ||||
| Add or remove users | โ | |||||
| Edit user roles | โ | |||||
| Import Assistant Only Users | โ | |||||
| Add runtime link token | โ | |||||
| View audit logs | โ | โ |
* Workspace operators can access the task packages for running assistants, but cannot see the task packages page in UI
* Workspace auditors can see process runs but cannot view the artifacts of the runs