UiPath's poorly defined AD integration
I recently upgraded UiPath Orchestrator to version 2020.10.8.
With this new version of Orchestrator we decided to go with AD integration, which "sounded" great, as it makes it possible to maintain users through AD groups, especially when there are many modern Folders in use and a lot of users.
We knew that there were some limitations, as UiPath has documented them here https://docs.uipath.com/orchestrator/v2020.10/docs/about-users#known-issues, for example "Auto-provisioned users do not inherit alert subscription settings from the parent group, nor do they receive any alerts by default. To have access to alerts, you are required to grant the corresponding permissions to the user explicitly." BUT what we did not know was a limitation that UiPath had not documented and has not fixed in the new 2021.4 FTS version either: you cannot use "user specific assets" (per-user assets) for any user who inherits access from an AD group. This is a major issue, and I cannot understand why they decided to approve such a downgrade in functionality before shipping it.
I contacted UiPath and the answer was "That is done by design, it needs to be explicitly added to that folder if the asset is per-user." Of course, it would have been nice to have it documented... So the bug/open issue that was not documented is now "by design". C'mon UiPath, you can do better.
The problem is that when "Developer X" logs in, Orchestrator checks their group membership against AD. The user then inherits the rights assigned to the group and keeps them for the duration of the session. When the session ends there is no longer a "Developer X" in Orchestrator, just the group, so there is no user record to which a per-user asset could be assigned. The root cause is probably related to the decoupling of Orchestrator and Identity Server, but more likely just release backlog and time pressure, even though it is not fixed in 2021.4 either.
Unfortunately, I do not have a working solution for this at this stage, and neither does UiPath (it is not as if they lack the tools to sync the user information; for example, listing the robots "seen in the last 30 days" works, as that is stored in Orchestrator).
I will probably need to start looking for a solution that does not consume a robot licence to sync users from AD groups, so we can keep managing them outside Orchestrator. Most likely PowerShell and the Orchestrator API would be a good combination. UiPath's Sync AD Users to Orchestrator (https://marketplace.uipath.com/listings/sync-ad-users-to-orchestrator) does not help here either, as it does not work with Folders at the time of writing.
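The PowerShell-plus-API approach sketched above, as an added example that is not from the original post and is not UiPath's own tooling. It enumerates an AD group, creates an explicit DirectoryUser record in Orchestrator for each member that does not have one yet (so that a per-user asset has something to target), and assigns that user the same folder role the group grants. Everything below is an assumption for illustration: the Orchestrator URL, tenant, NetBIOS domain, group, folder and role names, that the legacy `/api/Account/Authenticate` endpoint is enabled for a local admin account, that Orchestrator stores an AD user's UserName as the sAMAccountName, and that the RSAT ActiveDirectory module is installed where the script runs.

```powershell
# Added example (not UiPath code). Run on a schedule with a non-robot account; every value
# in param() is an assumption for this example and must be adapted to your environment.
param(
    [string]$OrchestratorUrl = "https://orchestrator.example.local",   # assumption
    [string]$Tenant          = "Default",                               # assumption
    [string]$Domain          = "CORP",                                  # NetBIOS domain, assumption
    [string]$AdGroup         = "RPA-Developers",                        # AD group to mirror, assumption
    [string]$FolderName      = "Finance",                               # modern folder, assumption
    [string]$RoleName        = "Automation User",                       # folder role the group already has
    [pscredential]$Credential = (Get-Credential -Message "Orchestrator local admin")
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Authenticate with a local (non-AD) admin account and keep the bearer token.
$authBody = @{
    tenancyName            = $Tenant
    usernameOrEmailAddress = $Credential.UserName
    password               = $Credential.GetNetworkCredential().Password
} | ConvertTo-Json
$token   = (Invoke-RestMethod -Method Post -Uri "$OrchestratorUrl/api/Account/Authenticate" `
              -ContentType "application/json" -Body $authBody).result
$headers = @{ Authorization = "Bearer $token" }

function Invoke-Orch {
    # Small wrapper so every call carries the token and JSON content type.
    param([string]$Method, [string]$Path, $Body)
    $params = @{ Method = $Method; Uri = "$OrchestratorUrl$Path"; Headers = $headers; ContentType = "application/json" }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 6) }
    Invoke-RestMethod @params
}

# 2. Resolve the folder and the role once (OData $filter; the backtick stops PowerShell expanding $filter).
$folder = (Invoke-Orch Get "/odata/Folders?`$filter=DisplayName eq '$FolderName'").value | Select-Object -First 1
$role   = (Invoke-Orch Get "/odata/Roles?`$filter=Name eq '$RoleName'").value | Select-Object -First 1
if (-not $folder -or -not $role) { throw "Folder '$FolderName' or role '$RoleName' not found" }

# 3. The AD group is the source of truth: nested members resolved, users only.
$members = Get-ADGroupMember -Identity $AdGroup -Recursive | Where-Object objectClass -eq 'user'

$created = 0
foreach ($m in $members) {
    $sam = $m.SamAccountName
    # 4. Group-inherited sessions leave no per-user record behind, so check for an explicit one.
    #    Assumption: Orchestrator stores the AD user's UserName as the sAMAccountName.
    $existing = (Invoke-Orch Get "/odata/Users?`$filter=UserName eq '$sam'").value | Select-Object -First 1
    if ($existing) {
        $userId = $existing.Id
    } else {
        $adUser = Get-ADUser -Identity $sam -Properties GivenName, Surname, EmailAddress
        $new = Invoke-Orch Post "/odata/Users" @{
            UserName     = $sam
            Domain       = $Domain
            Type         = "DirectoryUser"   # an explicit AD user, not a DirectoryGroup
            Name         = $adUser.GivenName
            Surname      = $adUser.Surname
            EmailAddress = $adUser.EmailAddress
            RolesList    = @()               # tenant roles stay on the group; only the folder role is added
        }
        $userId = $new.Id
        $created++
    }
    # 5. Grant the explicit user the folder role the group already grants; a per-user asset can now target it.
    try {
        Invoke-Orch Post "/odata/Folders/UiPath.Server.Configuration.OData.AssignUsers" @{
            assignments = @{
                UserIds        = @($userId)
                RolesPerFolder = @(@{ FolderId = $folder.Id; RoleIds = @($role.Id) })
            }
        } | Out-Null
    } catch {
        Write-Warning "Folder assignment for $sam failed (already assigned?): $($_.Exception.Message)"
    }
}
"Synced $($members.Count) members of '$AdGroup' into folder '$FolderName' ($created created)"
```

Two caveats worth keeping in mind: the script only adds, it never removes a user who has left the AD group, so a companion pass over `/odata/Users` filtered to `Type eq 'DirectoryUser'` is needed if leavers must lose folder access; and because it authenticates as a local Orchestrator admin rather than an AD account, that credential should live in a vault and be scoped to Users.Create and Folders.Edit only.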