Manage sub-accounts and assign licenses-Robotic Process Automation(RPA)-阿里云帮助中心

Overview

Super Admin

For public cloud deployments of Alibaba Cloud RPA, the Super Admin corresponds to your Alibaba Cloud account. Therefore, to perform operations that require Super Admin privileges, you must log in to the console with your Alibaba Cloud account.

Sub-accounts

The following table describes the permissions required for different phases.

Phase	Required permissions
Developer: Develop automation processes	Log in to the editor: The sub-account must be assigned an editor license in the console. For more information, see Assign editor licenses. Develop projects (Cloud projects) and manage asset variables (Create asset variables) Publish applications, and publish and use custom components
User: Run automation processes	On-premises robot. Log in to the robot. The sub-account must be assigned a robot license in the console. Specify which applications the account can run. Specify the scope of on-premises robots the account can use. Service-based robot. Currently, all service-based robots can run any published application within the enterprise. Permission management is determined by your upstream system.
Management	Assign an administrator role to a sub-account. In Member Management, you can set sub-account roles and create custom roles. For more information, see Manage console roles. Important By default, only your Alibaba Cloud account can use the Member Management feature. To grant administrator permissions to a sub-account for the RPA console, see Grant a sub-account administrator permissions for the RPA console.

Manage sub-accounts (public cloud)

Alibaba Cloud RPA supports two account management systems for public cloud deployments: Alibaba Cloud RAM and Alibaba Cloud IDaaS. You can choose the one that best fits your needs.

Account system	Use cases
Alibaba Cloud RAM (default)	Use case 1: Robots primarily run as services, triggered by OpenAPI calls, schedules, or MCP. Use case 2: A small number of users manually run robots from the client.
Alibaba Cloud IDaaS	Use case 1: A large number of users manually run robots from the client. Use case 2: User accounts need to be managed through a unified corporate identity system, such as synchronization with DingTalk or Active Directory (AD).

Use Alibaba Cloud RAM to manage sub-accounts

Create an Alibaba Cloud RAM user. Before you add a sub-account in the RPA Console Member Management menu, you must first create a RAM user in the Alibaba Cloud RAM console. As shown in the following figure.
Important
To ensure compatibility with Alibaba Cloud RPA, use the following settings when you create a RAM user:
- Access mode: Select Console Access.
- Multi-factor authentication (MFA): We recommend selecting 'Not required'.
  - If enabled, you must authenticate when logging in to the robot or editor client with the RAM user.
  - If your corporate security policy requires MFA, you can use the Dynamic Login Code method to log in to the client and meet compliance requirements.

Return to the Member Management page in the Alibaba Cloud RPA console, click Create Account, as shown in the following figure.

Main field	Description
Member account	Select an existing RAM user to bind.
Member nickname	Enter a nickname for the account. The nickname can be 1 to 16 characters long and can include letters, numbers, and the following special characters: @ . - _
Department	The highest-level department in the organization management tree is selected by default. To change the department, first create an organization tree.
Role	Select a role for the account from the drop-down list. The role defines the account's permissions and what it can see in the console. To create a new role or modify an existing one, go to System Settings > Role List.
Email	Enter the email address associated with the account.
Robot license	An account must have a robot license to log in to the robot client. For more information about the assignment process, see the following sections.
Editor license	An account must have an editor license to log in to the editor client. For more information about the assignment process, see the following sections.

Manage sub-accounts using Alibaba Cloud IDaaS

For more information, see Manage sub-accounts using Alibaba Cloud IDaaS.

Change the account management system

Public Cloud RPA provides two account systems for managing sub-accounts: Alibaba Cloud RAM and Alibaba Cloud IDaaS.

The account system stores account information, such as usernames, passwords, and other logon methods. Public Cloud RPA links these accounts to the RPA service.
Only one account system can be active at a time.
To switch the account system, go to the Member Management page and click "Settings" in the upper-right corner.
Important
Impact of switching the account system:
- All sub-accounts in RPA are deleted. Only the main account remains. This does not affect account information previously created in Alibaba Cloud RAM or Alibaba Cloud IDaaS.
- All licenses for bound RPA editors and robots are released. The corresponding clients will become unusable.
- After the switch, re-create the sub-accounts in the selected account system and bind the licenses for the editors and robots.

Assign editors and on-premises robots

After creating sub-accounts, use an account with Member Management permissions to assign robot licenses and permissions to the sub-accounts. A super administrator account is an example of an account with these permissions.

Assign editors

After you assign an editor license to an account, you can use that account to log on to the editor client and develop automation processes. You can assign editor licenses in two ways.

Method 1: Select a member, either an Alibaba Cloud account or a sub-account, and then add or modify their license.
Method 2: Assign licenses in a batch. Select multiple members from the member list and assign licenses to them in a single operation. Batch operations support only Professional Edition editor licenses and Professional Edition robot licenses.

Assign on-premises robots

Assign on-premises robot licenses

After you assign a robot license to an account, you can use that account to log on to the robot client and run automation processes. The steps are the same as for assigning editors.

Configure on-premises robots for an account

In the Member Management menu, configure which on-premises robots an account can use.

Note

If some on-premises robots are missing from the list in the specified scope, log back in to the on-premises robot client and try again.

This configuration lets you do the following:

Run on-premises robots

	Scope setting: All	Scope setting: Specified scope
Manually run a robot from the client	Runs only on the robot where this account is logged in.	Runs only on the robot where this account is logged in.
Remotely call a robot (scheduled execution, API-triggered execution, MCP Tool call)	All on-premises robots	The robot where this account is logged in + added on-premises robots

Manage on-premises robots. From the Robot Monitoring page in the console, the account can view and manage only the on-premises robots that it has permission to use.

Log on to the client

After you create sub-accounts and assign licenses, you can log on to the client. The following table summarizes the logon methods for different account types. For more information, see Log on to the client.

Account type	Supported client logon methods
Alibaba Cloud account	Logon methods supported by Alibaba Cloud accounts RPA dynamic logon code
Sub-account (Alibaba Cloud RAM)	Logon methods supported by Alibaba Cloud RAM, such as account and password RPA dynamic logon code
Sub-account (Alibaba Cloud IDaaS)	Logon methods supported by Alibaba Cloud IDaaS, such as account and password RPA dynamic logon code

Department management

If you need to manage many member accounts, you can create sub-departments. You can create member accounts in these sub-departments. You can also change an account's department in the account list.

Manage console roles

Three built-in roles are provided by default. You can view them in System Settings - Role List:

Super Admin: This role is only for your Alibaba Cloud account. It cannot be assigned to sub-accounts.
administrator: This role does not have Member Management permissions, unlike the Super Admin. To make a sub-account an administrator, see Add RPA console administrator permissions to a sub-account.
Employee: This role is for business users. It only lets them request and use RPA applications.

You can also add custom roles in System Settings - Role List.