You manage access to Workspace ONE Access by assigning users and groups to Workspace ONE Access roles.

Identity Management Design

In Workspace ONE Access, you can assign users one of three types of roles.

Table 1. Workspace ONE Access Roles and Example Enterprise Groups

Role: Super Admins
  Description: A role with the privileges to administer all Workspace ONE Access services and settings.
  Enterprise Group: rainpole.io\ug-wsa-admins

Role: Directory Admins
  Description: A role with the privileges to administer Workspace ONE Access users, groups, and directory management.
  Enterprise Group: rainpole.io\ug-wsa-directory-admins

Role: ReadOnly Admins
  Description: A role with read-only privileges to Workspace ONE Access.
  Enterprise Group: rainpole.io\ug-wsa-read-only

For more information about Workspace ONE Access roles and their permissions, see the Workspace ONE Access documentation.

As the cloud administrator for Workspace ONE Access, you establish an integration with your corporate directories, which allows you to use your corporate identity source for authentication. You can also set up multi-factor authentication as part of the access policy settings.

The cross-region Workspace ONE Access deployment allows you to control authorization to your cross-region SDDC solutions (vRealize Suite Lifecycle Manager, vRealize Operations, and vRealize Automation) by assigning roles to your organization directory groups, such as Active Directory security groups.

Assigning roles to groups is more efficient than assigning roles to individual users. As a cloud administrator, you determine the members that make up your groups and the roles assigned to each group. Groups in the connected directories are available for use in Workspace ONE Access. In this design, enterprise groups are used to assign roles in Workspace ONE Access.

Table 2. Design Decisions on Identity Management for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-036
  Design Decision: Assign roles to groups synchronized from your corporate identity source for Workspace ONE Access.
  Design Justification: Provides access management and administration of Workspace ONE Access by using corporate security group membership.
  Design Implication: You must define and manage security groups, group membership, and security controls in your corporate identity source for Workspace ONE Access administrative consumption.

Decision ID: SDDC-COM-SEC-IAM-037
  Design Decision: Create a security group in your organization directory services for the Super Admin role, rainpole.io\ug-wsa-admins, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication:
    • You must create the security group outside of the SDDC stack.
    • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

Decision ID: SDDC-COM-SEC-IAM-038
  Design Decision: Assign the enterprise group for administrators, rainpole.io\ug-wsa-admins, the Super Admins Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Decision ID: SDDC-COM-SEC-IAM-039
  Design Decision: Create a security group in your organization directory services for the Directory Admin role, rainpole.io\ug-wsa-directory-admins, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication:
    • You must create the security group outside of the SDDC stack.
    • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

Decision ID: SDDC-COM-SEC-IAM-040
  Design Decision: Assign the enterprise group for directory administrator users, rainpole.io\ug-wsa-directory-admins, the Directory Admins Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Decision ID: SDDC-COM-SEC-IAM-041
  Design Decision: Create a security group in your organization directory services for the ReadOnly Admin role, rainpole.io\ug-wsa-read-only, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication:
    • You must create the security group outside of the SDDC stack.
    • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

Decision ID: SDDC-COM-SEC-IAM-042
  Design Decision: Assign the enterprise group for read-only users, rainpole.io\ug-wsa-read-only, the ReadOnly Admin Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Note: In an Active Directory forest, consider using a security group with a universal scope. Add security groups with a global scope that include service accounts and users from the domains in the Active Directory forest.

Password Management Design

Table 3. Design Decisions on Password Management for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-043
  Design Decision: Rotate the appliance root user password on a schedule after deployment.
  Design Justification: The password for the root user account expires 60 days after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on the cross-region Workspace ONE Access cluster nodes.

Decision ID: SDDC-COM-SEC-IAM-044
  Design Decision: Rotate the appliance sshuser user password on a schedule after deployment.
  Design Justification: The password for the appliance sshuser user account expires 60 days after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on the cross-region Workspace ONE Access cluster nodes.

Decision ID: SDDC-COM-SEC-IAM-045
  Design Decision: Rotate the admin application user password on a schedule after deployment.
  Design Justification: The password for the default administrator application user account does not expire after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on the cross-region Workspace ONE Access cluster nodes.
    • You must use the API to manage password changes for Workspace ONE Access local directory users.

Decision ID: SDDC-COM-SEC-IAM-046
  Design Decision: Rotate the configadmin application user password on a schedule after deployment.
  Design Justification: The password for the configuration administrator application user account does not expire after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on the cross-region Workspace ONE Access cluster nodes.

Decision ID: SDDC-COM-SEC-IAM-047
  Design Decision: Configure a password policy for the Workspace ONE Access local directory users, admin and configadmin.
  Design Justification: You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards.
  Design Implication:
    • The password policy applies only to the local directory users and does not affect your organization directory.
    • You must set the policy in accordance with your organization policies and regulatory standards, as applicable.
    • You must apply the password policy on the cross-region Workspace ONE Access cluster nodes.

Certificate Management Design

The Workspace ONE Access user interface and API endpoint use an HTTPS connection. By default, Workspace ONE Access uses a self-signed certificate. To provide secure access to the Workspace ONE Access user interface and API, replace the default self-signed certificates with a CA-signed certificate.

Table 4. Design Decisions on Certificates for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-048
  Design Decision: Use a CA-signed certificate containing the Workspace ONE Access cluster node FQDNs and the VIP FQDN in the SAN attribute when deploying Workspace ONE Access.
  Design Justification: Ensures that all communications to the externally facing Workspace ONE Access browser-based UI and API, and between the components, are encrypted.
  Design Implication:
    • Using CA-signed certificates from a certificate authority increases the deployment preparation time, because certificate requests must be generated and delivered.
    • You must manage the life cycle of the certificate replacement.
    • The SSL certificate key size must be 2048 or 3072 bits.

Decision ID: SDDC-COM-SEC-IAM-049
  Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2.

Decision ID: SDDC-COM-SEC-IAM-050
  Design Decision: Import the certificate for the Root Certificate Authority to each Workspace ONE Access instance.
  Design Justification: Ensures that the certificate authority is trusted by each Workspace ONE Access instance.
  Design Implication: None
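As an added example, not from the design guide or from VMware, the following POSIX shell function checks a candidate certificate against decisions SDDC-COM-SEC-IAM-048 and SDDC-COM-SEC-IAM-049 before it is installed: the SAN must cover the VIP FQDN and every cluster node FQDN, the RSA key must be 2048 or 3072 bits, and the signature algorithm must be SHA-2. It assumes the openssl command-line tool (1.1.1 or later for the test-certificate helper, which uses -addext) and uses constructed rainpole.io hostnames for the cross-region cluster.

```shell
#!/usr/bin/env sh
# Added example (not from the design guide): pre-installation check that a
# Workspace ONE Access certificate meets SDDC-COM-SEC-IAM-048 and -049.
# The VIP and node FQDNs are constructed placeholders in the design's rainpole.io domain.
WSA_VIP="xreg-wsa01.rainpole.io"
WSA_NODES="xreg-wsa01a.rainpole.io xreg-wsa01b.rainpole.io xreg-wsa01c.rainpole.io"

# check_wsa_cert <cert.pem>: prints every failed requirement; returns 1 if any failed.
check_wsa_cert() {
    cert="$1"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # IAM-048: the SAN attribute must list the VIP FQDN and every cluster node FQDN.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
    for host in $WSA_VIP $WSA_NODES; do
        case ",$san," in
            *",DNS:$host,"*) ;;
            *) echo "FAIL: SAN missing DNS:$host"; rc=1 ;;
        esac
    done

    # IAM-048: RSA key size must be 2048 or 3072 bits (empty for non-RSA keys, which also fails).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    case "$bits" in
        2048|3072) ;;
        *) echo "FAIL: key size '$bits' bits (2048 or 3072 required)"; rc=1 ;;
    esac

    # IAM-049: signature algorithm must be from the SHA-2 family, not SHA-1 or MD5.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n1)
    case "$sigalg" in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: signature algorithm '$sigalg' is not SHA-2"; rc=1 ;;
    esac
    return $rc
}

# make_test_cert <out.pem> <bits> <digest> <fqdn>...: self-signed certificate used only
# to exercise the checker locally (requires OpenSSL 1.1.1+ for -addext).
make_test_cert() {
    out="$1"; bits="$2"; digest="$3"; shift 3
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$out.key" -out "$out" \
        "-$digest" -days 1 -subj "/CN=$WSA_VIP" -addext "subjectAltName=$san" 2>/dev/null
}

# Usage: check_wsa_cert /path/to/xreg-wsa01.pem && echo "certificate OK"
```

A certificate that passes still needs the issuing CA chain imported per SDDC-COM-SEC-IAM-050; this check covers only the leaf certificate's own properties.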