Automation Academy

Security Best Practices for Your RPA Bots

30.08.2019

Data security is essential when it comes to automating business processes in large enterprises. Companies that come from industries, such as finance or banking, which traditionally handle a lot of confidential customer information, are rightfully worried about the security of private data used by RPA bots.

To provide a proper level of automation data security and ensure confidential information is handled correctly, RPA developers and SMEs should follow certain best practices when developing bot tasks.

RPA bot credentials

In many automated business processes, an RPA bot would need to log into one or several applications and move data between them. There are several data security best practices when it comes to handling the credentials used to access such applications.

Create special service accounts for the bot

It is good practice never to use existing users’ credentials. Instead, create separate accounts for the bot, with the same access level, in every application it needs to log into, and use only these accounts in the automated business processes. One reason is to protect employees’ credentials. Another is to separate the user’s activities from the bot’s for better auditing and visibility.

Example: You need to automate a certain process in SAP. Using an existing user’s credentials would be a bad practice because then an RPA bot will be indistinguishable from a person. A good practice of automation security, in this case, is to create a unique SAP account for the bot (or even several accounts for multiple bots, depending on the scale of automation in the company) and use these in the business process. That will help create a clear understanding of when a bot has conducted certain operations vs when a human did. It will also make it possible to attribute any possible mistakes or fraudulent actions.

Keep all credentials in the Secrets Vault

WorkFusion comes with a built-in password vault designed to store credentials in a secure way. It is available for both development and testing purposes (Secrets Vault in WorkFusion Studio) and in production (Secrets Vault in Control Tower).

The data stored in the Vault is encrypted and not visible to anyone. It is also not recorded in any logs or execution results, which eliminates the possibility of it being exposed to the outside world. Storing credentials right in the script or storing them in a text or an Excel file the bot would read is unacceptable, as that can lead to losing important credentials to the company’s applications.

Basic authentication

In the case of web basic authentication, when an RPA bot needs to pass credentials with the web application’s URL, you should use one of these security best practices:

  • Store the whole target URL containing the credentials in the Secrets Vault
  • Store the username and password in the Secrets Vault and create the URL dynamically at runtime
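The second option, sketched as an added example (not WorkFusion code and not part of the original article): the URL is assembled at runtime with percent-encoded credentials, and a logging filter keeps the `user:password@` part out of custom logs. `SAMPLE_VAULT`, the function and class names, the account values and `portal.example.test` are hypothetical stand-ins, and the HTTPS-only check is a choice made for this example.

```python
import logging
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical stand-in for a vault lookup; a real bot would read these values
# from the Secrets Vault at runtime. Values are constructed sample data.
SAMPLE_VAULT = {"portal": {"username": "svc-rpa-bot01", "password": "p@ss:w/rd#1"}}


def build_basic_auth_url(base_url, username, password):
    """Insert percent-encoded credentials into the userinfo part of base_url."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("basic-auth credentials require an HTTPS URL")
    if "@" in parts.netloc:
        raise ValueError("base URL already contains userinfo")
    # safe="" encodes ':', '@', '/' and '#', which would otherwise break URL parsing.
    userinfo = f"{quote(username, safe='')}:{quote(password, safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{parts.netloc}"))


_USERINFO = re.compile(r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)[^/\s@]+@")


def redact_userinfo(text):
    """Replace any user:password@ segment in URLs found in text."""
    return _USERINFO.sub(r"\g<scheme>***@", text)


class RedactUrlCredentials(logging.Filter):
    """Logging filter that scrubs URL credentials from every record it sees."""
    def filter(self, record):
        record.msg = redact_userinfo(record.getMessage())
        record.args = ()
        return True


def demo():
    secret = SAMPLE_VAULT["portal"]
    url = build_basic_auth_url("https://portal.example.test/reports?id=7",
                               secret["username"], secret["password"])
    log = logging.getLogger("bot.custom")
    log.addFilter(RedactUrlCredentials())
    log.warning("Opening %s", url)  # emitted as https://***@portal.example.test/...
    return url, redact_userinfo(f"Opening {url}")


if __name__ == "__main__":
    print(demo()[1])
```
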

Following these basic data access security practices will ensure that critical passwords will not be accessed by unauthorized people.

Using confidential data

As mentioned above, very often, the bot needs to move data between different systems in the organization. Sometimes, it can be confidential data. If you want to limit displaying this data anywhere, make sure to follow these data protection and security best practices.

Clear the clipboard at the end of each bot task

If you use the clipboard to copy-paste data, make sure to clear it at the end of each bot task, so no data is left there after the RPA bot has executed all actions. If you use loops in your script, it is also a good practice to clear the clipboard at the end of each loop.

Note that in this case, data saved in variables is still recorded in the execution log and the Results of the business process. Sometimes, it is important to see this data for auditing purposes. However, if the corporate data security practices in your organization prohibit recording and displaying certain types of data even in such cases, you can either not store the data in the variables at all and only copy-paste it using the clipboard, or purge the data in the variables.

Rewrite the data in the variables at the end of each bot task

If you rewrite the confidential data in the variables with blank values or other default values, it will be stored there only transiently (temporarily) and cleared at the end of the session, so it will not be recorded in the results.

Other RPA security best practices

Log important RPA bot activity

Intelligent Automation Cloud Enterprise automatically provides a complete audit trail for bot activities. In the Express edition, bot actions are recorded in various log files, and you can write custom logs to add extra traceability to the bot’s actions. Custom logging can also help you create more readable log files for business users to see:

  • completion of some important steps in the script
  • if the bot encounters a problem (exception handling)
  • temporary values of certain variables for auditing purposes

Configure the Group Policy Settings

This piece of advice is for administrators rather than RPA developers, but configuring the Group Policy Settings correctly will help you make sure that the bot has the required access to the resources it needs to use in the business processes. Another way to ensure this is to create special users for the bots in the Active Directory and adjust the bot configuration to give the bots the same access rights as domain users.

Following these best practices will help you provide the required level of data security in your company and even enhance it.