Orchestrator user guide

DELIVERY:

Last updated Aug 26, 2025

Migrating from break inheritance to union of privileges

The union of privileges access model improves access control across all users. It grants users access levels by combining explicit and group-level access. As a result, each time you add or remove a privilege to or from a group, all users who are part of that group become subject to the updated privilege check.

The break inheritance model refers to a scenario where any changes to the associated set of privileges at the group level are not automatically propagated to the users who are members of that group. This means that, once inheritance is broken, updates made to the group’s privileges do not reflect in the user's access, unless the user is removed and re-added to the group, or the user is recreated in Orchestrator.

Note: This change impacts the following set of privileges:

UI Profile settings (No UI access, Personal Workspace only, Standard Interface)
Update policy settings
Enable user to run automations
Create a personal workspaces for this user

Permissions already work in the union of privileges model.

Using the migration tool

To perform the migration, apply the following steps:

Under the Manage Access tab, select Users migration.
Select Get report, then Request report to export a list of the users that will be migrated to the new model.
Note:
- Only users that receive more access post-migration will appear in the report.
- To view the report content, select My reports in Orchestrator. Alternatively, check your email, and download the generated report. For more details, check The exported report.
When you are ready, select Start migration.
The Migration completed message appears on the same page once the migration is finished. Now, access inheritance rules change to the union of privileges. A new access model applies for consistent permissions, roles, and settings platform-wide.

Post-migration behavior

Once the migration is complete, check the new behavior as follows:

Go to the Manage Access tab.
Select the Access Rules tab, then Users, and then select the Assign user button.
The Assign access rules page is displayed.
Search for a user. On the right side of the page, the Summary card displays with the current permissions of the selected user.
If the account already has access rules assigned at the tenant level, select the Edit button to modify access rules.
Under Configuration, in the Additional roles field, assign additional existing roles to the user, or select New role to create and assign a new role.
Under Settings, UI Profile has the Standard default option.
For Personal automation setup, choose one of the following:
- None
- Enable user to run automations
- Enable user to run automations + Personal workspace
For Client binaries (Robot, Assistant and Studio) auto-update policy, choose one of the following:
- None
- Latest patch
- Latest version
- Specific version
The following options are available only for users and robot accounts.
Under Unattended setup - Unattended robot setup, choose one of the following options:
- None
- Unattended robot using predefined VM credentials
- Unattended robot using custom Windows credentials
For Advanced robot options, configure any of the following options:
- Logging Level
- Allow Development Logging
- Login To Console
- Resolution Width
- Resolution Height
- Resolution Depth
- Font Smoothing
- Auto Download Processes
Select Update to finish the user configuration.

On this page

Migrating from break inheritance to union of privileges
Using the migration tool
Post-migration behavior

Was this page helpful?

PREVIOUSDefault roles

NEXTManaging custom roles

Support and Services

Get The Help You Need

UiPath Academy

Learning RPA - Automation Courses

UiPath Forum

UiPath Community Forum

Trust and Security

Cookies Policy