Solved

Please resolve my confusion among different users/roles that we have in the locker and what is the difference between each of them?

  • 28 January 2023
  • 7 replies
  • 272 views

Badge +1

Please resolve my confusion among different users/roles/permissions that we have in the locker and what is the difference between each of them?

(1) I do not understand the significance and difference between each of these 4 terms in the locker, viz. Locker OWNER, Locker MANAGER, Locker PARTICIPANT, Locker CONSUMER. Please explain the difference between each of these, using a practical example/story, right from when we create the credential, then add it to the locker, then ask for user-provided values of these credentials, etc. So, in this practical example/story, please explain the roles and significance of each of the terms from Locker OWNER, Locker MANAGER, Locker PARTICIPANT, Locker CONSUMER, and at which point of time during the example/story these terms are used.

(2) Also, I have a confusion especially between the Locker PARTICIPANT and the Locker CONSUMER. In this case, who is the BOT Developer and who is the person from the business from whom we just need their login id and password? Is the Bot Developer/Bot Runner analogous to the Locker PARTICIPANT or the Locker CONSUMER?

 

(3) Also, in the case of Locker OWNERS, MANAGERS, PARTICIPANTS, we have the option to add USERS, but why, in the case of Locker CONSUMERS, do we have the option to add ROLES? Why is there a difference here in the case of CONSUMERS, versus the others?

 

(4) Also, please enlighten on the difference between these terms/roles/permissions that I asked above, versus the "Locker_Admin" role and do these overlap in any scenario?


Best answer by Padmakumar 29 January 2023, 10:53


7 replies

Userlevel 7
Badge +13

Hi @SahilM1 ,

 

Below are the key differences between these roles in a nutshell. 

 

  • Locker Owner: A locker owner can edit, view, and delete a locker, and can add or remove other owners.

  • Locker Manager: A locker manager has access to all the functions of a locker owner, but does not have permission to add owners, managers, or participants to the locker.

  • Locker Participants: A locker participant has access to view a locker and its participants, and can also add their own credentials to a locker. A locker participant cannot access or view credentials created by other users.

  • Locker Consumers: Locker consumers have access to view a locker and input a credential attribute value (if the attribute is configured for user-input). When you select one or more user-defined roles, the users who have these selected roles become consumers of the locker.

 

Please refer here for further details on this.

 

Badge +1

@Padmakumar Thanks for responding, but this information that you posted is already available on the documentation and the reason why I have asked this question on this forum, is that I am unable to understand this from the documentation.

As I have requested in the question, if you could please explain all these roles/permissions using a practical example/story/use case, and then explain the roles and significance of each of the terms from Locker OWNER, Locker MANAGER, Locker PARTICIPANT, Locker CONSUMER, and at which point of time during the example/story/use case, are these terms used, then your response will answer my query and sort out these confusions.

Userlevel 7
Badge +13

Hi @Shehbaz 4744 ,

 

See the below example which I think will give a better picture on this.

 

I have a locker called Apparel Portals, to which I have added 3 credentials (showing under the Selected section).

All the Users who have the Locker_admin role assigned can create/manage Lockers.

The manager can be ignored.

 

The Participants will be those who are actually adding new credentials and they can’t remove credentials from it. Also, in order to access these saved credentials, they must be a Consumer.

 

I have created a custom role called Locker_Consumer and I have assigned that to all the Runners.

The Locker_consumer role should have the below-mentioned features selected.

 

  1. View dashboards.
  2. View my activity.
  3. Manage my credentials and lockers.
  4. Create standard attributes for a credential.
  5. Create standard attributes for a credential.
  6. View and manage my Bot runners, Bot creators and device pools.

 

 

I hope this will help.

Badge +1

Thank you so much @Shehbaz 4744 for giving clarity to my question and helping me to ask it in a better way. Kudos and thumbs up to you!

Thank you so much @Padmakumar for your response and for your latest reply to this question, with supporting screenshots.

@Padmakumar Your latest answer helped me understand most of it in a better way. But still, there are a few confusions that I have. Please answer these.

(1) I have a confusion especially between the Locker PARTICIPANT and the Locker CONSUMER. In this case, who is the BOT Developer and who is the person from the business from whom we just need their login id and password? Is the Bot Developer/Bot Runner analogous to the Locker PARTICIPANT or the Locker CONSUMER?

(2) To support the above point, let us understand from the point of view of a BOT DEVELOPER. Suppose I am a Bot Developer, and I am developing the entire logic for the bot. Now, within my bot, suppose I need to log in to a Salesforce account, and for this I need the login credentials from the BUSINESS TEAM (who are purely from the business side, and not very technically aware of A360. So, as per my understanding, I simply assign them the role of CONSUMER and ask them for USER-PROVIDED credentials, which will automatically send an email to them asking for the credentials.)

(2.1) Apart from this, what are the other authorities and capabilities that a CONSUMER has?

(2.2) As a BOT DEVELOPER, which role/permission needs to be given to the BOT DEVELOPER? Does he require the PARTICIPANT permission, or the CONSUMER permission, and why?

(3) Also, in the case of Locker OWNERS, MANAGERS, PARTICIPANTS, we have the option to add USERS, but why, in the case of Locker CONSUMERS, do we have the option to add ROLES? Why is there a difference here in the case of CONSUMERS, versus the others?

Userlevel 7
Badge +13


(1) I have a confusion especially between the Locker PARTICIPANT and the Locker CONSUMER. In this case, who is the BOT Developer and who is the person from the business from whom we just need their login id and password? Is the Bot Developer/Bot Runner analogous to the Locker PARTICIPANT or the Locker CONSUMER?

 

Ans: A Locker Participant can be anyone who creates the Credentials, which are then saved inside the locker. Once they are added as a Participant, they will get a notification to put the credentials in the locker. The notification will come either through mail or, once they log in to the CR through their account, they can see it under Manage → Credentials → Credential Request. As I mentioned in my previous comment, Locker Participants can only add Credentials but won’t be able to remove them.

 

(2) To support the above point, let us understand from the point of view of a BOT DEVELOPER. Suppose I am a Bot Developer, and I am developing the entire logic for the bot. Now, within my bot, suppose I need to log in to a Salesforce account, and for this I need the login credentials from the BUSINESS TEAM (who are purely from the business side, and not very technically aware of A360. So, as per my understanding, I simply assign them the role of CONSUMER and ask them for USER-PROVIDED credentials, which will automatically send an email to them asking for the credentials.)

(2.1) Apart from this, what are the other authorities and capabilities that a CONSUMER has?

(2.2) As a BOT DEVELOPER, which role/permission needs to be given to the BOT DEVELOPER? Does he require the PARTICIPANT permission, or the CONSUMER permission, and why?

 

Ans: The Business user can be considered a Locker Participant, as they are only dealing with putting credentials into the locker. But for you as the BOT Developer, for testing during development, in order to use those saved credentials, you should have the Locker_Consumer role assigned. Similarly, the same will be required for the BOT runner to access the same credentials.

Note: Here, the Locker_consumer role is a custom-created one; don't mix it up with the Locker Consumer part in the Locker creation.

 

(3) Also, in the case of Locker OWNERS, MANAGERS, PARTICIPANTS, we have the option to add USERS, but why, in the case of Locker CONSUMERS, do we have the option to add ROLES? Why is there a difference here in the case of CONSUMERS, versus the others?

Ans: Simply put, it is the AA concept. Usernames won’t show under the Locker Consumer section, but the Roles do. For better understanding, consider the Owner, Manager and Participant as Users and the Locker Consumer as a role. You need to create a Custom Role, or you can enable the features mentioned in my previous comment on an already existing custom role. Later, just add it to the Consumer part.

Note: Only those Users who have this custom role assigned will have the ability to access the credentials from the locker.

 

 

Hope this will give a better clarity.
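
The user-versus-role distinction discussed in this answer can be sketched as an access-review helper. This is an added example, not part of the original thread and not Automation Anywhere code or its API; the user names and the roles `Basic`, `Bot_Creator` and `Bot_Runner` are constructed for illustration.

```python
# Toy model (assumption): owners/managers/participants are listed as users,
# while consumers are listed as roles and resolved through role assignment.
from dataclasses import dataclass, field


@dataclass
class Locker:
    name: str
    owners: set = field(default_factory=set)          # user names
    managers: set = field(default_factory=set)        # user names
    participants: set = field(default_factory=set)    # user names
    consumer_roles: set = field(default_factory=set)  # role names, not users


def effective_capacities(locker, user_roles):
    """Return {user: set of locker capacities the user effectively holds}."""
    result = {}
    direct = (("owner", locker.owners),
              ("manager", locker.managers),
              ("participant", locker.participants))
    for capacity, users in direct:
        for user in users:
            result.setdefault(user, set()).add(capacity)
    # Consumers are indirect: any user holding one of the selected roles.
    for user, roles in user_roles.items():
        if roles & locker.consumer_roles:
            result.setdefault(user, set()).add("consumer")
    return result


def review(locker, user_roles):
    """List who can use stored credentials and who can only add them."""
    caps = effective_capacities(locker, user_roles)
    return {
        "consumers": sorted(u for u, c in caps.items() if "consumer" in c),
        "participants_without_consumer":
            sorted(u for u, c in caps.items() if c == {"participant"}),
    }


# Constructed sample data for the "Apparel Portals" locker from the thread.
USER_ROLES = {
    "biz_user": {"Basic"},
    "bot_dev": {"Bot_Creator", "Locker_Consumer"},
    "runner1": {"Bot_Runner", "Locker_Consumer"},
    "admin1": {"Locker_Admin"},
}
LOCKER = Locker("Apparel Portals", owners={"admin1"},
                participants={"biz_user"},
                consumer_roles={"Locker_Consumer"})

if __name__ == "__main__":
    print(review(LOCKER, USER_ROLES))
```

In this model, granting the custom role to another user makes them a consumer without editing the locker itself, which is why a periodic review of role assignments matters as much as a review of the locker's user lists.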

Badge +1

Thanks @Padmakumar for your detailed answer.
Just one more remaining query on this. In the above answer you have said “Locker_consumer role is a custom created one and don't mix it with the Locker Consumer part in the Locker creation. ”.

  • Could you please elaborate more about this role “Locker_consumer” that you have created, and what all permissions have you given to this role, and WHY(reason behind each permission), and also, to whom all do you give this role in your A360 project ?
  • Also, could you share the screenshot from your Control Room, of where have you given these permission. Where can we find all these permissions and select/enable them for our consumer role.
  • My query is related to the concept of RBAC discussed in this documentation link, "https://docs.automationanywhere.com/bundle/enterprise-v2019/page/enterprise-cloud/topics/security-architecture/cloud-rbac-in-credential-vault-credentials-management.html".

    Please explain this concept to me, especially the table given at the end of the article in the above link, where in addition to the locker permissions, there are also some "credential" permissions listed. Also, what is meant by the last 2 permission columns in that table, viz. "User-provided value" and "Standard value"?


 

Userlevel 7
Badge +13


The custom-created Locker_Consumer role has the below features enabled. As their names imply, these are for viewing & managing credentials.

 

Below are the Users to which the role has been assigned.

 

 

Standard value: This type of credential is set by the Credential owner while creating the Locker. The same value should be used by all Locker_consumers.

User-provided value: This type of credential is set by the Locker participants. In such cases, they will get a mail notification (if that feature is enabled for the user) when the Locker is created and they are given Participant access. After that, the user can log in to his/her account and set up the Credentials through the Manage → Credentials → Credential Request option.

 
