You manage access to your Workspace ONE Access by assigning users and groups to Workspace ONE Access roles.
Identity Management Design
In Workspace ONE Access, you can assign users and groups three types of roles.
Role |
Description |
Example Active Directory Group Name |
---|---|---|
Super Admins |
A role with the privileges to administer all Workspace ONE Access services and settings. |
wsa-admins |
Directory Admins |
A role with the privileges to administer Workspace ONE Access users, groups, and directory management. |
wsa-directory-admins |
ReadOnly Admins |
A role with read-only privileges to Workspace ONE Access. |
wsa-read-only |
For more information about Workspace ONE Access roles and their permissions, see the Workspace ONE Access documentation.
As the cloud administrator for Workspace ONE Access, you establish an integration with your enterprise directories which allows you to use your organization's identity source for authentication.
The Workspace ONE Access deployment allows you to control access to supported SDDC components by assigning roles to your organization's enterprise directory groups, such as Active Directory security groups.
Assigning roles to groups is more efficient than assigning roles to individual users. As a cloud administrator, you determine the members that make up your groups and what roles they are assigned. Groups in the connected directories are available for use Workspace ONE Access. In this design, enterprise groups are used to assign roles in Workspace ONE Access.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-WSA-SEC-002 |
Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles:
|
Streamlines the management of Workspace ONE Access roles to users. |
|
Password Management Design
The password management design consists of characteristics and decisions that support configuring user security policies of the Workspace ONE Access nodes.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-WSA-SEC-003 |
Rotate the appliance root user password on a schedule post deployment. |
The password for the root user account expires 60 days after the initial deployment and after subsequent password changes. |
You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the root password rotation schedule on the Workspace ONE Access cluster nodes by using SDDC Manager. |
VCF-VRS-WSA-SEC-004 |
Rotate the appliance sshuser user password on a schedule post deployment. |
The password for the appliance sshuser user account expires 60 days after the initial deployment and after subsequent password changes. |
You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the sshuser password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager. |
VCF-VRS-WSA-SEC-005 |
Rotate the admin application user password on a schedule post deployment. |
The password for the default administrator application user account does not expire after the initial deployment. |
You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the admin password rotation schedule on the Workspace ONE Access cluster nodes by using SDDC Manager. |
VCF-VRS-WSA-SEC-006 |
Rotate the configadmin application user password on a schedule post deployment. |
The password for the configuration administrator application user account does not expire after the initial deployment. |
You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager. |
VCF-VRS-WSA-SEC-007 |
Configure a password policy for Workspace ONE Access local directory users, admin and configadmin. |
You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards. The password policy is applicable only to the local directory users and does not impact your organization directory. |
You must set the policy in accordance with your organization policies and regulatory standards, as applicable. You must apply the password policy on the Workspace ONE Access cluster nodes. |
Certificate Management Design
The Workspace ONE Access user interface and API endpoint use an HTTPS connection. To provide secure access to the Workspace ONE Access user interface and API, use a CA-signed certificate.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-WSA-SEC-008 |
Use a CA-signed certificate containing the following the in the SAN attributes, when deploying Workspace ONE Access.
|
Ensures that all communications to the externally facing Workspace ONE Access browser-based UI, API, and between the components are encrypted. |
|
VCF-VRS-WSA-SEC-009 |
Use a SHA-2 or higher algorithm when signing certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2. |