Credential Management in RPA Hub
Summary of Credential Management in RPA Hub
Credential management in the RPA Hub Zurich release enables ServiceNow customers to streamline and securely manage the credentials robots use to automate processes. Instead of duplicating credentials across bot processes, you can create credential groups that bundle robot, application, and external credentials, then associate these groups with multiple unattended bot processes. This approach centralizes credential handling, reduces errors, and improves security by optionally integrating with an external credential vault for sensitive data retrieval, including Time-based One-time Password (TOTP) seeds for MFA-enabled applications.
Key Features
- Robot Credentials: Allow robots to log into Windows machines to perform automation. Access permissions vary by role, with release managers and administrators having full control, while developers and other roles have restricted viewing or editing capabilities.
- Application Credentials: Store application-specific usernames and passwords for robot login during automation. Role-based access controls ensure only authorized users can create, view, or modify credentials.
- TOTP Authentication: Supports multi-factor authentication by managing TOTP seeds for unattended bots. TOTP records cannot be edited; updates require retiring and recreating records. Role-based permissions govern creation and visibility.
- Credential Groups: Combine robot and application credentials into groups that can be assigned to multiple bot processes, simplifying credential management and reuse. Role permissions control creation and modification scope.
- External Credential Vault: Enables secure retrieval of credentials and TOTP seeds from external storage systems instead of ServiceNow records, enhancing security. Role-based access allows creation and updating by release managers and administrators, with others having view-only access.
Role-Based Access Control
Credential management enforces strict role-based permissions to balance security and operational needs:
- RPA Release Manager and Administrator: Full creation, viewing, updating, and deletion rights for most credential types and groups; deletion of external credentials is restricted.
- RPA Developer: Can create credentials and credential groups, but can only view and modify those they created or are linked to assigned bot processes.
- RPA Robot User and Support User: Primarily have viewing rights, with robot users unable to create or modify credentials.
- RPA Business User: Can create and manage application credentials they own or that are linked to assigned bots but cannot manage external credentials.
Practical Benefits for ServiceNow Customers
- Eliminates redundant credential creation by enabling reuse across multiple bot processes.
- Reduces configuration errors and improves operational efficiency through centralized management.
- Enhances security by integrating with external vaults and supporting MFA via TOTP.
- Supports compliance and governance by enforcing role-based access controls and auditability of credential use.
Streamline the credentials that robots use to perform the automation that you defined in the bot process. Instead of creating the same set of credentials for each bot process, you can create a credential group that includes a robot credential, application credentials, and external credentials. You can then associate the credential group to multiple bot processes.
Credential management overview
If you're an RPA release manager, RPA administrator, or RPA developer, you can create and associate credential groups to an unattended bot process. You can also set up an external credential vault to retrieve the robot credentials, application credentials, or a Time-based One-time Password (TOTP) seed from an external source. The seed is the secret key of the authenticator that is used to generate the TOTP. An external credential vault is a secure storage system often used to store and manage sensitive information such as user names, passwords, and other access credentials for various applications, services, or systems.
Benefits of credential management
- Define the credentials once and reuse them in multiple bot processes to improve the overall productivity of your resources.
- Reduce the number of errors that occur when you're configuring the same credential groups for different bot processes.
- Improve how credentials are accessed with centralized credential management.
- Securely retrieve the credentials from an external storage system by configuring the external credential vault.
Robot credentials
By creating robot credentials, you can enable robots to log in to a Windows machine and perform the automation. For more information, see Create a robot credential in RPA Hub.
In the following table, learn what users with different roles can do or can't do.
| Role | Can do | Can't do |
|---|---|---|
| RPA release manager and RPA administrator | Create, view, update, or delete the robot credentials. | - |
| RPA developer | | Can't view, update, or delete the robot credentials of the bot process that they aren’t assigned to or robot credentials that aren’t created by them. |
| RPA robot user | View all robot credentials. | Can't create, update, or delete the robot credentials. |
| RPA support user | View the robot credentials that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the robot credentials. |
Application credentials
By creating application credentials, you can add the user name and password that the robot can use to log in to a specific application at the time of the automation execution. For more information, see Create an application credential in RPA Hub.
In the following table, learn what users with different roles can do or can't do.
| Role | Can do | Can't do |
|---|---|---|
| RPA release manager and RPA administrator | Create, view, update, or delete the application credentials. | - |
| RPA developer | | Can't view the application credentials that aren’t created by them. |
| RPA business user | | Can't add the external credentials. |
| RPA robot user | View or edit all the application credentials. | Can't create or delete the application credentials. |
| RPA support user | View the application credentials that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the robot credentials. |
TOTP authentication
By setting up Time-based One-time Password (TOTP) seeds, you can enable the unattended robots to authenticate seamlessly against multi-factor authentication (MFA)-enabled applications. MFA-enabled applications provide additional security for users and their accounts.
You can't edit a TOTP authenticator record. If an existing TOTP authenticator record needs to change, you must retire the existing record and then create a new TOTP authenticator record. For more information, see TOTP authentication in RPA Hub and Create a TOTP authenticator in RPA Hub.
In the following table, learn what users with different roles can do or can't do.
| Roles | Can do | Can't do |
|---|---|---|
| RPA release manager and RPA administrator | Create, view, or delete the TOTP authenticators. | Can't update the TOTP authenticators. |
| RPA developer | | Can't update or delete the TOTP authenticators. |
| RPA robot user | View all TOTP authenticators. | Can't create, update, or delete the TOTP authenticators. |
Credential groups
By configuring the credential groups, you can map the application credentials and a robot credential to one or more bot processes. For more information, see Create a credential group in RPA Hub.
In the following table, learn what users with different roles can do or can't do.
| Roles | Can do | Can't do |
|---|---|---|
| RPA release manager and RPA administrator | Create, view, update, or delete the credential groups. | - |
| RPA developer | | Can't view, update, or delete the credential groups of the bot process that they aren’t assigned to or the credential groups that aren’t created by them. |
| RPA robot user | View all the credential groups. | Can't create, update, or delete the credential groups. |
| RPA support user | View the credential groups that are mapped to the bot processes that they’re assigned to. | Can't create, update, or delete the credential groups. |
External credential vault
By configuring an external credential vault, you can retrieve a robot credential, application credentials, or Time-based One-time Password (TOTP) seed from an external source instead of a ServiceNow credentials record. For more information, see External credential vault in RPA Hub and Create an external credential vault record in RPA Hub.
In the following table, learn what users with different roles can do or can't do.
| Roles | Can do | Can't do |
|---|---|---|
| RPA release manager and RPA administrator | Create, view, or update the external credentials. | Can't delete external credentials. |
| RPA developer | View the external credentials. | Can't create, update, or delete the external credentials. |
| RPA support user | View the external credentials. | Can't create, update, or delete the external credentials. |
| RPA business user | View the external credentials. | Can't create, update, or delete the external credentials. |