Integrate UiPath Automation Plugin with Password Safe Cloud
UiPath is a robotic process automation tool used for large-scale end-to-end automation. It allows organizations to automate and orchestrate various processes that would normally require a human worker. Robotic Process Automation, or RPA, allows organizations to free human workers from repetitive tasks like data entry so they can focus on less repetitive and more productive activities.
For more information, please see BeyondTrust Integration.
UiPath provides software robots to automate tasks, for example, data entry via SAP GUI.
Automating data entry in a solution like SAP begins with authentication. UiPath Automation Cloud supports BeyondTrust Password Safe, Password Safe Cloud, and Secrets Safe (formerly known as Team Passwords). Support for Password Safe managed accounts allows UiPath software robots to check out fresh credentials that are managed by Password Safe for operations (e.g. root account for Linux OS). Support for Secrets Safe allows UiPath users to create and delegate access to pools of credentials that are separate from operational accounts. Secrets Safe allows the grouping of credentials under both local and directory (Active Directory, LDAP) groups, leveraged as secrets. Access to credentials can be granted to individual team members.
The dual support of operational and team-managed credentials allows maximum flexibility from an automation perspective, removing delays and allowing collaborative sharing of credentials while maintaining corporate oversight. Secrets Safe helps improve the user experience for UiPath users.
BeyondTrust privileged access management solutions deliver the visibility and control you need to reduce risk, achieve least privilege, and gain operational efficiency.
Configure UiPath Orchestrator Service Account in Password Safe
Create an API Registration
- In the BeyondInsight Console, go to Configuration > General > API Registrations.
- Click the Create New API Registration button.
- Type UiPath in the API Registration Name field.
- Click the Create API Registration button.
- Add an IP Rule to allow Orchestrator to call the Web Service API (REST) for Password Safe:
  - In the UiPath Details pane, under Authentication Rules, click the Add Authentication Rule button.
  - Under IP Rule, select Single IP Address as the Type.
  - Provide the IP Address of your UiPath server or instance.
  - Click Create Rule.
Create a New Group with API Access
Once the API Registration is created, you must assign it to a group. To create a new group:
- In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Groups > Create New Group > Create a New Group.
- Add a Group Name and Description, and then click Create Group. The Group Details page is displayed.
- Under Group Details, select API Registrations. Click the check box next to the UiPath API Registration created above to assign it to the group.
You must turn on API access for a Password Safe managed account to be accessible to the API methods.
- Select Managed Accounts.
- Click the vertical ellipsis button for a managed account, and then select Edit Account.
- Expand Account Settings, and then click the toggle to set the API Enabled option to yes.
- Click Update Account.
Create a New User
Create a new user to add to the group. Delegation is by group only, and not directly with users.
- In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Users > Create New User > Create a New User.
- On the pop-out screen, provide Identification, Credentials, Contact Information, User Status, and Authentication Options as needed.
- Click Create User.
- Return to the Group Details page to add the new user to the group:
  - Go to Configuration > Role Based Access > User Management > Groups.
  - Find the group, and then right click on the ellipsis to the right of that group. Select View Group Details.
  - Under Group Details, select Users.
  - Under the Show dropdown list, select Users Not Assigned. Filter by the name of the user just created, then click the check box to the left of the username.
  - Click the Assign User button to assign the user to the group.
Assign Smart Rules to the Group
Several Smart Groups with Read Only permissions must be added to the newly created group:
- Go to Configuration > Role Based Access > User Management > Groups. Find the group and click on the corresponding ellipsis to the right of the group.
- Select View Group Details from the list.
- On the next screen, select Smart Groups located under Group Details.
- Under Smart Group Permissions, a list of All Smart Groups is displayed. Check the box next to the following Smart Groups to assign them:
  - All Assets in Password Safe
  - All Managed Accounts
  - All Managed Systems
- Once the Smart Groups are selected, click the Assign Permissions button, and then select Assign Permissions Read Only.
All Managed Accounts and All Managed Systems Smart Groups are added to include subsets of Managed Accounts and Managed Systems.
Add Requestor Role and Access Policy
The All Managed Accounts Smart Group must include a requestor role and an access policy:
- Right click on the ellipsis to the right of the All Managed Accounts Smart Group. Select Edit Password Safe Roles.
- Click the Requestor check box.
- Select an Access Policy for Requestor from the dropdown list.
- Click Save Roles.
Add Information Security Administrator Role for Assets
- Right click on the ellipsis to the right of the All Assets in Password Safe Smart Group. Select Edit Password Safe Roles.
- Click on the Information Security Administrator check box.
- Click Save Roles.
Add Secrets Safe (Team Passwords) Feature
To add the Secrets Safe feature to your new group:
- Navigate to your group. Right click on the ellipsis to the right of the group and select View Group Details.
- Under Group Details, click on Features.
- Under the Show dropdown list, select All Features.
- Filter by Feature Name.
- Type Secrets Safe in the Feature Name text box.
- Click the check box next to Secrets Safe, and then click the Assign Permissions button. Select Assign Permissions Full Control.
If including the Secrets Safe feature, you will need to assign ownership or permissions to all Secrets Safe (Team Passwords) credentials available in UiPath.
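A smoke test for the service account configured above, as an added example that is not part of the BeyondTrust or UiPath documentation: it signs in with the API registration key and run-as user, confirms that one API-enabled managed account is visible, then opens a request and immediately checks it in without retrieving the secret. The endpoint paths, the PS-Auth header and the JSON field names follow the Password Safe public REST API v3 and are assumptions here (the page does not list them), as are the function names and the base URL you pass in.

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlencode

def make_transport():
    """HTTPS transport that keeps the session cookie set by Auth/SignAppin."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    def call(method, url, headers, body=None):
        data = None if method == "GET" else json.dumps(body or {}).encode()
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with opener.open(req, timeout=15) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return call

def smoke_test(base, api_key, run_as, system, account, call):
    """Return the checks that passed, in order; stop at the first failure."""
    hdr = {"Authorization": f"PS-Auth key={api_key}; runas={run_as};",
           "Content-Type": "application/json"}
    passed = []
    status, _ = call("POST", f"{base}/Auth/SignAppin", hdr)
    if status != 200:
        return passed  # API key, run-as user, group assignment or IP rule rejected
    passed.append("sign-in")
    try:
        q = urlencode({"systemName": system, "accountName": account})
        status, acct = call("GET", f"{base}/ManagedAccounts?{q}", hdr)
        if status != 200 or not acct:
            return passed  # check Smart Group, Requestor role and API Enabled
        passed.append("account-visible")
        req_body = {"SystemId": acct["SystemId"], "AccountId": acct["AccountId"],
                    "DurationMinutes": 5, "Reason": "UiPath integration smoke test"}
        status, request_id = call("POST", f"{base}/Requests", hdr, req_body)
        if status not in (200, 201):
            return passed  # access policy did not allow the request
        passed.append("request-approved")
        # Release immediately; the credential itself is never fetched or printed.
        status, _ = call("PUT", f"{base}/Requests/{request_id}/Checkin", hdr, {"Reason": "done"})
        if status in (200, 204):
            passed.append("checked-in")
        return passed
    finally:
        call("POST", f"{base}/Auth/Signout", hdr)  # always end the API session
```

Run it from the host whose address is in the IP rule, with `call=make_transport()`; a result that stops before "checked-in" points at the configuration step named in the comment beside that check.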
Integrate Password Safe with UiPath
The images below demonstrate how to use the integration from UiPath UI via examples. These images show where to find the integration and how to use it.
This image shows examples of credential stores created with the integration.
This image displays Password Safe local accounts.
For local account support, select system from the Managed Account Type dropdown list.
This example uses domainlinked accounts instead of local Managed Accounts. A domainlinked account exists under a directory Managed System, but the account must be linked under an asset (e.g. Windows Server) to be available for UiPath to check out.
This image displays Secrets Safe (Team Passwords) support.
You can create assets in UiPath to act as pointers to credentials managed by Password Safe.
This image shows an asset example for a local account.
This image shows an asset example for a linked account (Active Directory). Managed systems explicitly specified with a forward slash delimiter ( / ) indicate that they are configured in Credential Store.
This image shows an example of a Secrets Safe (Team Passwords) credential asset.
This image demonstrates a test workflow to check out and display credentials for Password Safe assets.