Skip to main content

Automation Anywhere Control Room Roles Explained with Real-World Examples

  • July 6, 2026
  • 1 reply
  • 35 views

amankumar236

Enterprise Governance: A Complete Guide to Automation Anywhere Control Room Roles

Managing user access is one of the most critical responsibilities of an Automation Anywhere Control Room administrator. Assigning incorrect permissions not only creates severe security vulnerabilities but can also stall development pipelines or disrupt production schedules.

This guide provides an enterprise-grade breakdown of predefined Control Room roles, their operational scope, and a critical look at a common mistake developers and administrators make during deployment.

Predefined Control Room Roles by Operational Function

To manage a scalable RPA environment, roles are broadly categorized into Administration, Development, Execution, and Specialized features.

1. System & Security Administration

Role Operational Purpose Enterprise Use Case
Administrator Global, unrestricted access to the entire Control Room tenant. Held exclusively by IT Platform Owners responsible for initial setup, licenses, and emergency recovery.
Control Room Administrator Management of users, custom roles, devices, credentials, and packages. Assigned to infrastructure administrators maintaining day-to-day environment health.
Credential Vault Administrator Isolated authority to create and manage credential lockers, attributes, and access control lists (ACLs). Assigned to InfoSec or Security team members managing application passwords and encryption keys without granting them access to bot execution.
Auditor Read-only access to audit logs, event histories, and system configurations. Held by Compliance Officers or internal risk auditors reviewing automated activity for regulatory compliance.

2. Development & Execution

Role Operational Purpose Enterprise Use Case
Bot Creator Entitlement to author, edit, and debug bots locally, upload/download packages, and check code into the public repository. Assigned to core RPA Developers building and testing automation workflows (e.g., invoice processing).
Citizen Developer Restricted development access, typically limited to low-code or web-based recording interfaces with strict repository guardrails. Assigned to business business users creating localized, non-critical departmental automations.
Bot Runner Non-interactive execution license optimized for running unsupervised automations. Assigned strictly to unattended production Virtual Machines (VMs) or service accounts designated for bot execution.

3. Workload Management (WLM) & Device Pooling

Role Operational Purpose Enterprise Use Case
Device Pool Administrator Global authority to cluster Bot Runners into high-availability device pools. Used by infrastructure teams allocating a massive farm of Bot Runner machines across distinct business units.
Device Pool Owner Localized management of specific assigned device pools. A Finance Department lead managing the specific schedules and priorities of their department's dedicated runners.
Queue Administrator Full lifecycle control over Workload Management (WLM) queues, including schema definitions and SLA configurations. Assigned to Business Analysts or Track Leads managing the intake queues for transactional processes like Accounts Payable.
Queue Producer Permission to inject work items (JSON payload/data rows) into a specific queue. Assigned to a "feeder" bot that extracts data from a shared mailbox and pushes it into the processing queue.
Queue Consumer Permission to checkout and process work items from a specific queue. Assigned to production processing bots that pick up work items, execute the transaction, and update the item status.

4. Specialized Components & Integration

Role Operational Purpose Enterprise Use Case
Scheduler Authority to configure time-based and event-based triggers for bot execution. Assigned to operations teams scheduling a payroll automation to run every Friday at 8 PM.
Automation Co-Pilot (AARI) User Interaction with human-in-the-loop interfaces to trigger or input data into a bot. Assigned to front-office HR staff submitting onboarding requests through a simplified web form without back-end Control Room access.
Document Automation User Access to IDP (Intelligent Document Processing) dashboards to train models, validate extractions, and handle exceptions. Used by Operations teams correcting low-confidence OCR extractions on invoices and purchase orders.
API User Programmatic, non-interactive authentication for external systems communicating with the Control Room. Assigned to service accounts linking external orchestration tools (like ServiceNow or Jira) to the Control Room via REST APIs.
Insights User Access to operational dashboards, business analytics, and performance KPIs. Assigned to Operations Managers monitoring bot ROI, transaction success rates, and processing bottlenecks.

🛑 The Common Mistake: "Role Creep" & Developer Over-Privilege

One of the most frequent mistakes RPA developers and administrators make during the transition from development to production is combining the Bot Creator and Bot Runner roles on a single user identity, or assigning administrative permissions to active developer accounts.

Why it Happens:

During a tight deployment window, a developer might face access restrictions when debugging a bot on a testing VM. To bypass the issue quickly, the administrator grants the developer temporary execution or admin rights, which are subsequently forgotten and left active.

The Impact:

  • Segregation of Duties (SoD) Violation: If a developer has both Creator (code modification) and Runner/Admin (code execution in production) privileges, they possess the ability to bypass the code review lifecycle. They could technically write a malicious or unverified script, check it in, and execute it directly on a production server.

  • License Waste & System Conflicts: Assigning a Bot Runner role to a physical user identity can cause session conflicts when that user tries to develop code while an automated schedule attempts to trigger a background process on their ID.

  • Audit Failure: During compliance audits (such as SOX or ISO 27001), having developers with administrative or production execution capabilities will result in an immediate security red flag.

Best Practices for Control Room Governance

  • Enforce the Principle of Least Privilege (PoLP): Grant users the bare minimum access required to complete their daily tasks. If a user only views dashboards, they should strictly receive the Insights User role.

  • Isolate Environments completely: A user who is a Bot Creator in the Development Control Room should only have standard user or AARI User access in the Production Control Room.

  • Leverage Custom Roles: Predefined roles are excellent baselines, but enterprise environments usually require custom roles. Create tailored roles that combine specific permissions (e.g., combining Queue Producer with a custom read-only device view) rather than stacking multiple predefined roles.

  • Conduct Scheduled Access Reviews: Audit user-to-role mappings quarterly. Revoke elevated permissions immediately after emergency troubleshooting windows close.

Conclusion

Selecting the appropriate Control Room role is fundamental to maintaining a secure, governed, and operationally stable digital workforce. By strictly mapping your team to these predefined functional boundaries and avoiding common pitfalls like role creep, you protect your enterprise automation ecosystem from both internal compliance failures and external security vulnerabilities.

1 reply

Aaron.Gleason
Automation Anywhere Team
Forum|alt.badge.img+6
  • Automation Anywhere Team
  • July 6, 2026

​@amankumar236 Please post questions here, not blog posts. If you want to make a blog post, please contact community@automationanywhere.com.