Blue Prism

LOGICAL ACCESS MODEL (LAM) GUIDE


Version: 1.4

For more information please contact:


info@blueprism.com | UK: +44 (0) 870 879 3000 | US: +1 888 7577476
www.blueprism.com
Revision History

Date         Revision   Author   Description
28/08/2018   1.0        GB       Initial Draft
31/08/2018   1.1        JT       Multi-Team Environments added
13/09/2018   1.2        GB       Realigned with version 6.3
14/09/2018   1.3        JT       Minor grammatical changes
24/06/2019   1.4        BA       Hypercare Group section added

Commercial in Confidence
®Blue Prism is a registered trademark of Blue Prism Limited Page 2 of 12
Contents
1. Introduction
2. Logical Access Model Benefits
3. Creating/Updating the Logical Access Model (LAM) Process
3.1. Download the Logical Access Model (LAM) Template
3.2. Creating or Updating the LAM
3.3. Approving the LAM
3.4. Implementing the LAM
3.5. Testing the LAM
3.6. Publishing the LAM

The information contained in this document is the proprietary and confidential information of Blue Prism Limited and should not be
disclosed to a third party without the written consent of an authorised Blue Prism representative. No part of this document may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying without the written
permission of Blue Prism Limited

© Blue Prism Limited, 2001 - 2018

All trademarks are hereby acknowledged and are used to the benefit of their respective owners.
Blue Prism is not responsible for the content of external websites referenced by this document.

Blue Prism Limited, Centrix House, Crow Lane East, Newton-le-Willows, WA12 9UY, United Kingdom
Registered in England: Reg. No. 4260035. Tel: +44 870 879 3000. Web: www.blueprism.com

1. Introduction
This document outlines the usage of the Blue Prism Logical Access Model (LAM) template.

Any organisation wishing to utilise the Blue Prism application should use this guide to create their own Logical
Access Model (LAM).

Based on the Robotic Operating Model (ROM) roles defined, Blue Prism has developed LAM recommendations to
be used as a starting point. These are documented in LAM templates, detailed in the following chapters.

2. Logical Access Model Benefits

The creation and maintenance of a Logical Access Model for Blue Prism access in an organisation is imperative for
the following reasons:

• Promotes the segregation of duties and prevents an “everybody admin” scenario, while defining clear
responsibilities within Blue Prism across all environments
• The LAM is a documented record of the users or teams that have access to Blue Prism functionality
• The LAM can be used to check that the permissions or access rights applied within Blue Prism match what
is defined in the LAM
• The LAM is a documented record of user or team access in Blue Prism that can be reviewed by the RPA
Governance Board
• Provides an offline overview of the permissions or access rights to Blue Prism, without the need to
manually access each Blue Prism environment one by one
• Offers the opportunity to align the LAM for Blue Prism to the security policies and standards in your
organisation and to enforce the security requirements
• Results in a documented reference useful for audit purposes and incident management

3. Creating/Updating the Logical Access Model (LAM) Process

Blue Prism recommends each organisation creates and implements their own Logical Access Model immediately
after a Blue Prism environment is created. This should be included as part of any Blue Prism environment set-up.

The default user roles defined within the product should be replaced with user roles defined by the organisation’s
own Logical Access Model (LAM), derived from the Robotic Operating Model (ROM). This action should be carried
out for each Blue Prism environment, taking into account the differences in permission requirements between
environments (i.e. Development, UAT and Production). Note that the Runtime Resource and System Administrator
user roles cannot be changed.

The process of creating or updating the LAM should involve all stakeholders including the Head of RPA, the RPA
Governance Board and IT team, while considering the segregation of duties in the organisation. This process at a
high level will look something like this:

Your Blue Prism LAM should be approved by the RPA Governance Board and should comply with the organisation’s
security and standards.

As the RPA organisation grows, the LAM will need to be reviewed and updated before any access changes are applied
to the environments, using either the suggested process or the chosen internal standard change management
methodology. This ensures the LAM definition reflects the environments’ setup.

In the case of a Blue Prism upgrade from a previous version, an appropriate review and update of the LAM is also
recommended as part of the upgrade project, due to the potential impact of permission/access right changes in
newer versions of Blue Prism.

Your Logical Access Model (LAM) should document all user accounts and roles defined across all environments.

The following chapters describe the suggested process steps in more detail.

3.1. Download the Logical Access Model (LAM) Template

The Blue Prism Logical Access Model (LAM) template can be downloaded from the Blue Prism Portal. It can be
found in the Documents area by searching for “Logical Access Model (LAM)”. You will need to ensure you use the
template for the version of Blue Prism you are using.

Before starting work on your own Logical Access Model (LAM), read the Instructions sheet of the downloaded
template and familiarise yourself with the template itself, the Blue Prism user roles and permissions. If you are
using V6.3 or later of Blue Prism, you should also familiarise yourself with the access rights that can be applied to
groups.

3.2. Creating or Updating the LAM

The following sub chapters walk you through using the Blue Prism Logical Access Model (LAM) template.

3.2.1 User Access

Blue Prism access is role-based and configured independently for
each environment, allowing specific users to have different access
dependent on the environment.

This further supports the ability to restrict any user from having
ubiquitous access across all environments.

User roles should only be granted enough permissions to perform
their role effectively. Allowing more permissions than is necessary
is a security risk.

Users given more than one role will accumulate the maximum
permission of all those roles.

Please review the Blue Prism help for details on how to create
user accounts.

The Users sheet in the Blue Prism Logical Access Model (LAM)
template can be used for defining user accounts set up in
different environments. The roles in the template are standard
Robotic Operating Model (ROM) roles and they should be
replaced with the user roles defined by your ROM if they differ.

Note that the Runtime Resource and System Administrator user roles cannot be changed within Blue Prism.

If a user account needs to be granted multiple roles, please review the segregation of duties. Blue Prism
recommends assigning only one role to each user account.
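
As an added illustration (not part of the Blue Prism guide or template): because roles accumulate, an account's effective access is the union of its roles' permissions, and that is what has to be compared against the LAM when checking that an environment matches it (the benefit listed in chapter 2). The dictionaries below are constructed sample data standing in for the Role Permissions and Users sheets and for a manual record of each environment; the Developer and Tester roles, their permission names and the account names are hypothetical.

```python
# Added example with constructed data; this is not a Blue Prism export format.
# Role -> permissions, as recorded on the LAM "Role Permissions" sheet.
# "Web Service Consumer" and its two permissions are named in this guide;
# "Developer", "Tester" and their permission names are hypothetical.
LAM_ROLES = {
    "Web Service Consumer": {"Execute Process as Web Service",
                             "Execute Business Object as Web Service"},
    "Developer": {"Edit Process", "Edit Business Object"},
    "Tester": {"Run Process"},
}
# (environment, account) -> roles, as recorded on the LAM "Users" sheet.
LAM_USERS = {
    ("Development", "alice"): {"Developer"},
    ("Production", "svc_ws"): {"Web Service Consumer"},
    ("UAT", "bob"): {"Tester"},
    ("UAT", "dave"): {"Tester"},
}
# Roles actually found assigned in each environment (constructed sample).
ACTUAL_USERS = {
    ("Development", "alice"): {"Developer"},
    ("Production", "alice"): {"Developer"},      # account absent from the LAM
    ("Production", "svc_ws"): {"Web Service Consumer"},
    ("UAT", "bob"): {"Tester", "Developer"},     # second role added
}

def effective(roles, role_perms):
    """Permissions accumulate: the result is the union over every role held."""
    return set().union(*(role_perms.get(r, set()) for r in roles))

def audit(lam_users, actual_users, role_perms):
    """Return sorted (environment, account, finding, detail) tuples."""
    findings = []
    for env, user in sorted(set(lam_users) | set(actual_users)):
        have = actual_users.get((env, user), set())
        if (env, user) not in lam_users:
            findings.append((env, user, "UNDOCUMENTED_ACCOUNT", sorted(have)))
            continue
        want = lam_users[(env, user)]
        unknown = have - set(role_perms)
        if unknown:  # role exists in the environment but not in the LAM
            findings.append((env, user, "UNDOCUMENTED_ROLE", sorted(unknown)))
        if len(have) > 1:  # the guide recommends one role per account
            findings.append((env, user, "MULTIPLE_ROLES", sorted(have)))
        excess = effective(have, role_perms) - effective(want, role_perms)
        if excess:
            findings.append((env, user, "EXCESS_PERMISSIONS", sorted(excess)))
        missing = effective(want, role_perms) - effective(have, role_perms)
        if missing:
            findings.append((env, user, "MISSING_PERMISSIONS", sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in audit(LAM_USERS, ACTUAL_USERS, LAM_ROLES):
        print(*finding, sep=" | ")
```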

3.2.2 Logical Access Permissions

Blue Prism supports using a mixture of bespoke and out-of-the-box security roles to allow each user to be granted
the appropriate access in each environment.

It is necessary to establish any logical access restrictions that will be implemented to provide an appropriate level
of control and governance across the various environments.

These may include:

Further guidance on establishing appropriate logical access permissions is provided as part of the Blue Prism
Robotic Operating Model documentation available on the Portal.

The Role Permissions spreadsheet in Blue Prism’s Logical Access Model (LAM) template defines the permissions of
each user role within Blue Prism, across each environment.

The provided template LAM is a “standard” and recommended set of user roles and associated Blue Prism
permissions across each environment. Additional roles and changes to your LAM can be applied, ensuring your LAM
reflects your organisation’s roles and complies with your internal security policies and standards.

When defining the user roles’ permissions, reflection on the segregation of duties is strongly recommended.

You should update the Roles Permissions spreadsheet in your own LAM to reflect the intended roles and roles
permissions in your organisation.

Along with your defined roles, your LAM should also include the Runtime Resource and System Administrator roles.
This ensures your Blue Prism environments and LAM are synchronised, and is useful for audit purposes. These roles
should only be assigned to the appropriate user accounts.

For information on how to create user roles and select permissions, please review the Blue Prism help.

3.2.3 Multi-Team Environments

If you are using version 6.3 or later of Blue Prism you have the option of using the Multi-Team Environments
feature.

The Multi-Team Environment concept of Blue Prism version 6.3 brings a greater level of access control, allowing
Access Rights to be defined in addition to role permissions.

In previous versions, roles defined system-wide permissions for users, whereas in version 6.3, all Processes, Objects
and Resources reside in groups, and the access rights can refine permissions for groups. For other functionality
unrelated to groups, role permissions continue to fully define access.

Please note, the role permissions in the Blue Prism product were adjusted from version 6.3 onwards, therefore a
review and update of your own LAM should be part of your version 6.3 upgrade project, even if you decide not
to use the new Multi-Team Environments feature.

For more information on multi-team environments and on how to make use of the feature, the following
documentation available on the customer portal should be reviewed:

- V6.3 User Guide – Multi-Team Environments
- Multi-team environment – Implementation Overview

Note, a new Web Service Consumer role is pre-defined in version 6.3 with access to only the Execute Process as
Web Service and Execute Business Object as Web Service permissions. This role has been created to simplify the
ability to apply the correct permissions to user accounts that will be used to consume Blue Prism Processes and
Objects exposed as Web Services. This role grants the necessary execute permissions without providing access to
areas of the interface, such as Control Room. The role can be used in conjunction with the capabilities of Multi-
Team Environments to restrict which exposed Objects and Processes can be accessed by user accounts assigned to
this role.

If bespoke user roles are needed for technical purposes such as this, remember to document them in your LAM
following review by the RPA Governance Board.

A separate LAM template exists for version 6.3 or later and is available on the portal. It contains Instructions, Role
Permissions and Users sheets but also sheets outlining what a multi-team setup might look like for each
environment: development, UAT and production. The Instructions sheet of this template explains the multi-team
sheets in more detail.

If you choose to use Multi-Team Environments, the users sheet should reflect which team(s) each user is a member
of.

The Implement LAM chapter of this guide details how the permissions and access rights will be applied for each
environment as defined in your own LAM.

3.2.4 Hypercare Group

Go-lives of complex processes often pose a number of risks that must be recognised and minimised. Intensive
support and supervision in the production environment during the stabilisation phase is crucial for the success of
the go-live. This is precisely where it is often agreed to establish Hypercare support. The Hypercare phase is
typically a short-term provision of professional support resources.

The Hypercare group should only be created to place processes or business objects that need emergency fixes
applied to them. This group should offer a set of recommended permissions to deliver efficient support with
minimal run-in time during and after the go-live.

The Hypercare group should be used as it strengthens the audit trail, and approval should be given before moving
something in/out of the group. Items are only in this group temporarily, until stable running is confirmed, before
being placed back into their appropriate location. Developers can’t edit anything in production except for the items
in this group – maintaining security but providing flexibility.

3.3. Approving the LAM

After your own Logical Access Model (LAM) document is created or updated, it should be approved by your RPA
Governance Board and should comply with your organisation’s security and standards.

3.4. Implementing the LAM

After defining your LAM and having the approval of the RPA Governance Board, the user roles within Blue Prism
should be updated accordingly. Please reference the Blue Prism help for more details, by searching for “User
Permissions”, “User Roles” or “User Settings”.

In the first step, the user roles and their permissions will be updated in the System/Security/User Roles section of
the product, to reflect the Role Permissions sheet within your LAM. This needs to take place for each Blue Prism
environment.

As the second step, the user accounts and their assignment to user roles will be defined in the System/Security/Users
section of the product, according to the Users sheet of your LAM, across all environments.

If you are using Blue Prism version 6.3 or later and are using the Multi-Team Environments feature, the defined
access rights in your LAM will need to be applied to the respective environments.

3.5. Testing the LAM

After your LAM is implemented in all environments, the defined user accounts and user roles should be tested
across all environments. You should ensure each user role has enough permissions to perform their role effectively.
It is recommended to test at least one user account for each user role across all environments.

3.6. Publishing the LAM

When the Logical Access Model implementation is successfully tested, the LAM document must be communicated
and published appropriately in your organisation.

Any planned changes to the LAM should follow the described process and be reviewed before implementation by
the RPA Governance Board, while adhering to your internal change management methodology.
