The users and groups in the Workspace ONE Access service are imported from your enterprise directory or are created as local users and groups in the Workspace ONE Access console.

Users in the Workspace ONE Access service can be users that are synced from your enterprise directory, local users that you provision in the Workspace ONE Access console, or users added with just-in-time provisioning.

Users imported from your enterprise directory are updated in the Workspace ONE Access directory according to your server synchronization schedule. You cannot edit or delete users that sync from Active Directory.

You can create local users and groups. Local users are added to a local directory on the service. You manage the local user attribute mapping and password policies. You can create local groups to manage resource entitlements for users.

Users added with just-in-time provisioning are added and updated dynamically when the user logs in based on SAML assertions sent by the identity provider. All user management is handled through SAML assertions. To use just-in-time provisioning, see Just-in-Time User Provisioning.

Groups in the Workspace ONE Access service can be groups that are synced from your enterprise directory and local groups that you create in the Workspace ONE Access console. Active Directory group names sync to the directory according to your sync schedule. The users in these groups are not synced to the directory until a group is entitled to resources or a group is added to the access policy rules. You cannot edit or delete groups that sync from Active Directory.

In the Workspace ONE Access console, the Users & Groups pages provides a user-and-group-centric view of the service. You can manage users and groups and monitor resource entitlements, group affiliations, and VMware Verify phone numbers. For local users, you also can manage the password policy.