The information security and access design details the design decisions covering authentication, access controls, and certificate management for the region-specific Workspace ONE Access deployment.

Identity Management Design

You manage access to your Workspace ONE Access deployments by assigning users and groups to Workspace ONE Access roles.

In Workspace ONE Access, you can assign users three types of role-based access.

Table 1. Workspace ONE Access Roles and Example Enterprise Groups

Super Admins
  Description: A role with the privileges to administer all Workspace ONE Access services and settings.
  Enterprise Group: rainpole.io\ug-wsa-admins

Directory Admins
  Description: A role with the privileges to administer Workspace ONE Access users, groups, and directory management.
  Enterprise Group: rainpole.io\ug-wsa-directory-admins

ReadOnly Admins
  Description: A role with read-only privileges to Workspace ONE Access.
  Enterprise Group: rainpole.io\ug-wsa-read-only

For more information about the Workspace ONE Access roles and their permissions, see the Workspace ONE Access documentation.

As the cloud administrator for Workspace ONE Access, you establish an integration with your corporate directories, which allows you to use your corporate identity source for authentication. You can also set up multi-factor authentication as part of the access policy settings.

The region-specific Workspace ONE Access deployment allows you to control authorization to your regional SDDC solutions, such as NSX-T Data Center, by assigning roles to your organization directory groups, such as Active Directory security groups.

Assigning roles to groups is more efficient than assigning roles to individual users. As a cloud administrator, you determine the members that make up your groups and the roles they are assigned. Groups in the connected directories are available for use in Workspace ONE Access. In this design, enterprise groups are used to assign roles in Workspace ONE Access.

Table 2. Design Decisions on Identity Management for Region-Specific Workspace ONE Access

SDDC-MGMT-SEC-IAM-020
  Design Decision: Assign roles to groups synchronized from your corporate identity source for Workspace ONE Access.
  Design Justification: Provides access management and administration of Workspace ONE Access by using corporate security group membership.
  Design Implication: You must define and manage security groups, group membership, and security controls in your corporate identity source for Workspace ONE Access administrative consumption.

SDDC-MGMT-SEC-IAM-021
  Design Decision: Create a security group in your organization directory services for the Super Admin role, rainpole.io\ug-wsa-admins, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication: You must create the security group outside of the SDDC stack.

SDDC-MGMT-SEC-IAM-022
  Design Decision: Assign the enterprise group for super administrators, rainpole.io\ug-wsa-admins, the Super Admins Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

SDDC-MGMT-SEC-IAM-023
  Design Decision: Create a security group in your organization directory services for the Directory Admin role, rainpole.io\ug-wsa-directory-admins, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication: You must create the security group outside of the SDDC stack.

SDDC-MGMT-SEC-IAM-024
  Design Decision: Assign the enterprise group for directory administrator users, rainpole.io\ug-wsa-directory-admins, the Directory Admins Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

SDDC-MGMT-SEC-IAM-025
  Design Decision: Create a security group in your organization directory services for the ReadOnly Admin role, rainpole.io\ug-wsa-read-only, and synchronize the group in the Workspace ONE Access configuration.
  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.
  Design Implication: You must create the security group outside of the SDDC stack.

SDDC-MGMT-SEC-IAM-026
  Design Decision: Assign the enterprise group for read-only users, rainpole.io\ug-wsa-read-only, the ReadOnly Admin Workspace ONE Access role.
  Design Justification: Provides the following access control features:
    • Access to Workspace ONE Access services is granted to a managed set of individuals that are members of the security group.
    • Improved accountability and tracking of access to Workspace ONE Access.
  Design Implication: You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Note:

In an Active Directory forest, consider using a security group with a universal scope. Add to it security groups with a global scope that include the service accounts and users from the domains in the Active Directory forest.

Password Management Design

The password management design consists of characteristics and decisions that support configuring user security policies of the region-specific Workspace ONE Access nodes in the management domain.

Table 3. Design Decisions on Password Management for Region-Specific Workspace ONE Access

SDDC-MGMT-SEC-IAM-027
  Design Decision: Rotate the appliance root user password on a schedule after deployment.
  Design Justification: The password for the root user account expires 60 days after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on each region-specific Workspace ONE Access instance.

SDDC-MGMT-SEC-IAM-028
  Design Decision: Rotate the appliance sshuser user password on a schedule after deployment.
  Design Justification: The password for the appliance sshuser user account expires 60 days after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on each region-specific Workspace ONE Access instance.

SDDC-MGMT-SEC-IAM-029
  Design Decision: Rotate the admin application user password on a schedule after deployment.
  Design Justification: The password for the default administrator application user account does not expire after the initial deployment.
  Design Implication:
    • You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.
    • You must manage the password rotation schedule on each region-specific Workspace ONE Access instance.
    • You must use the API to manage password changes for Workspace ONE Access local directory users.

SDDC-MGMT-SEC-IAM-030
  Design Decision: Configure a password policy for the Workspace ONE Access local directory admin user.
  Design Justification:
    • You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards.
    • The password policy is applicable only to the local directory users and does not impact your corporate directory.
  Design Implication:
    • You must set the policy in accordance with your corporate policies and regulatory standards, as applicable.
    • You must apply the password policy on each region-specific Workspace ONE Access instance.
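Because the root and sshuser passwords expire 60 days after deployment and the rotation schedule has to be tracked per instance, a practitioner usually wants to read the actual expiry date from each appliance rather than rely on a calendar. The following POSIX shell script is an added example and is not part of this design or of the Workspace ONE Access product. It assumes that the appliance provides the standard Linux `chage -l <user>` command (an assumption about the appliance OS, not stated on this page) and parses a constructed sample of its output to classify an account as expired, due for rotation within a warning window, ok, or never-expiring. Date arithmetic is done in shell so the script does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not part of the design or the product): classify an appliance
# account's password-expiry state from `chage -l` output so that root and
# sshuser rotations (SDDC-MGMT-SEC-IAM-027/028) are scheduled before the
# 60-day expiry is reached. Assumes `chage -l` exists on the appliance.

# chage_expiry TEXT: extract the "Password expires" value from chage -l output.
chage_expiry() {
  printf '%s\n' "$1" | sed -n 's/^Password expires[[:space:]]*:[[:space:]]*//p'
}

# to_days DATE: convert "Mon DD, YYYY" (chage format) or YYYY-MM-DD into a
# day count since 1970-01-01 (proleptic Gregorian), with no external tools.
to_days() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
      y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-} ;;
    *)
      set -- $(printf '%s\n' "$1" | tr -d ',')   # -> Mon DD YYYY
      case "$1" in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
      esac
      d=$2; y=$3 ;;
  esac
  m=${m#0}; d=${d#0}                      # avoid octal interpretation of "08"
  [ "$m" -le 2 ] && y=$((y - 1))          # days_from_civil: year starts in March
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$(( m > 2 ? m - 3 : m + 9 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# days_until DATE REFDATE: whole days from REFDATE to DATE (negative if past).
days_until() {
  a=$(to_days "$1") || return 1
  b=$(to_days "$2") || return 1
  echo $(( a - b ))
}

# rotation_status TEXT WARN_DAYS REFDATE: prints never | expired | due | ok
rotation_status() {
  expires=$(chage_expiry "$1")
  [ -z "$expires" ] && { echo "unknown"; return 1; }
  [ "$expires" = "never" ] && { echo "never"; return 0; }
  left=$(days_until "$expires" "$3") || { echo "unknown"; return 1; }
  if [ "$left" -lt 0 ]; then echo "expired"
  elif [ "$left" -le "$2" ]; then echo "due"
  else echo "ok"
  fi
}

# Constructed sample of `chage -l root` for an appliance deployed on
# Jan 10, 2025 with a 60-day maximum age (expires Mar 11, 2025).
SAMPLE_ROOT='Last password change                              : Jan 10, 2025
Password expires                                  : Mar 11, 2025
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 60
Number of days of warning before password expires : 7'

# Constructed sample for an OS account whose password expiry is disabled.
SAMPLE_NEVER='Last password change                              : Jan 10, 2025
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7'

# On an appliance: rotation_status "$(chage -l root)" 14 "$(date +%F)"
if [ "${1:-}" = "demo" ]; then
  echo "root, checked 2025-03-01: $(rotation_status "$SAMPLE_ROOT" 14 2025-03-01)"
  echo "root, checked 2025-03-20: $(rotation_status "$SAMPLE_ROOT" 14 2025-03-20)"
  echo "non-expiring account:     $(rotation_status "$SAMPLE_NEVER" 14 2025-03-01)"
fi
```

Run the script with `demo` to see the three states on the constructed samples; on a real appliance, feed it the output of `chage -l root` and `chage -l sshuser` on each region-specific instance and treat `due` or `expired` as the trigger for the rotation in decisions 027 and 028. The admin application user is not an OS account, so its rotation has to be tracked separately through the API as decision 029 states.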

Certificate Design

The certificate design consists of characteristics and decisions that support configuring signed certificates of the Workspace ONE Access appliance in the management domain.

The Workspace ONE Access user interface and API endpoint use an HTTPS connection. By default, Workspace ONE Access uses a self-signed certificate. To provide secure access to the Workspace ONE Access user interface and API, replace the default self-signed certificates with a CA-signed certificate.

Table 4. Design Decisions on Certificates for Region-Specific Workspace ONE Access

SDDC-MGMT-SEC-IAM-031
  Design Decision: Replace the default self-signed certificates with a Certificate Authority-signed certificate during the deployment.
  Design Justification: Ensures that all communications to the externally facing Workspace ONE Access browser-based UI and API, and between the components, are encrypted.
  Design Implication:
    • Replacing the default certificates with trusted CA-signed certificates from a certificate authority increases the deployment preparation time as certificate requests are generated and delivered.
    • You must manage the life cycle of the certificate replacement.
    • You must use a multi-SAN certificate for the cross-region Workspace ONE Access cluster instance.
    • The SSL certificate key size must be 2048 or 3072 bits.

SDDC-MGMT-SEC-IAM-032
  Design Decision: Import the certificate for the Root Certificate Authority to each Workspace ONE Access instance.
  Design Justification: Ensures that the certificate authority is trusted by each Workspace ONE Access instance.
  Design Implication: None

SDDC-MGMT-SEC-IAM-033
  Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2.
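Decisions SDDC-MGMT-SEC-IAM-031 and SDDC-MGMT-SEC-IAM-033 state three checkable properties of the replacement certificate: a multi-SAN subject, an RSA key of 2048 or 3072 bits, and a SHA-2 signature. The following POSIX shell script is an added example and is not part of this design or of the Workspace ONE Access product. It assumes the `openssl` command-line tool is installed, generates a multi-SAN CSR with an allowed key size, and verifies a PEM certificate returned by the CA against the key-size and signature-algorithm requirements before you import it. The hostnames and the organization name are placeholders.

```shell
#!/bin/sh
# Added example (not part of the design or the product): build a multi-SAN CSR
# with an allowed key size and verify an issued certificate against the
# requirements in SDDC-MGMT-SEC-IAM-031/033. Assumes the openssl CLI.

# gen_san_csr NAME KEYBITS FQDN [FQDN...]
# Writes NAME.key, NAME.cnf and NAME.csr. The first FQDN becomes the CN and
# every FQDN is listed in the subjectAltName extension.
gen_san_csr() {
  name=$1; keybits=$2; shift 2
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  cat > "$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
O = Rainpole (placeholder)
[ext]
subjectAltName = $sans
EOF
  openssl req -new -newkey "rsa:$keybits" -nodes -sha256 \
    -keyout "$name.key" -out "$name.csr" -config "$name.cnf" 2>/dev/null
}

# csr_sans FILE: print the SAN list of a CSR as "DNS:a,DNS:b".
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' '
}

# cert_key_bits FILE: RSA modulus size of a PEM certificate.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sig_alg FILE: signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# check_cert FILE: exit 0 only if the key size is 2048 or 3072 bits and the
# signature algorithm is a SHA-2 variant; otherwise report the failing check.
check_cert() {
  bits=$(cert_key_bits "$1"); alg=$(cert_sig_alg "$1")
  case "$bits" in
    2048|3072) ;;
    *) echo "$1: key size '$bits' is not 2048 or 3072 bits" >&2; return 1 ;;
  esac
  case "$alg" in
    sha256*|sha384*|sha512*) ;;
    *) echo "$1: signature algorithm '$alg' is not SHA-2" >&2; return 1 ;;
  esac
  echo "$1: RSA $bits bits, $alg"
}

if [ "${1:-}" = "demo" ]; then
  # Placeholder names for the cluster VIP and its nodes.
  gen_san_csr wsa 2048 xreg-wsa01.rainpole.io \
    xreg-wsa01a.rainpole.io xreg-wsa01b.rainpole.io xreg-wsa01c.rainpole.io
  echo "SAN entries in wsa.csr: $(csr_sans wsa.csr)"
  # Submit wsa.csr to your CA, save the result as wsa.crt, then run:
  #   check_cert wsa.crt
fi
```

`check_cert` reads only the certificate, so it can be run on the file the CA returns before anything is uploaded to the appliance; a 1024-bit key or a SHA-1 signature fails the check with a message naming the offending value. The same script works for the root CA certificate imported under SDDC-MGMT-SEC-IAM-032 if you want to confirm its signature algorithm as well.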