Security Credentials

EPAM Orchestrator supports a solution that provides the safety of your account within EPAM Orchestration service and allows the managers to set up user permissions.

Account Blocking

For security purpose, your account in EPAM Cloud will get blocked after four failing attempts to login to Orchestration. It will be automatically unblocked in 30 minutes, if no other login attempts are performed, and you will be able to try to log in again.

If your EPAM account also gets blocked and you unlock it with a request to Help Desk sooner than in 30 minutes, your Cloud account will still be inaccessible for you.

Registering in Orchestraion

Before you can start using the Orchestrator, you have to register your EPAM credentials. This is done via the or2-get-access(or2access) command that does not need any additional parameters: The command will prompt for you credentials, register them within the Orchestrator and create the file:


The credentials that the user enters according to the command request are checked for validity on Orchestrator side and a list of projects, available to the user, is drawn and stored in local Orchestrator storage.

You can run this command and provide the -s parameter to use your system credentials.

Passwords are never stored openly either on Orchestrator, or on Maestro CLI client side.

When the current Orchestrator session is finished, the specified credentials remain in the system and there is no need in registering on the next session start.

If you need to change the credentials for one reason or another, you have just to run the or2access once more.

Orchestrator allows Project Managers to customize user permissions to avoid any unwanted actions from specific project members and keep a better track of project infrastructure. Each project member is given access to a certain set of actions, depending on their current project role.

For more details on the user credentials and permissions, please see the Maestro CLI User Guide. Please pay special attention to section 1.3, Setting the Credentials.

User Roles and Permissions in Cloud

Apart from project roles, each Cloud User has a Cloud role that defines the user rights in EPAM Cloud. The role is set up by the Project Manager/Project Coordinator in the Staffing Portal accessible from the 'Resource Plan' page in UPSA:

Click 'Edit' to modify the user details:

Select the 'zCloudUser' or 'zCloudAdmin' role in addition to the project role:

By default, each user has Cloud User role that provides project role-based permissions.

The list of the default project roles, as well as the descriptions of the existing user group permissions, are given in Maestro CLI Reference Guide, Annex A: User Permissions.

If the permissions allowed according to the project role are not enough for a user, the Project Manager or coordinator can set the Cloud role to Cloud Admin. This role provides the user with max project permissions level.