Question
Robot activities audit with Non-Human credentials in RPA environment
If we follow the best practice, each robot in an RPA environment would have a machine name as its Pega operator ID.
However, there is a more rigid requirement which we might have to address.
The requirements are:
- The respective robot user IDs should not be anonymous. The ID should stand for which organization, which purpose. Ideally the ID should be associated with a human operator ID.
- Once robots are configured in a VM and go live, each robot ID and environment should be secured.
- The audit log should be recorded precisely and can be submitted to any governmental agency.
Please share with us your ideas on how we should address these requirements, or any past case studies you have experienced.
Thanks,
Nobuyuki Tateno
Let's go through these requirements one by one:
- The respective robot user IDs should not be anonymous. The ID should stand for which organization, which purpose. Ideally the ID should be associated with a human operator ID.
You are right - a robot should not use an anonymous ID to log on to business applications. The format of the IDs used by a robot is limited by the ID requirements dictated by the systems which the robot needs to access. For example, some legacy systems require IDs just 5 characters long - in this case you would need to accept some convention and encode the required information (organization, purpose, robot instance, etc.) into these 5 characters. Other systems support SSO, and in this case you need to encode the same information in the Windows ID. Also consider giving meaningful names to the VMs or desktops where Robotic Runtime is installed - the machine name is used by the robot to register at Robot Manager and can be used by you to audit the cases processed by the robot installed on a certain VM/desktop.
- Once robots are configured in a VM and go live, each robot ID and environment should be secured.
After go-live, access to the VM must be restricted to the Robotic ID and Administrator. At the same time you must keep the VM screen unlocked (read the PDN article regarding this: https://pdn.pega.com/technical-article-using-credential-store).
- The audit log should be recorded precisely and can be submitted to any governmental agency.
You can use the following logging: