User accounts, remote access, and security

There are a number of interactions for which user accounts are required as part of a Blue Prism implementation. Examples of these interactions include:

  • The user accounts used by the runtime resources to authenticate against the network or workgroup.
  • The user accounts the runtime resources will use to access and automate the line of business applications.
  • The user accounts used by Blue Prism controllers and process developers to configure, develop, release, and deploy processes and the associated queues, schedules and settings.

Security should also be considered in reference to:

  • Access (including remote access) to the various Blue Prism components (e.g. application server, runtime resources, interactive clients, database server etc.)
  • The logical access permissions granted to each user in relation to the actions available to them within a given Blue Prism environment.

User accounts: runtime resource network authentication

Considerations for the user accounts to be used when runtime resources are authenticated to the domain or workgroup include:

  • Whether auto-login is required, and how this will be achieved.
  • The authentication methods required for the applications that are to be automated (e.g. whether they use Active Directory integrated authentication, commonly referred to as Single Sign-On (SSO)).
  • Whether to implement the out-of-the-box functionality that allows Blue Prism to automatically manage the credentials used, including periodically resetting these user account passwords (whilst adhering to password complexity and history policies).

Further information is provided in relation to the user accounts and auto-login options in Blue Prism Runtime Resource.

User accounts: line of business applications

The Blue Prism runtime resources must have appropriate access to each of the line of business or third-party applications that are automated within Blue Prism processes. It is recommended that a user account with appropriate permissions is made available for each Blue Prism runtime resource that will have a concurrent connection to a given application, although runtime resources can use shared credentials if required.

The credentials for the user accounts used as part of a Blue Prism process should be securely stored, independently of the process definition, within a centralized Credential Management repository.

Access to specific credentials should be restricted to specific runtime resources, processes and users in order to prevent unauthorized use within the environment.
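As an added illustration (not Blue Prism code or its credential schema), the sketch below models the restriction described above as a default-deny check across runtime resource, process and user, and audits a constructed inventory for credentials left unrestricted. The `CredentialPolicy` structure, the `*` wildcard and all sample names are assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # assumed wildcard: no restriction on this dimension
DIMENSIONS = ("resources", "processes", "users")

@dataclass(frozen=True)
class CredentialPolicy:
    """Hypothetical access policy for one stored credential."""
    name: str
    resources: frozenset
    processes: frozenset
    users: frozenset

def _allowed(scope, value):
    # An empty scope matches nothing, so the default is deny.
    return ANY in scope or value in scope

def may_read(policy, resource, process, user):
    """All three dimensions must match before the credential is released."""
    return (_allowed(policy.resources, resource)
            and _allowed(policy.processes, process)
            and _allowed(policy.users, user))

def audit(policies):
    """Return {credential name: [scoping problems]} for review."""
    findings = {}
    for p in policies:
        issues = []
        for dim in DIMENSIONS:
            scope = getattr(p, dim)
            if ANY in scope:
                issues.append(f"{dim}: unrestricted")
            elif not scope:
                issues.append(f"{dim}: empty (credential unusable)")
        if issues:
            findings[p.name] = issues
    return findings

# Constructed sample inventory, for illustration only.
POLICIES = [
    CredentialPolicy("erp-bot-01", frozenset({"RR-01"}),
                     frozenset({"Invoice Posting"}), frozenset({"svc-rr-01"})),
    CredentialPolicy("crm-shared", frozenset({ANY}),
                     frozenset({"CRM Update"}), frozenset({ANY})),
]

if __name__ == "__main__":
    print(may_read(POLICIES[0], "RR-02", "Invoice Posting", "svc-rr-01"))
    for name, issues in audit(POLICIES).items():
        print(name, issues)
```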

Blue Prism processes can be configured to periodically change the line of business application password(s), taking account of necessary password complexity requirements, which ensures that the credentials are not known by any human operator.

User accounts: Blue Prism users (controllers / process developers)

By default, Blue Prism’s native authentication is used to manage user access to the Blue Prism application and for assigning appropriate controls and permissions to each user.

Alternatively, Blue Prism can be integrated with Active Directory Domain Services for controlling and configuring user access and control. See Active Directory Integration for more information.


Irrespective of the type of authentication selected, user access is role-based and configured independently for each environment, allowing specific users to have different access depending on the environment. This further supports the ability to prevent any one user from having ubiquitous access across all environments.
