You manage access to Workspace ONE Access by assigning users and groups to Workspace ONE Access roles.
Identity Management Design
In Workspace ONE Access, you can assign three types of roles to users and groups.
Role | Description | Example Active Directory Group Name
---|---|---
Super Admins | A role with the privileges to administer all Workspace ONE Access services and settings. | wsa-admins
Directory Admins | A role with the privileges to administer Workspace ONE Access users, groups, and directory management. | wsa-directory-admins
ReadOnly Admins | A role with read-only privileges to Workspace ONE Access. | wsa-read-only
For more information about Workspace ONE Access roles and their permissions, see the Workspace ONE Access documentation.
As the cloud administrator for Workspace ONE Access, you establish an integration with your enterprise directories which allows you to use your organization's identity source for authentication.
The Workspace ONE Access deployment allows you to control access to supported SDDC components by assigning roles to your organization's enterprise directory groups, such as Active Directory security groups.
Assigning roles to groups is more efficient than assigning roles to individual users. As a cloud administrator, you determine the members that make up your groups and which roles they are assigned. Groups in the connected directories are available for use in Workspace ONE Access. In this design, enterprise directory groups are used to assign roles in Workspace ONE Access.
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
VCF-VRS-WSA-SEC-002 | Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles: | Streamlines the assignment of Workspace ONE Access roles to users. | 
Password Management Design
The password management design consists of characteristics and decisions that support configuring user security policies for the Workspace ONE Access instance.
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
VCF-VRS-WSA-SEC-003 | Rotate the appliance root user password on a schedule after deployment. | The password for the root user account expires 60 days after the initial deployment and after each subsequent password change. | You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the root password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-004 | Rotate the appliance sshuser user password on a schedule after deployment. | The password for the sshuser appliance user account expires 60 days after the initial deployment and after each subsequent password change. | You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the sshuser password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager.
VCF-VRS-WSA-SEC-005 | Rotate the System Admin (admin user on port 8443) application user password on a schedule after deployment. | The password for the System Admin account (the admin user on port 8443) is initially the same as the password for the admin application user, but for password rotation the account is managed separately by vRealize Suite Lifecycle Manager. | You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the admin password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-006 | Rotate the admin application user password on a schedule after deployment. | The password for the default administrator application user account does not expire after the initial deployment. | You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable. You must manage the admin password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-007 | Rotate the configadmin application user password on a schedule after deployment. | The password for the configuration administrator application user account does not expire after the initial deployment. | You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable. You must use a combination of Workspace ONE Access and vRealize Suite Lifecycle Manager to manage the password rotation schedule of the configadmin user.
VCF-VRS-WSA-SEC-008 | Configure a password policy for the Workspace ONE Access local directory users, admin and configadmin. | You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards. The password policy applies only to the local directory users and does not affect your organization's directory. | You must set the policy in accordance with your organization's policies and regulatory standards, as applicable. You must apply the password policy on the Workspace ONE Access cluster nodes.
Certificate Management Design
The Workspace ONE Access user interface and API endpoint use an HTTPS connection. To provide secure access to the Workspace ONE Access user interface and API, use a CA-signed certificate.
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
VCF-VRS-WSA-SEC-009 | Use a CA-signed certificate containing the following in the SAN attributes when deploying Workspace ONE Access. | Ensures that all communications to the externally facing Workspace ONE Access browser-based UI and API, and between the components, are encrypted. | 
VCF-VRS-WSA-SEC-010 | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2.
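A verification check for decisions VCF-VRS-WSA-SEC-009 and VCF-VRS-WSA-SEC-010, added here as an example and not part of the design guide: it inspects a PEM certificate for SAN entries (optionally matching the DNS names you expect on the Workspace ONE Access nodes) and confirms the signature algorithm is SHA-2 or stronger. It assumes only the openssl command-line tool (1.1.1 or later); the host names in the comments are placeholders.

```shell
#!/bin/sh
# Added example; not part of the VMware design guide. Checks a PEM certificate
# against design decisions VCF-VRS-WSA-SEC-009 (SAN entries present, optionally
# matching the names you pass in) and VCF-VRS-WSA-SEC-010 (signed with SHA-2 or
# stronger). Assumes the openssl command-line tool (1.1.1 or later) is installed.
# Note: RSA-PSS signatures print as "rsassaPss" and are not classified here.

# check_cert CERT.pem [expected-dns-name ...]
# Prints one line per finding; returns 0 when all checks pass, 1 otherwise.
check_cert() {
  cert="$1"; shift
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  rc=0

  # First "Signature Algorithm:" line, e.g. "sha256WithRSAEncryption"
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448)
      echo "OK   signature algorithm: $sigalg" ;;
    *)
      echo "FAIL signature algorithm: ${sigalg:-unknown} (SHA-2 or higher required)"
      rc=1 ;;
  esac

  # The SAN values are printed on the line after the extension header.
  sans=$(printf '%s\n' "$text" | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }')
  if [ -z "$sans" ]; then
    echo "FAIL no subjectAltName extension present"
    rc=1
  else
    echo "OK   SAN:$sans"
    for name in "$@"; do
      case "$sans" in
        *"DNS:$name"*) echo "OK   SAN contains DNS:$name" ;;
        *) echo "FAIL SAN missing DNS:$name"; rc=1 ;;
      esac
    done
  fi
  return $rc
}

# Run directly (placeholder names): check_cert.sh wsa.pem wsa.example.com wsa-01.example.com
if [ "$#" -gt 0 ]; then
  check_cert "$@"
fi
```

To check a deployed node rather than a file, capture its presented chain first with `openssl s_client -connect <node>:443 -showcerts` and save the leaf certificate to a PEM file.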