The three predefined administrator roles that can be granted in the Workspace ONE Access server are super administrator, read-only administrator, and directory administrator.

  • The super administrator role can access and manage all features and functions in the Workspace ONE Access services.

    The first super administrator is the local administrator user that Workspace ONE Access creates when you first set up the service. The service creates the administrator in the System Domain of the System Directory. You can assign other users to the super administrator role in the System Directory. As a best practice, grant the super administrator role to a select few.

  • The read-only administrator role can view the details in the Workspace ONE Access console pages, including the dashboard and the reports, but cannot make changes. All administrator roles are automatically assigned the read-only role.
    Note: Some Workspace ONE Access console pages are not enabled to be viewed by an admin entitled to only the read-only role. When read-only admins try to view these pages, they are redirected to the dashboard.
  • The directory administrator role can manage users, groups, and directories. The directory administrator can manage directory integration for both enterprise directories and local directories within your organization. The directory administrator can also manage local users and groups.
Figure 1. Roles Tab in Workspace ONE Access Console

You can assign these predefined roles to users and groups in your service. You cannot modify or delete these roles.

You can also create custom administrator roles that give limited permissions to specific services in the Workspace ONE Access console. Within the service, specific operations can be selected as the type of action that can be performed in the role.

Multiple roles can be assigned to the same user and groups. When a user is assigned more than one role, the behavior of the roles applied is additive. For example, if an administrator is assigned two roles, one with write access to policy management and the other without, that administrator has access to modify policies.

Role-based access control can be set up to manage the following services in the administrator console.

Service Type

Service Description


The Catalog is the repository of all the Workspace ONE resources that can be entitled to users.

The Catalog service can manage the following types of actions.

  • Web Applications
  • App sources
  • Third-party applications
  • ThinApp Virtual Apps Collection
  • Virtual Apps Collection which includes Horizon, Horizon Cloud, and Citrix-based applications.
Note: A super admin is required to initiate the getting started flow in the Virtual Apps Collection page in the Catalog. After the initial getting started flow, admin roles with the Catalog service can manage ThinApp packages and Desktop applications.
Directory Management

The Directory Management service can manage the following types of actions either for the organization or for specific directories in your organization.

  • Enterprise Directory. The admin can add, edit, and delete directories in the service. Editing a directory includes managing directory settings, including sync settings.
  • Local Directory. The admin can create, edit, and delete local directories. Editing a directory includes managing settings and creating, editing, and deleting local users and groups.

When the Directory Management service is included in a role, the Identity & Access Management service must also be configured in the role.

Users and Groups

The Users and Groups service can manage the following types of action in your total organization or for specific domains in your organization.

  • Groups
  • Users
  • Password resets for local users

The Entitlement service can assign users to web and virtual applications.

The following types of entitlement actions can be managed. For each of these actions, you can configure the role to assign users and groups to all the resources in your organization or to specific applications. You can also entitle applications to users and groups within specific domains.

  • Web entitlements
  • Third-party entitlements
Roles Administration

The Roles Administration service can manage the assignment of the admin role to users.

When you create a role with the Roles Administration service, you must configure the User and Groups service and select the Manage Users and Manage Groups actions.

Administrators who are assigned this role can promote users and groups to the administrator role and can remove the administrator role from users or groups.

Identity & Access Management

The Identity & Access Management service can manage the settings in the Identity & Access Management tab. To manage the directory settings, the Directory Management service is also required.

Note: Administrators with the Identity and Access Management role can integrate Workspace ONE Access with Workspace ONE UEM and create the directory from the Workspace ONE UEM console.

When you add a role, you select the service and define which actions can be performed in the service. In some of the services, you can select to manage all resources for the selected action or some resources.

Manage Read-Only Access

Read-only Access is granted with each role that is assigned to an administrator. You can also assign users and groups to the read-only role from the ReadOnly Admin roles page.

The read-only administrator role gives users admin access to view the Workspace ONE Access console, but unless an administrator is assigned another role with additional access, they can only view the content in the Workspace ONE Access console.

When you assign the read-only role as a separate role, you can remove the role from the ReadOnly Admin role Assign page or from the user or group profile page.