Common Security Concerns

OpenRPA stores its data in openflow, so if you are using the hosted openflow at https://app.openiap.io, employees at OpenIAP ApS will have access to certain data, including some sensitive data.
First up is user passwords. Passwords are stored in a one-way form (hashed, not reversibly encrypted), meaning no one can decrypt and read them back. It's NEVER a good idea to use passwords if you can use federation instead, so I highly recommend using a Google ID, Office 365 or Microsoft Live account instead; the security around those accounts should be much greater than what openflow can provide.

Next is encrypted fields. These are used, for instance, to store application credentials from NodeRED and OpenRPA. They are stored with AES-256 encryption, meaning they can be decrypted when needed. Like any other data in openflow, this data is protected by an access control list, but since admins always have access to all data (this is on by default; it can be disabled on your own openflow), the admins at https://app.openiap.io, employees at OpenIAP ApS, could potentially also get access to those credentials.

Next is OpenRPA workflows and state. When recording, OpenRPA snaps a small screenshot of each element, and those screenshots could potentially contain sensitive information. Anything you store inside the database, and therefore also inside the workflows, such as hardcoded usernames/passwords, database names, hostnames, etc., could be considered sensitive by some and will also be stored in openflow. Again, since admins by default have access to all information, so do employees at OpenIAP ApS when you use https://app.openiap.io.

When a workflow runs, every time it goes idle (for example while waiting on a detector, or while using invoke openflow / invoke openrpa), or when you use the "persist" activity, the workflow saves all of its information, including the contents of every variable in the workflow instance. This is saved both in the local database and in openflow; once the workflow completes, fails or is aborted, the information is removed from both places. Variables can contain sensitive data, so if you want to avoid saving them, you have three options.

  1. Run the robot offline and do not use openflow at all.
  2. Skip saving state in openflow and only save it locally, by setting skip_online_state to true in settings.json.
  3. Disable saving state altogether, by setting disable_instance_store to true in settings.json.
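As an added example (not OpenRPA or OpenFlow project code), the following Python check reads a settings.json and reports where instance state, and therefore the contents of workflow variables, will be written, using the two settings described above. It assumes the two keys are plain JSON booleans that default to false when absent, ignores all other settings, and takes the path to settings.json from the caller; the sample files embedded in it are constructed, not real configurations.

```python
"""Audit an OpenRPA settings.json for where workflow instance state (and so the
contents of workflow variables) will be persisted.

Added example, not OpenRPA or OpenFlow project code. Assumptions, not taken
from the original post: the two keys are plain JSON booleans that default to
false when absent, and the caller supplies the settings.json path. Only the
two keys discussed in the post are examined; all other settings are ignored.
"""
import json
from typing import List, Optional, Set


def _bool_setting(settings: dict, key: str, warnings: List[str]) -> bool:
    """Read a boolean setting strictly.

    Only JSON `true` enables an option. A non-boolean value (for example the
    string "true", an easy mistake when editing the file by hand) is reported
    and treated as false rather than silently guessed at.
    """
    value = settings.get(key, False)  # assumption: an absent key means false
    if isinstance(value, bool):
        return value
    warnings.append(f"{key} is {value!r}, not a JSON boolean; treating it as false")
    return False


def state_destinations(settings: dict, warnings: Optional[List[str]] = None) -> Set[str]:
    """Return where instance state is written, following the post:

    disable_instance_store = true -> nowhere (no state saved at all)
    skip_online_state = true      -> the local database only
    otherwise                     -> the local database and openflow
    """
    if warnings is None:
        warnings = []
    if _bool_setting(settings, "disable_instance_store", warnings):
        return set()
    if _bool_setting(settings, "skip_online_state", warnings):
        return {"local"}
    return {"local", "openflow"}


def audit(settings_json: str, allow_online_state: bool) -> List[str]:
    """Parse settings.json text and return human-readable findings.

    With allow_online_state=False, state leaving the machine is a violation.
    """
    findings: List[str] = []
    destinations = state_destinations(json.loads(settings_json), findings)
    if "openflow" in destinations:
        message = "variable contents are saved to openflow whenever the workflow goes idle"
        findings.append(message if allow_online_state else "VIOLATION: " + message)
    elif "local" in destinations:
        findings.append("variable contents are saved in the local database only")
    else:
        findings.append("no instance state is saved locally or in openflow")
    return findings


# Constructed sample files (not real settings.json contents); keys not
# relevant to state storage are omitted.
SAMPLE_DEFAULT = "{}"
SAMPLE_LOCAL_ONLY = '{"skip_online_state": true}'
SAMPLE_NO_STATE = '{"disable_instance_store": true, "skip_online_state": false}'
SAMPLE_BAD_TYPE = '{"skip_online_state": "true"}'


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # path to the robot's settings.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BAD_TYPE
    for finding in audit(text, allow_online_state=False):
        print(finding)
```

Run it as `python audit_settings.py <path to settings.json>` on a robot whose variables must not leave the machine; any line starting with VIOLATION means option 2 or 3 above has not taken effect. Note that disable_instance_store wins over skip_online_state, since with no instance store there is nothing to send online.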

OpenFlow, OpenIAP\NodeRed and OpenRPA all collect anonymous, non-sensitive telemetry data (see link for more information).
