SECURE MANAGEMENT OF A ROBOTIC PROCESS AUTOMATION ENVIRONMENT

20230262045 · 2023-08-17

    Abstract

    The present invention is directed towards the secure management of authorization data and automated processing of instructions in a robotic process automation environment, which allows the management of secrets within such a platform. Secrets may be credentials, access rights, passwords, keys or the like. The underlying message flow can be implemented as a computer implemented software protocol in a distributed RPA (robotic process automation) environment. The invention is furthermore directed towards a respectively arranged system arrangement along with a computer program product and a computer-readable medium.

    Claims

    1. A method for secure management of authorization data and automated processing of instructions in a robotic process automation environment, comprising: transmitting a certificate data item issued by a certificate providing server to an orchestration server and at least one robot entity; linking the at least one robot entity with the orchestration server; transmitting link token data from the certificate providing server to the at least one robot entity; linking the at least one robot entity with a vault server and sending credential data from the vault server to the at least one robot entity upon request by the respective at least one robot entity; and using the sent credential data by respectively each of the at least one robot entity to authenticate and authorize each of the respective at least one robot entity at a number of legacy systems to perform tasks assigned to each of the at least one robot entity by the orchestration server after linking.

    2. The method of claim 1, characterized in that the certificate data item comprises a public key for authentication of the at least one robot entity.

    3. The method of claim 1, characterized in that linking the at least one robot entity with the orchestration server comprises setting up a communication session.

    4. The method of claim 1, characterized in that the link token data specifies rights valid for at least one robot entity to access the vault server, an expiration date, a vault server address and/or access rights.

    5. The method of claim 1, characterized in that the vault server provides a secured and trusted environment comprising a key management infrastructure.

    6. The method of claim 1, characterized in that the credential data comprises a private key for authentication and authorization of the at least one robot entity at one or more of the legacy systems, an authentication secret, an authorization secret, a password and/or access data.

    7. The method of claim 1, characterized in that the orchestration server divides a process to be accomplished into single tasks and assigns them to the at least one robot entity for its accomplishment.

    8. The method of claim 1, characterized in that the legacy systems are accessed by the at least one robot entity using predefined interfaces.

    9. The method of claim 1, characterized in that the at least one robot entity is deployed remotely from the orchestration server, the certificate providing server and/or the vault server.

    10. The method of claim 1, characterized in that the orchestration server, the certificate providing server and/or the vault server are operated in a cloud server.

    11. The method of claim 1, characterized in that the at least one robot entity comprises a software agent, a set of control instructions, a physical robot, a software robot and/or an autonomous artificial intelligence agent.

    12. The method of claim 1, characterized in that the method is implemented as a software protocol in a distributed environment.

    13. A system arrangement for secure management of authorization data and automated processing of instructions in a robotic process automation environment, comprising: a certificate providing server arranged to transmit a certificate data item issued by the certificate providing server to an orchestration server and at least one robot entity; an interface unit arranged to link the at least one robot entity with the orchestration server; a further interface unit arranged to transmit link token data from the certificate providing server to the at least one robot entity; a communication unit arranged to link the at least one robot entity with a vault server and send credential data from the vault server to the at least one robot entity upon request by the respective at least one robot entity; and an authorization unit arranged to use the sent credential data by respectively each of the at least one robot entity to authenticate and authorize each of the respective at least one robot entity at a number of legacy systems to perform tasks assigned to each of the at least one robot entity by the orchestration server after linking.

    14. (canceled)

    15. A non-transitory computer-readable medium having stored thereon instructions that, if executed by one or more processors, cause the one or more processors to perform operations comprising: transmitting a certificate data item issued by a certificate providing server to an orchestration server and at least one robot entity; linking the at least one robot entity with the orchestration server; transmitting link token data from the certificate providing server to the at least one robot entity; linking the at least one robot entity with a vault server and sending credential data from the vault server to the at least one robot entity upon request by the respective at least one robot entity; and using the sent credential data by respectively each of the at least one robot entity to authenticate and authorize each of the respective at least one robot entity at a number of legacy systems to perform tasks assigned to each of the at least one robot entity by the orchestration server after linking.

    16. The non-transitory computer-readable medium of claim 15, characterized in that the credential data comprises a private key for authentication and authorization of the at least one robot entity at one or more of the legacy systems, an authentication secret, an authorization secret, a password and/or access data.

    17. The non-transitory computer-readable medium of claim 15, characterized in that the operations are implemented as a software protocol in a distributed environment.

    18. The non-transitory computer-readable medium of claim 15, characterized in that the at least one robot entity comprises a software agent, a set of control instructions, a physical robot, a software robot and/or an autonomous artificial intelligence agent.

    19. The non-transitory computer-readable medium of claim 15, characterized in that the legacy systems are accessed by the at least one robot entity using predefined interfaces.

    20. The system of claim 13, characterized in that the credential data comprises a private key for authentication and authorization of the at least one robot entity at one or more of the legacy systems, an authentication secret, an authorization secret, a password and/or access data.

    21. The system of claim 13, characterized in that the at least one robot entity comprises a software agent, a set of control instructions, a physical robot, a software robot and/or an autonomous artificial intelligence agent.

    Description

    [0057] The invention will now be described merely by way of illustration with reference to the accompanying drawings:

    [0058] FIG. 1 shows a message flow diagram for secure management of authorization data and automated processing of instructions in a robotic process automation environment according to an aspect of the present invention; and

    [0059] FIG. 2 shows a further message flow and organization diagram in a robotic process automation environment according to an aspect of the present invention.

    [0060] FIG. 1 shows a method for secure management of authorization data and automated processing of instructions in a robotic process automation environment, comprising transmitting 1 a certificate data item issued by a certificate providing server to an orchestration server and at least one robot entity; linking 2 the at least one robot entity with the orchestration server; transmitting 3 link token data from the certificate providing server to the at least one robot entity; linking 4 the at least one robot entity with a vault server and sending 6 credential data from the vault server to the at least one robot entity upon request 5 by the respective at least one robot entity and using 7 the sent credential data by respectively each of the robot entities to authenticate and authorize each of the respective at least one robot entity at a number of legacy systems, namely IT systems 1, 2, . . . , to perform tasks assigned to each of the robot entities by the orchestration server after linking 2.

    [0061] The person skilled in the art recognizes that the aforementioned method steps can be performed iteratively or, optionally, in a different order.

    [0062] FIG. 2 shows the suggested arrangement according to an aspect of the present invention. Compared to FIG. 1, a developer is introduced who designs activities to be stored as a process by the orchestration server. To do so the developer may likewise require a certificate.

    [0063] In the following, aspects of secrets management in the suggested environment are described, such as the model and the concept for managing secrets in RPA and software robot implementations according to an aspect of the present invention. The organization denotes the holder of the legacy system or systems on which the worker, robot or software agent works. The cloud, indicated by the dotted circle on the left side, may combine the vault server and the orchestration server in one single cloud.

    [0064] RPA and Software Robot implementations according to an aspect of the present invention may have credentials to log in or get a permission to execute actions in IT systems. This creates fundamental security requirements to avoid misuse of these credentials.

    [0065] This invention consists, amongst others, of a process and technical solutions to manage the needed secrets and use them in a secure way.

    [0066] The solution according to an aspect of the present invention may consist of at least the following features:

    [0067] 1. Cloud-based orchestration service, Orchestrator, that controls software agents,

    [0068] 2. Software agents, Workers, that are installed locally,

    [0069] 3. Data storage, Vault, where secrets are encrypted, and/or

    [0070] 4. Certificate Provider that issues a Worker a unique certificate to run an operation.

    [0071] When a Worker is created according to an aspect of the present invention, it gets a certificate and link token. With the certificate it can create its private and public keys. With the link token the Worker can link itself to the Orchestrator to execute tasks and, in the linking process, exchange information so that they can identify each other with their public and private keys.

    [0072] The Certificate Provider issues the Worker rights to use the secrets (credentials) when the Orchestrator gives it a task that requires credentials. This happens according to an aspect of the present invention by providing an access token to the Worker. This token includes a link to use the Vault for a limited time (the time needed by the Worker to execute the task). After this:

    [0073] 1. The Vault identifies that the request comes from the genuine Worker, based on an authentic access token and (optionally) the private-public keys of the Vault and Worker.

    [0074] 2. The request includes parameters stating which Secrets are needed by the Worker. The Vault checks that the Worker has rights to get those Secrets.

    [0075] 3. The Vault sends the needed Secrets to the Worker over an encrypted connection and optionally the Secrets can be encrypted also on the application layer by the private-public keys of Vault and Worker.

    [0076] 4. The Worker is able to open the encryption with its private key.

    [0077] 5. The Worker uses the credentials as needed and/or

    [0078] 6. Vault collects an audit log from all Secret requests.
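The Vault-side checks in steps 1, 2 and 6 above, as an added example that is not part of the patent text. It assumes an HMAC-SHA256 tag over a JSON token as a stand-in for whatever makes the access token "authentic" (the patent does not specify a token format); the key, vault address, secret names and function names are constructed, and the encryption of steps 3 to 5 is not shown.

```python
import base64, hashlib, hmac, json, time

PROVIDER_KEY = b"constructed-demo-key"   # assumption: shared by Certificate Provider and Vault
VAULT_ADDR = "vault.example.internal"    # constructed vault address
SECRETS = {"erp-login": "s3cr3t-A", "crm-api-key": "s3cr3t-B"}  # constructed secrets
AUDIT_LOG = []                           # step 6: every request is recorded


def issue_token(worker_id, rights, ttl_s, now=None):
    """Certificate Provider side: sign worker id, rights, expiry and vault address."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": worker_id, "rights": sorted(rights),
                       "exp": now + ttl_s, "vault": VAULT_ADDR}).encode()
    tag = hmac.new(PROVIDER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def vault_request(token, wanted, now=None):
    """Vault side: steps 1, 2 and 6 of the flow. Returns (granted_secrets, reason)."""
    now = time.time() if now is None else now
    worker, reason, granted = "unknown", "ok", {}
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        # Step 1: authenticate the token before parsing any of its fields.
        expected = hmac.new(PROVIDER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad signature")
        claims = json.loads(body)
        worker = claims["sub"]
        if claims["vault"] != VAULT_ADDR:
            raise ValueError("token issued for another vault")
        if now >= claims["exp"]:
            raise ValueError("token expired")
        # Step 2: all-or-nothing check that every requested secret is in the token's rights.
        denied = [name for name in wanted if name not in claims["rights"] or name not in SECRETS]
        if denied:
            raise ValueError("no right to: " + ",".join(sorted(denied)))
        granted = {name: SECRETS[name] for name in wanted}
    except (ValueError, KeyError) as exc:
        reason = str(exc)
    # Step 6: log names and outcome only, never secret values.
    AUDIT_LOG.append({"ts": now, "worker": worker, "wanted": list(wanted), "result": reason})
    return granted, reason
```

Denied and malformed requests are logged as well as granted ones, so the audit log of step 6 also records failed attempts to reach Secrets.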

    [0079] The underlying message flow can be implemented as a computer implemented software protocol in a distributed RPA (robotic process automation) environment. The suggested method and the arrangement can be implemented as a robotics-as-a-service (RaaS) system.

    [0080] Use cases may include some legacy systems. Software robots can be used to automate more demanding tasks, including machine learning and artificial intelligence, and they still need some secrets and credentials to use other systems, although what is needed, e.g. to use an API and get data, is not always a login name and password type sequence but something similar.

    [0081] The terms “legacy system” and “system used” can, according to an aspect of the present invention, be used interchangeably. The same holds true for the terms “Robot Entity” (see FIG. 1) and “Worker” (see FIG. 2), which can likewise be used interchangeably. Consequently a robot and worker may be represented by the same entity. The Link Token can likewise be referred to as a (Vault) Access Token.