Planning for using the IBM RPA Vault

The IBM RPA Vault is a tool used for keeping and reusing safe credentials across your bots. Before you use it, you must consider the key concepts and see if your bot can benefit from it.

Understanding these key concepts can help you make an informed decision about using the IBM RPA Vault and can help you choose the best option for your needs.

Key concepts


A credential is a key that identifies a pair comprised of a user name and a password in IBM Robotic Process Automation to access an application, a module, or a specific resource from an application or process that is being automated. Credentials are also used to automatically unlock the machine where the bot will run.

For the System Vault, a credential represents a user and password set, whereas, for the User Vault, a credential by itself does not represent a specific user neither a user and password set, but a profile of a specific user and password pairs.

Credentials are used in bots that need to execute a task or process that requires authentication. These credentials are also used in the execution of scheduled jobs by the user in IBM Robotic Process Automation and, in these cases, the system will impersonate the user represented by the configured credential during the job. It is important to mention that all user access permissions are used during the job.

Private and public key pair

For the System Vault, you must check if the Tenant contains a public key pair configured. If a public key or certificate is configured, you must ask the Tenant's administrator for the specific private key. Without the private key, the System Vault is unable to decrypt the registered credentials. To see if a public key is registered, see Tenant credentials configuration.

If there is no public key registered, you must create your own public and private key pair, and keep them in a safe place, so you and other users can use the same private key.

However, registering a new public key overwrites the previous public key, and every computer that contains the previous private key is unable to decrypt credentials. Thus, you must ensure that you replace the private keys in every computer that uses the pair of keys.

For the user vault, you don't need to generate a key pair. You just need to register credential profiles on the Tenant. See how to do that in Vault credentials.

The user vault uses credential profiles that are only referenced in the tenant, but their values are configured locally on each computer. This means that if you register a user_login credential profile on the tenant, the value of that credential profile is not stored on the Tenant itself, only on the machine where the bot runs.

Attended or unattended bots

Depending on how you want your bot to run, you must consider what vault mode you need to use, or even if you must use both modes.

For unattended bots, use the System Vault. Entering credentials with the System Vault do not require human intervention, so you just need to configure these credentials before running the bot.

For attended bots, use the user vault. This means that when the bot is running, at some point it needs human intervention and the bot prompts the user to type the master password to access the IBM RPA Vault and get the user's credentials.

Reusing credentials

If the credentials are going to be reused in other computers, you must consider using the System Vault. System Vault credentials are registered and encrypted in the Tenant, and only those that contain the private key or certificate in the machine are able to decrypt these credentials.

However, that means that credentials can be accessed by anyone that contains the private key in the Tenant, and if that pair of credentials must be kept a secret, consider using the User Vault. The User Vault's credentials are registered locally, and can only be accessed by that specific machine. You must register a reference to these credentials in the Tenant, but the credentials values are encrypted and stored locally.

This means that any time that you want to reuse these credentials, you must manually register each credential in any computer that uses these same values.