As in any other tool or technology present in your environment, Orchestrator also has a security layer that can be worked and defined to avoid unauthorized access or prevent the misuse of Runbooks or the service.
Until this point in this book, you've seen which firewall ports to configure for Orchestrator to work and communicate properly, which service accounts to set and for what reason in Active Directory, and even which security groups to create in order to segregate the service access and rights for execution of tasks within Orchestrator, or execution of Runbooks.
Within the Runbooks, you might find yourself having to include or insert passwords for certain activities to execute, and therefore, leaving those passwords in plain text. We discourage you to do so, and instead to use the encrypted variable functionality so that you can protect that sensitive information.
Regarding the Orchestrator access, we've defined three types of groups in Chapter 1, Configuring and Deploying Orchestrator...