a week ago - last edited a week ago
Hello,
What is the difference between "Runtime Resource" and "Anonymous Runtime Resource" in the Access Rights list of Credential Manager?
I'm having trouble figuring out how to use these two items.
I remember that "Anonymous Runtime Resource" did not exist in 6.x, only "Runtime Resource" existed.
Wednesday
In Blue Prism, "Runtime Resource" and "Anonymous Runtime Resource" determine how robots (runtime resources) can access credentials stored in Credential Manager.
RR: Best for secure environments where you need detailed control over access.
ARR: It’s useful in test setups or places where security isn’t as strict.
In older versions (like 6.x), all robots needed to log in with a username, so "Anonymous Runtime Resource" wasn’t necessary. Blue Prism added it in 7.x to give you more flexibility.
Here You can find more info about the security roles:
https://docs.blueprism.com/en-US/bundle/blue-prism-enterprise-7-4/page/frmManageRoles.htmRuntime
Runtime Resources—The permissions assigned to this role cannot be changed, and the role cannot be deleted. It is now obsolete and might be removed in a future release.
Anonymous Runtime Resources – The permissions assigned to this role cannot be changed and the role cannot be deleted. This role allows system administrators to configure the credentials to which anonymous runtime resources can have access, so they do not have access to sensitive information that is unnecessary for their operation. This role is assigned the same permissions as the Runtime Resources role. If an anonymous runtime resource does not have access to a specific credential, an exception is triggered at runtime.
The Anonymous Runtime Resources role only displays on the System > Security - User Roles, it does not display on the Roles and permissions tab of a user's details screen, and it cannot be assigned by using the Manage role membership option on the Security - User Roles screen.
Thursday
Hello @Brigianakopec ,
Thank you for your detailed reply.
"It is now obsolete" means that checking the "Runtime Resources" item on the user roles screen is currently of no use?
Thursday - last edited Thursday
@sumire I believe that is correct that it is now no longer used. (Edit: Just to be clear, I mean that it isn't used by Blue Prism for the same purpose that it was before, which was to allow runtime resources access to credentials when they are anonymous, and that now Blue Prism does not intend for it to be relied on or used. The user role could still be currently used for things like Multi-Team Environments, I suppose, and I'm sure there are other ways someone theoretically could have been using it.) I imagine they didn't remove it from the product because it may be tangled in there a bit as it's been baked into Blue Prism for a long time.
One thing I want to correct from Brigiana's reply is the part about "Anonymous Runtime Resources" not being needed in the past. I can understand how it might look like that for sure. But anonymous Runtime Resources have been a thing for a while, and I believe it is actually the most common way organizations have their environments set up because it is the default way. It is more difficult to get it set up so that each Runtime Resource connects with authentication.
My guess is that Blue Prism decided to make it clear with the wording "Anonymous Runtime Resources" and then put the responsibility on the customer to choose to give credentials access to anonymous runtime resources. Because many customers already use this Runtime Resources user role, they may not be able to easily change the default behavior to have this unchecked. It would mean flipping that checkbox off for all customers, and that may be used for other purposes. Anyway, from what I can see, there's no real difference from before, and it's just genuinely more clear now about what its purpose is. And I like that the "Anonymous Runtime Resources" user role cannot be assigned to users. This seems like a good way to have implemented this.