The concept of overriding settings on a per-organization group basis, when combined with organization group (OG) characteristics such as inheritance and multi-tenancy, can be further combined with authentication. This combination provides for flexible configurations.
The following organization group model illustrates this flexibility.
Administrators, generally in possession of greater permissions and functionality, are positioned at the top of this OG branch. These administrators log into their OG using SAML that is specific to admins.
Corporate users are subservient to Administrators so their OG is arranged as its child. Being users and not administrators, their SAML log in setting cannot inherit the administrator setting. Therefore, the Corporate users' SAML setting is overridden.
And while not subservient to Corporate users in a corporate hierarchy sense, placing BYOD users as a child of Corporate users has advantages. This arrangement means any device settings which are applicable to ALL corporate user devices are inherited by the BYOD users simply by applying them to the Corporate users OG.
Inheritance also applies to SAML authentication settings. Since BYOD users is a child of Corporate Users, the SAML for users authentication setting for the parent is inherited by the child.
An alternate model is to make BYOD users a sibling of Corporate users.
Under this alternate model, the following would be true.
- All device profiles meant to apply globally to ALL devices, including compliance policies, and other globally-applicable device settings would need to be applied to two organization groups instead of one. The reason for this duplication need is because inheritance from Corporate users to BYOD users is no longer a factor in this model. Corporate users and BYOD users are peers and therefore there is no inheritance.
- Another SAML override would need to be applied to BYOD users. This override would be necessary because the system would assume it is inheriting SAML settings from its parent, Administrators. This would be a mistake because BYOD users are not Administrators and should not have the same access and permissions.
- BYOD users would continue to be handled separately from Corporate users. This alternate model means they would continue to enjoy their own device profile settings.
What factor determines which model is the best? Compare the number of globally-applicable device settings with the number of group-specific device settings. Basically, if you want to treat all devices in generally the same way, then make BYOD users a child of Corporate users. If maintaining separate settings is more important, then make BYOD users a sibling of Corporate users.
For more information about setting per-OG SAML settings, see the "Set up Directory Services Manually topic" in the VMware AirWatch Directory Services Guide, available in Accessing Other Documents.
For a detailed example of OG inheritance involving enrollment, see Directory Service Integration and Enrollment Restrictions.