The Workspace ONE Access service uses role-based access control (RBAC) to manage administrator roles. With roles-based access control, you create functional roles that control admin access to tasks in the Workspace ONE Access console and assign the roles to one or more users and groups.

Three predefined administrator roles are built into the Workspace ONE Access service.

  • Super administrator. The super administrator role can access and manage all features and functions in the Workspace ONE Access services. The super admin can assign administrator roles to users and groups and manage the administrator roles. As a best practice, grant the super administrator role to a select few.

    For Workspace ONE Access cloud tenants, a local tenant administrator user is created as the first super admin in the System Domain of the System Directory when the tenant is first set up. The name of this user is admin. The credentials you receive when you get a new tenant belong to this local admin user.

  • Read-only administrator. The read-only administrator role can view the details in the Workspace ONE Access console pages, including the dashboard and the reports, but cannot make changes. All administrator roles are automatically assigned the read-only role. You can also assign users and groups to the read-only role when you add them to the local directories.

    The read-only administrator role gives users admin access to view the Workspace ONE Access console, but unless an administrator is assigned another role with additional access, they can only view the content in the Workspace ONE Access console.

    Note: Some Workspace ONE Access console pages are not enabled to be viewed by an admin entitled to only the read-only role. When read-only admins try to view these pages, they are redirected to the dashboard.
  • Directory administrator. The directory administrator role can manage users, groups, and directories. The directory administrator can manage directory integration for both enterprise directories and local directories within your organization. The directory administrator can also manage local users and groups.

You can also create custom administrator roles that give limited permissions to specific types of services in the Workspace ONE Access console. Within these services, specific operations can be selected as the type of action that can be performed in the role.

How to Apply Administrator Roles to Different Services

You can create access control roles to manage six different types of services in the Workspace ONE Access console. Multiple roles can be assigned to the same user and groups. When a user is assigned to more than one role, the behavior of the roles applied is additive. For example, if an administrator is assigned two roles, one with write access to the Identity & Access Management service and can manage policies and the other role without access, that administrator has access to modify policies.

When you add a role, you select the type of service and define which actions can be performed in that service. In some of the services, you can select to manage all resources for the selected action or some resources.

Service Type

Service Description


The Catalog is the repository of all the resources that can be entitled to users.

The Catalog service can manage the following types of actions.

  • Web Applications
  • App sources
  • Third-party applications
  • ThinApp Virtual Apps Collection
  • Virtual Apps Collection which includes Horizon, Horizon Cloud, and Citrix-based applications.
Note: A super admin is required to initiate the getting started flow in the Virtual Apps Collection page in the Catalog. After the initial getting started flow, admin roles with the Catalog service can manage ThinApp packages and Desktop applications.
Directory Management

The Directory Management service can manage the following types of actions either for the organization or for specific directories in your organization.

  • Enterprise Directory. The admin can add, edit, and delete directories in the Workspace ONE Access service. Editing a directory includes managing directory settings, including sync settings.
  • Local Directory. The admin can create, edit, and delete local directories. Editing a directory includes managing settings and creating, editing, and deleting local users and groups.
Important: When you create a role with the Directory Management service, you must also configure the Identity & Access Management service in the role.
Users and Groups

The Users and Groups service can manage the following types of action in your total organization or for specific domains in your organization.

  • Groups
  • Users
  • Password resets for local users

The Entitlement service can assign users to web and virtual applications.

The following types of entitlement actions can be managed. For each of these actions, you can configure the role to assign users and groups to all the resources in your organization or to specific applications. You can also entitle applications to users and groups within specific domains.

  • Web entitlements
  • Third-party entitlements
Roles Administration

The Roles Administration service can manage the assignment of the admin role to users.

When you create a role with the Roles Administration service, you must configure the User and Groups service and select the Manage Users and Manage Groups actions.

Administrators who are assigned this role can promote users and groups to the administrator role and can remove the administrator role from users or groups.

Identity & Access Management

The Identity & Access Management service can manage the following areas from the Workspace ONE Access console.

  • Resources > Policies
  • Integrations > Authentication Methods, Connectors, Connectors (Legacy), Directories, Connector Authentication Methods, Identity Providers, Magic Link, Okta Catalog, UEM Integration
    Note: To manage the directory settings, you must include the Directory Management service in the role.
  • Settings > Branding, Login Preferences, Password Policy, Password Recovery, and User Attributes
Note: Administrators with the role that includes the Identity and Access Management service can integrate Workspace ONE Access with Workspace ONE UEM and create the directory from the Workspace ONE UEM console.