The Workspace ONE Access service uses role-based access control (RBAC) to manage administrator roles. With roles-based access control, you create functional roles that control admin access to tasks in the Workspace ONE Access console and assign the roles to one or more users and groups.
Three predefined administrator roles are built into the Workspace ONE Access service.
- Super administrator. The super administrator role can access and manage all features and functions in the Workspace ONE Access services. The super admin can assign administrator roles to users and groups and manage the administrator roles. As a best practice, grant the super administrator role to a select few.
For Workspace ONE Access cloud tenants, a local tenant administrator user is created as the first super admin in the System Domain of the System Directory when the tenant is first set up. The name of this user is admin. The credentials you receive when you get a new tenant belong to this local admin user.
- Read-only administrator. The read-only administrator role can view the details in the Workspace ONE Access console pages, including the dashboard and the reports, but cannot make changes. All administrator roles are automatically assigned the read-only role. You can also assign users and groups to the read-only role when you add them to the local directories.
The read-only administrator role gives users admin access to view the Workspace ONE Access console, but unless an administrator is assigned another role with additional access, they can only view the content in the Workspace ONE Access console.
Note: Some Workspace ONE Access console pages are not enabled to be viewed by an admin entitled to only the read-only role. When read-only admins try to view these pages, they are redirected to the dashboard.
- Directory administrator. The directory administrator role can manage users, groups, and directories. The directory administrator can manage directory integration for both enterprise directories and local directories within your organization. The directory administrator can also manage local users and groups.
You can also create custom administrator roles that give limited permissions to specific types of services in the Workspace ONE Access console. Within these services, specific operations can be selected as the type of action that can be performed in the role.
How to Apply Administrator Roles to Different Services
You can create access control roles to manage six different types of services in the Workspace ONE Access console. Multiple roles can be assigned to the same users and groups. When a user is assigned more than one role, the roles are applied additively: a role that lacks a permission never removes a permission granted by another role. For example, if an administrator is assigned two roles, one with write access to the Identity & Access Management service that can manage policies and another role without that access, the administrator can still modify policies.
When you add a role, you select the type of service and define which actions can be performed in that service. In some of the services, you can select to manage all resources for the selected action or some resources.
The Catalog is the repository of all the resources that can be entitled to users.
The Catalog service can manage the following types of actions.
Note: A super admin is required to initiate the getting started flow in the Virtual Apps Collection page in the Catalog. After the initial getting started flow, admin roles with the Catalog service can manage ThinApp packages and Desktop applications.
The Directory Management service can manage the following types of actions either for the organization or for specific directories in your organization.
Important: When you create a role with the Directory Management service, you must also configure the Identity & Access Management service in the role.
Users and Groups
The Users and Groups service can manage the following types of actions in your total organization or for specific domains in your organization.
The Entitlement service can assign users to web and virtual applications.
The following types of entitlement actions can be managed. For each of these actions, you can configure the role to assign users and groups to all the resources in your organization or to specific applications. You can also entitle applications to users and groups within specific domains.
The Roles Administration service can manage the assignment of the admin role to users.
When you create a role with the Roles Administration service, you must also configure the Users and Groups service in the same role and select the Manage Users and Manage Groups actions.
Administrators who are assigned this role can promote users and groups to the administrator role and can remove the administrator role from users or groups.
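The additive behaviour described under How to Apply Administrator Roles to Different Services, together with the two role-definition rules stated above (a Directory Management role must also include the Identity & Access Management service; a Roles Administration role must include the Users and Groups service with Manage Users and Manage Groups), modelled as an added Python example that is not Workspace ONE Access code. Service names come from this page; action names other than Manage Users and Manage Groups, the "Console" read-only marker and the application names are constructed assumptions.

```python
# Added model of Workspace ONE Access admin-role semantics, not the product's own code.
# A role is a set of (service, action, scope); action names other than "Manage Users"
# and "Manage Groups", and the "Console" service, are constructed for illustration.
READ_ONLY = {("Console", "View", "all")}  # every admin role implicitly has read-only view

def validate_role(name, permissions):
    """Return the violations of the page's role-definition rules (empty if valid)."""
    services = {svc for svc, _, _ in permissions}
    actions = {(svc, act) for svc, act, _ in permissions}
    problems = []
    if "Directory Management" in services and "Identity & Access Management" not in services:
        problems.append(f"{name}: Directory Management requires the Identity & Access Management service")
    needed = {("Users and Groups", "Manage Users"), ("Users and Groups", "Manage Groups")}
    if "Roles Administration" in services and not needed <= actions:
        problems.append(f"{name}: Roles Administration requires Manage Users and Manage Groups")
    return problems

def effective_permissions(assigned_roles):
    """Roles are additive: the union of all assigned roles plus implicit read-only."""
    effective = set(READ_ONLY)
    for role in assigned_roles:
        effective |= set(role)
    return effective

def can(effective, service, action, resource="all"):
    """A permission scoped 'all' covers every resource; a specific scope covers only itself."""
    return any(svc == service and act == action and scope in ("all", resource)
               for svc, act, scope in effective)

def demo():
    policy_admin = {("Identity & Access Management", "Manage Policies", "all")}
    catalog_only = {("Catalog", "Manage Web Applications", "all")}   # no IAM access at all
    sales_entitler = {("Entitlements", "Entitle Users", "SalesApp")}  # constructed app name
    both = effective_permissions([policy_admin, catalog_only])
    scoped = effective_permissions([sales_entitler])
    return {
        # the role without IAM access does not take the policy permission away
        "additive": can(both, "Identity & Access Management", "Manage Policies"),
        "read_only_implied": can(scoped, "Console", "View"),
        "scoped_ok": can(scoped, "Entitlements", "Entitle Users", "SalesApp"),
        "scoped_other": can(scoped, "Entitlements", "Entitle Users", "HRApp"),
        "bad_dir_role": validate_role("dir-admin", {("Directory Management", "Manage Directories", "all")}),
        "good_roles_admin": validate_role("roles-admin", {
            ("Roles Administration", "Assign Admin Role", "all"),
            ("Users and Groups", "Manage Users", "all"),
            ("Users and Groups", "Manage Groups", "all")}),
    }

if __name__ == "__main__":
    print(demo())
```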
Identity & Access Management
The Identity & Access Management service can manage the following areas from the Workspace ONE Access console.
Note: Administrators with the role that includes the Identity and Access Management service can integrate Workspace ONE Access with Workspace ONE UEM and create the directory from the Workspace ONE UEM console.