User permissions

Blue Prism provides a high level of control to system administrators wishing to limit the actions that may be performed by ordinary users. Indeed, in many parts of Blue Prism, an administrator may specify not only which sections of the system a user may access, but may specify precisely which buttons a user may press within that section.

Set a user's permissions

A user with permission to access System Manager may set the roles and permissions of another user from the Security - Users screen.

To edit the permissions of a user:

  1. Select a user from the list view and click Edit in the top right-hand side.

    The User Settings configuration dialog displays.

  2. Navigate to the Roles and Permissions tab and select/deselect the required permissions in the right-hand side tree view.
  3. Click OK to save the changes.

Use of roles to set permissions

When a Blue Prism role exists, a user may be assigned permissions conveniently simply by selecting/deselecting permissions associated with the list of roles on the left-hand side. This will automatically enable the actions contained in that permission. This feature is especially convenient when setting the permissions of many users one after the other. For information about how to create custom roles, see Blue Prism user roles.

Permissions

The permissions are grouped into different categories:

Analytics

Permission

Description

Create/Edit/Delete Tiles

Users can create, edit or delete tiles on the tile library screen.

Design Global Dashboards

Users can create, edit, delete or copy global dashboards. Without this permission or one of the other permissions to design dashboards users can only view the default dashboard on the home page.

Design Personal Dashboards

Users can create, edit, delete or copy personal dashboards. Without this permission or one of the other permissions to design dashboards users can only view the default dashboard on the home page.

Design Published Dashboards

Users can create, edit, delete or copy published dashboards. Without this permission or one of the other permissions to design dashboards users can only view the default dashboard on the home page.

Import Global Dashboard

Users can import releases that contain global dashboards. If a release contains a global dashboard and the user does not have this permission, the release cannot be imported.

To import a release, users must also have Import Release.

Import Published Dashboard

Users can import releases that contain published dashboards. If a release contains a published dashboard and the user does not have this permission, the release cannot be imported.

To import a release, users must also have Import Release.

Import Tile

Users can import releases that contain tiles. If a release contains a tile and the user does not have this permission, the release cannot be imported.

To import a release, users must also have Import Release.

View Dashboards

Users can view the Dashboard tab in Analytics. Without this permission, or one of the permissions to design dashboards, users can only view the default dashboard on the home page.

Control Room

Permission

Description

Data Gateways – Control Room

Users can access the Data Gateways area of the Control Room to check the status of the Data Gateways engine and start and stop the process as required.

Full Access to Queue Management

Users can access and work with queues in the Queue Management and Active Queues areas of the Control Room.

Read Access to Queue Management

Users can access the Queue Management and Active Queues areas of Control Room but cannot perform any actions on work queue items and can only access existing work queue filters.

Object Studio

Permission

Description

Create Business Object

Users can create business objects in Studio.

Delete Business Object

Users can delete business objects in Studio.

Edit Business Object

Users can edit business objects in Studio. Users with Create Business Object permission can create and edit a business object, even if they don't have the Edit Business Object permission.

Edit Object Groups

Users can create, delete, or rename an object group. Users can also move groups with this permission if they have the appropriate access rights to the target folder. Used in conjunction with Manage Business Object Access Rights, this permission allows users to retire and unretire business objects.

Execute Business Object

Users can execute items but cannot open or edit them. Execute does not automatically grant permission to view definitions, this would require view permissions. Users with the Execute permission who do not have View Business Object Definition or Edit Business Object permissions cannot step into the item while debugging an object or process.

Execute Business Object as Web Service

Users can call an object that has been exposed as a web service from outside Blue Prism, such as when executing an object via a SOAP request.

Export Business Object

Users can export a business object via the File menu.

Import Business Object

Users can import a business object via the File menu. If a business object being imported already exists in the database, users must also have the Edit Business Object permission to overwrite that process during import.

Manage Business Object Access Rights

Users can edit the access rights for business object groups. A user with this permission cannot grant access rights that are denied by the permissions set for a user role. For example, if a role allows a user to edit objects, that permission can be removed for a group. If the role does not allow a user to delete business objects, that permission cannot be granted for that role at group level.

Users cannot update this permission for their own user role.

View Business Object Definition

Users can view an object but cannot run or edit it. This also prevents users from successfully running a process that references an object for which they only have the right to view the definition. Providing the user has the permissions to view and run the process, it will stop running only when it reaches a prohibited object.

Process Alerts

Permission

Description

Configure Process Alerts

Users can configure process alert settings from the Windows system tray icon or from the Blue Prism System > Security – Users screen.

Users require the Security – Users permission to access user settings in Blue Prism.

Subscribe to Process Alerts

Users can view process alerts from the Windows system tray icon or from the Blue Prism System > Security – Users screen.

Users require the Security – Users permission to access user settings in Blue Prism.

Process Studio

Permission

Description

Create Process

Users can create processes in Studio.

Delete Process

Users can delete processes in Studio.

Edit Process

Users can edit processes in Studio. Users with Create Process permission can create and edit processes, even if they don't have the Edit Process permission.

Edit Process Groups

Users can create, delete or rename a process group. Users can also move groups with this permission if they have the appropriate access rights to the target folder. Used in conjunction with Manage Process Access Rights, this permission allows users to retire and unretire processes.

Execute Process

Users can execute items but cannot open or edit them. Execute does not automatically grant permission to view definitions, this would require view permissions. Users with the Execute permission who do not have View Process Definition or Edit Process permissions cannot step into the item while debugging an object or process.

Execute Process as Web Service

Users can call a process that has been exposed as a web service from outside Blue Prism, such as when executing a process via a SOAP request.

Export Process

Users can export a process by using the File menu.

Import Process

Users can import a process by using the File menu. If a process being imported already exists in the database, users must also have the Edit Process permission to overwrite that process during import.

Manage Process Access Rights

Users can edit the access rights for process groups. A user with this permission cannot grant access rights that are denied by the permissions set for a user role. For example, if a role allows a user to edit processes, that permission can be removed for a group. If the role does not allow a user to delete processes, that permission cannot be granted for that role at group level.

Users cannot update this permission for their own user role.

View Process Definition

Users can view a process but cannot run or edit it. This also prevents users from successfully running a process that references an object for which they only have the right to view the definition. Providing the user has the permissions to view and run the process, it will stop running only when it reaches a prohibited object.

Release Manager

Permission

Description

Create Release

Users can export a release via the File menu but cannot access the Releases tab.

Create/Edit Package

Users can create or edit a package via the Releases Manager screen.

Delete Package

Users can delete a package via the shortcut menu in the Release Manager screen.

Import Release

Users can import a release from the Release Manager screen or via the File menu.

If the user is importing a release that contains either processes or objects, the user will also need the appropriate permissions such as Import Process and Import Business Object.

View Release Manager

Users can view the Release Manager screen.

Resources

Permission

Description

Authenticate as Resource

Users can start up a runtime resource in the context of a user (using the /user /sso startup parameter).

Configure Resource

Users can retire or unretire a resource, set the logging level, and toggle writing activity to logs via the System > Resources – Management screen.

Control Resource

Users can run a process on a resource.

Edit Resource Groups

Users can create, remove, and delete groups. They can also move groups in the tree view in the System > Resources – Management screen.

Manage Resource Access Rights

Users can edit access rights relating to a resource or resource group. The access rights screen is read only if the user does not have this permission. This can be accessed by right-clicking a group or resource in the System > Resources – Management screen.

View Resource

Users can access the Session Management screen in Control Room.

View Resource Screen Captures

If Allow latest runtime resource screen capture is selected in System –Settings, users with this permission can view a runtime resource screen capture. The Show latest screen capture option is accessed by right‑clicking a resource.

Scheduler

Permission

Description

Create Schedule

Users can create, edit and unretire a schedule.

Delete Schedule

Users can delete a schedule via the shortcut menu or a command line.

Edit Schedule

Users can create and edit existing schedules. Without this permission, the shortcut menu for schedules or tasks isn't available, preventing users from being able to retire, run now, or clone an existing schedule or task.

Retire Schedule

Users can retire or unretire a schedule.

System – Scheduler

Users can access the System > System – Scheduler screen.

This permission is the same as the System – Scheduler permission under the System Manager category. If either of these permissions are turned off, the user will not be able to access the System > System – Scheduler screen.

View Schedule

Users can view a schedule, but cannot edit it's details.

Skill

Permission

Description

Import Skill

Users can import a release that contains skills. If the user does not have this permission, the release cannot be imported.

Manage Skill

Users with this or the View Skill permission can view the System > Skills – Management screen. Users can also enable, disable, or delete a skill if they have this permission.

View Skill

Users with this or the Manage Skill permission can view the System > Skills – Management screen.

System Manager

Permission

Description

Audit – Alerts

Users can access the System > Audit – Alerts screen.

Audit – Audit Logs

Users can access audit logs in the System > Audit – Audit Logs screen.

Audit – Business Object Logs

Users can access object logs in the System > Audit – Object Logs screen.

Audit – Configure Design Controls

Users can access the System > Audit – Design Control screen and edit all options.

Audit – Process Logs

Users can access process logs in the System > Audit – Process Logs screen.

Audit – Statistics

Users can access the System > Audit – Statistics screen.

Audit – View Design Control

This permission is not used. The Configure Design Control screen cannot be viewed unless the user has the Audit – Configure Design Controls permission.

Business Objects – Configure Environment Variables

Users can add and remove variables, or find references. They can still view the screen without this if they have the Business Objects – View Environment Variables permission.

Business Objects – Exception Types

Users can access the System > Objects – Exception Types screen.

Business Objects – Exposure

Users can access the System > Objects – Exposure screen.

Business Objects – External

Users can access the System > Objects – External screen.

Business Objects – History

Users can access the System > Objects – History screen.

Business Objects – Management

Users can access the System > Objects – Management screen.

Business Objects – SOAP Web Services

Users can access the System > Objects – SOAP Web Services screen.

Business Objects – View Environment Variables

Gives users read-only access to the System > Objects – Environment Variables screen.

Users need the Business Objects – Configure Environment Variables permission to add, edit or remove environment variables.

Business Objects – Web API Services

Users can access the System > Objects – Web API Services screen.

Business Objects – Web Connection Settings

Users that also have Business Objects – Web API Services permission can access the System > Objects – Web Connection Settings screen.

Data Gateways – Advanced Configuration

Users can access the Edit advanced output screen from the Output configuration preview screen of the Data Gateways output wizard, accessed from the System > Data Gateways > Configuration screen.

The user can configure Data Gateways settings and add and manage outputs (the same as Data Gateways – Configuration). They can also create and edit advanced outputs and custom configurations. This permission should only be granted to expert users who have the knowledge to edit output and configuration code.

Data Gateways – Configuration

Users can access the System > Data Gateways > Settings and the System > Data Gateways > Configuration screens.

The user can configure Data Gateways settings and add and manage outputs. They cannot create or edit advanced outputs or custom configurations.

Processes – Configure Environment Variables

Users can view and edit environment variables in the System > Process –Environment Variables screen.

Processes – Exception Types

Users can access the System > Process – Exception Types screen.

Processes – Exposure

Users can access the System > Process – Exposure screen.

Processes – Grouping

This permission is not actively used by any Blue Prism function having been superseded by the Edit Process Groups permission.

This permission will be removed in a future release.

Processes – History

Users can access the System > Process – History screen.

Processes – Management

Users can access the System > Process – Management screen.

Processes – View Environment Variables

This permission is not used. The Environment Variables screen cannot be viewed unless the user has the Processes – Configure Environment Variables permission.

Resources – Pools

Users can access the System > Resources – Pools screen.

Security – Manage Credentials

Users can access the System > Security – Credentials screen.

Security – Manage Encryption Schemes

Users can add, edit or delete an encryption scheme. They can still view the screen without these capabilities if they have the permission Security – View Encryption Scheme Configuration.

Security – Sign-on Settings

Users can access the System > Security – Sign-on Settings screen.

Security – User Roles

Users can access the System > Security – User Roles screen. This permission also allows users to manage Blue Prism Roles via the related hyperlink in System > Security – Users screen.

Security – Users

Users can access the System > Security – Users screen.

Security – View Encryption Scheme Configuration

Users can access the System > Security – Encryption Schemes screen.

The screen will be in read-only mode unless users also have the Security – Manage Encryption Schemes permission.

System – Archiving

Users can access the System > System – Archiving screen.

System – Calendars

Users can access the System > System – Calendar screen.

System – Fonts

Users can access the System > System – Fonts screen.

System – License

Users can access the System > System – License screen.

System – Reporting

Users can access the System > System – Reporting screen.

System – Scheduler

Users can access the System > System – Scheduler screen.

This permission is the same as the System – Scheduler permission under the Scheduler category. If either of these permissions are turned off, the user will not be able to access the System > System – Scheduler screen.

System – Settings

Users can access the System > System – Settings screen.

Workflow – Environment Locking

Users can access the System > Workflow – Environment Locking screen.

Workflow – Work Queue Configuration

Users can access the System > Workflow – Work Queue Configuration screen.

Multi-team environments (MTE)

User permissions may also be affected by Multi-Team Environment (MTE) settings which require permissions for specific processes, objects, and resources. For more information, see Multi-team environments.