Users provisioned through Just-in-Time provisioning in the Workspace ONE Access service are added to groups based on their user attributes and derive their resources entitlements from the groups to which they belong.

Before you configure Just-in-Time provisioning, ensure that you have local groups in the Workspace ONE Access service. Create one or more local groups, based on your needs. For each group, set the rules for group membership and add entitlements.
Note: Reference to local groups is synonymous with system domain groups.


  1. In the Workspace ONE Access console Accounts > User Groups page
  2. Click Add Group, provide a name and description for the group, and click Next.
  3. In the Add users to group page, search for users to add to the group. Click + and add the user to the group list.
  4. Click Next and set the rules for group membership.
  5. Click Next and add users that are excluded from the group.
  6. Click Next to see a summary of the configuration and click Create Group.
  7. Add entitlements to the group.
    1. Select the group that you created and click Apps.
    2. Click Add Entitlements and select the applications and the deployment method for each application.
    3. Click Save.