Credential Management in RPA Hub

  • Release version: Yokohama
  • Updated January 30, 2025

    Streamline the credentials that robots use to perform the automation that you defined in the bot process. Instead of creating the same set of credentials for each bot process, you can create a credential group that includes a robot credential, application credentials, and external credentials. You can then associate the credential group with multiple bot processes.

    Credential management overview

    If you're an RPA release manager, RPA administrator, or RPA developer, you can create credential groups and associate them with an unattended bot process. You can also set up an external credential vault to retrieve the robot credentials, application credentials, or a Time-based One-time Password (TOTP) seed from an external source. The seed is the secret key of the authenticator that is used to generate the TOTP. An external credential vault is a secure storage system often used to store and manage sensitive information such as user names, passwords, and other access credentials for various applications, services, or systems.

    Benefits of credential management

    With credential management, you can do the following tasks:
    • Define the credentials once and reuse them in multiple bot processes to improve the overall productivity of your resources.
    • Reduce the number of errors that occur when you're configuring the same credential groups for different bot processes.
    • Improve how credentials are accessed with centralized credential management.
    • Securely retrieve the credentials from an external storage system by configuring the external credential vault.

    Robot credentials

    By creating robot credentials, you can enable robots to log in to a Windows machine and perform the automation. For more information, see Create a robot credential in RPA Hub.

    In the following table, learn what users with different roles can do or can't do.

    Table 1. Access control list for robot credentials
    | Role | Can do | Can't do |
    |---|---|---|
    | RPA release manager and RPA administrator | Create, view, update, or delete the robot credentials. | - |
    | RPA developer | • Create the robot credentials. • View the robot credentials that are created by them or the robot credentials that are mapped to the bot processes that they’re assigned to. • Update or delete the robot credentials that are created by them. | Can't view, update, or delete the robot credentials of the bot process that they aren’t assigned to or robot credentials that aren’t created by them. |
    | RPA robot user | View all robot credentials. | Can't create, update, or delete the robot credentials. |
    | RPA support user | View the robot credentials that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the robot credentials. |

    Application credentials

    By creating application credentials, you can add the user name and password that the robot can use to log in to a specific application at the time of the automation execution. For more information, see Create an application credential in RPA Hub.

    In the following table, learn what users with different roles can do or can't do.

    Table 2. Access control list for application credentials
    | Role | Can do | Can't do |
    |---|---|---|
    | RPA release manager and RPA administrator | Create, view, update, or delete the application credentials. | - |
    | RPA developer | • Create or view the application credentials. • Update or delete the application credentials that are created by them. | Can't view the application credentials that aren’t created by them. |
    | RPA business user | • Create the application credentials. • View the application credentials that are created by them or the application credentials that are mapped to the bot processes that they’re assigned to. • Update or delete the application credentials that are created by them. | Can't add the external credentials. |
    | RPA robot user | View or edit all the application credentials. | Can't create or delete the application credentials. |
    | RPA support user | View the application credentials that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the robot credentials. |

    TOTP authentication

    By setting up Time-based One-time Password (TOTP) seeds, you can enable the unattended robots to authenticate seamlessly against multi-factor authentication (MFA)-enabled applications. MFA-enabled applications provide additional security for users and their accounts.

    You can't edit a TOTP authenticator record. If changes are required to an existing TOTP authenticator record, you must retire the existing record and then create a new TOTP authenticator record. For more information, see TOTP authentication in RPA Hub and Create a TOTP authenticator in RPA Hub.

    In the following table, learn what users with different roles can do or can't do.

    Table 3. Access control list for TOTP authentication
    | Roles | Can do | Can't do |
    |---|---|---|
    | RPA release manager and RPA administrator | Create, view, or delete the TOTP authenticators. | Can't update the TOTP authenticators. |
    | RPA developer | • Create the TOTP authenticators. • View the TOTP authenticators that are created by them or TOTP authenticators that are mapped to the bot processes that they’re assigned to. | Can't update or delete the TOTP authenticators. |
    | RPA robot user | View all TOTP authenticators. | Can't create, update, or delete the TOTP authenticators. |
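
    The seed described above is the only secret behind every code an authenticator produces, which is why it is retrieved from a vault and why view access to TOTP authenticators is role-restricted. The following added example (not part of the ServiceNow documentation or RPA Hub code) generates and checks codes from a seed using the RFC 6238 defaults of HMAC-SHA1, a 30-second step, and 6 digits; those parameters, the function names, and the RFC test seed are assumptions, since the page does not state which parameters RPA Hub uses.

```python
import base64
import hashlib
import hmac
import struct


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 TOTP (HMAC-SHA1) for a Base32-encoded seed."""
    # Seeds are usually exchanged as Base32; tolerate spaces, lower case
    # and missing padding, as found in typical enrollment strings.
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)

    counter = unix_time // step                      # number of elapsed time steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Application-side check that tolerates `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(seed_b32, t, step), submitted):
            return True
    return False


# Constructed sample input: the published RFC 6238 test seed, Base32-encoded.
RFC_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 1111111109                                 # RFC 6238 test timestamp
    robot_code = totp(RFC_SEED, now)
    # Any process holding the same seed derives the same code, so a copied
    # seed is equivalent to possessing the second factor itself.
    print(robot_code, verify(RFC_SEED, robot_code, now + 30))
```

    Because the code depends only on the seed and the clock, retiring a TOTP authenticator record does not invalidate a seed by itself; the seed also has to be re-enrolled on the target application.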

    Credential groups

    By configuring the credential groups, you can map the application credentials and a robot credential to one or more bot processes. For more information, see Create a credential group in RPA Hub.

    In the following table, learn what users with different roles can do or can't do.

    Table 4. Access control list for credential groups
    | Roles | Can do | Can't do |
    |---|---|---|
    | RPA release manager and RPA administrator | Create, view, update, or delete the credential groups. | - |
    | RPA developer | • Create the credential groups. • View the credential groups that are created by them or the credential groups that are mapped to the bot processes that they’re assigned to. • Update or delete the credential groups that are created by them. | Can't view, update, or delete the credential groups of the bot process that they aren’t assigned to or the credential groups that aren’t created by them. |
    | RPA robot user | View all the credential groups. | Can't create, update, or delete the credential groups. |
    | RPA support user | View the credential groups that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the credential groups. |

    External credential vault

    By configuring an external credential vault, you can retrieve a robot credential, application credentials, or Time-based One-time Password (TOTP) seed from an external source instead of a ServiceNow credentials record. For more information, see External credential vault in RPA Hub and Create an external credential vault record in RPA Hub.

    In the following table, learn what users with different roles can do or can't do.

    Table 5. Access control list for the external credential vault
    | Roles | Can do | Can't do |
    |---|---|---|
    | RPA release manager and RPA administrator | Create, view, or update the external credentials. | Can't delete external credentials. |
    | RPA developers | View the external credentials. | Can't create, update, or delete the external credentials. |
    | RPA support user | View the external credentials. | Can't create, update, or delete the external credentials. |
    | RPA business user | View the external credentials. | Can't create, update, or delete the external credentials. |