> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-cxp-655.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a UiPath Orchestrator connector

> C1 provides identity governance for UiPath Orchestrator. Integrate your UiPath Orchestrator instance with C1 for unified visibility and governance over user access.

## Capabilities

| Resource | Sync                                                          | Provision |
| -------- | ------------------------------------------------------------- | --------- |
| Users    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Roles    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

## Gather UiPath Orchestrator credentials

<Warning>
  Use a confidential UiPath External Application with Orchestrator API access and
  application scopes. The current read-only connector requests
  `OR.Users.Read OR.Administration.Read`, which map to the Users and Roles read
  surface used by the connector.
</Warning>

<Steps>
  <Step>
    In UiPath, open **Admin** > **Tenant** > **External Applications**.
  </Step>

  <Step>
    Create or select a confidential External Application.
  </Step>

  <Step>
    Add **Orchestrator API Access** and grant application scopes
    `OR.Users.Read` and `OR.Administration.Read`. In tenant Swagger or the
    UiPath permissions reference, verify that the application can call the
    Users and Roles read endpoints.
  </Step>

  <Step>
    Copy the application App ID and App Secret. The secret is shown only at
    registration time.
  </Step>

  <Step>
    Copy the full Orchestrator OData URL ending in `/odata`.
  </Step>

  <Step>
    Copy the OAuth2 token endpoint URL for the UiPath organization.
  </Step>
</Steps>

## Configuration fields

| Field                     | Required | Description                                                                                                                  |
| ------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `uipath-orchestrator-url` | Yes      | Full UiPath Orchestrator OData base URL ending in `/odata`.                                                                  |
| `uipath-token-url`        | Yes      | Full OAuth2 token endpoint URL. For Automation Cloud, use `https://cloud.uipath.com/{organization}/identity_/connect/token`. |
| `uipath-client-id`        | Yes      | External Application App ID.                                                                                                 |
| `uipath-client-secret`    | Yes      | External Application App Secret.                                                                                             |
| `uipath-scopes`           | Yes      | Space-delimited OAuth scope list. Use `OR.Users.Read OR.Administration.Read` for the current connector surface.              |

## Synced resource types

* **Users**: UiPath users and directory users from `/odata/Users`.
* **Roles**: UiPath tenant roles from `/odata/Roles`.
* **Role assignments**: direct user-role grants from
  `/odata/Users?$expand=RolesForUser`.

## Special notes

* Provisioning is not supported in the current build.
* The connector authenticates with OAuth 2.0 client credentials and sends the
  resulting bearer token to Orchestrator.
* Robot account rows are filtered out.
* The connector models direct user-role assignments only. Group, account,
  inherited directory, and folder-scoped assignments are not synced.
* Standalone Orchestrator deployments can use different URL shapes than
  Automation Cloud. Verify the OData and token URLs before configuring the
  connector.

## Configure the UiPath Orchestrator connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **UiPath Orchestrator** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new UiPath Orchestrator connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Paste the UiPath credentials into the relevant fields:

        * **Orchestrator OData URL**: The full OData URL ending in `/odata`.
        * **OAuth2 token URL**: The organization-scoped token endpoint.
        * **Client ID**: The External Application App ID.
        * **Client secret**: The External Application App Secret.
        * **OAuth scopes**: The space-delimited scopes granted to the application.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by
        **Connected**. You can view the logs to ensure that information is
        syncing.
      </Step>
    </Steps>

    **Done.** Your UiPath Orchestrator connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the UiPath Orchestrator connector in your
    own environment.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new UiPath Orchestrator connector, set the
        owner, and click **Next**.
      </Step>

      <Step>
        In the **Settings** area, click **Edit**, then click **Rotate** to
        generate a new Client ID and Client Secret. Store these values
        securely for your deployment.
      </Step>

      <Step>
        Configure C1 credentials and UiPath credentials as environment
        variables:

        ```bash theme={null}
        BATON_CLIENT_ID=<C1 client ID>
        BATON_CLIENT_SECRET=<C1 client secret>
        BATON_HOST_ID=baton-uipath
        BATON_UIPATH_ORCHESTRATOR_URL=<Full Orchestrator OData URL ending in /odata>
        BATON_UIPATH_TOKEN_URL=<OAuth2 token endpoint URL>
        BATON_UIPATH_CLIENT_ID=<External Application App ID>
        BATON_UIPATH_CLIENT_SECRET=<External Application App Secret>
        BATON_UIPATH_SCOPES="OR.Users.Read OR.Administration.Read"
        ```
      </Step>

      <Step>
        Deploy the connector using the Public ECR image:

        ```bash theme={null}
        public.ecr.aws/conductorone/baton-uipath:<version>
        ```

        Use a version tag without the leading `v`, such as `0.0.3`.
      </Step>
    </Steps>

    **Done.** Your UiPath Orchestrator connector is now pulling access data into C1.
  </Tab>
</Tabs>