The Workspace ONE Access service uses role-based access control to manage administrator roles. With role-based access control, you create functional roles that control admin access to tasks in the Workspace ONE Access console, and assign the roles to one or more users and groups.

Three predefined administrator roles are built into the Workspace ONE Access service: super administrator, read-only administrator, and directory administrator. You can assign these predefined roles to users and groups in your service. You cannot modify or delete these roles.

For Workspace ONE Access cloud deployments, a local tenant administrator user is created as the first super admin in the System Domain of the System Directory when the tenant is first set up. The name of this user is admin. The credentials you receive when you get a new tenant belong to this local admin user.

The super administrator role can access and manage all features and functions in the Workspace ONE Access services. You can assign other users to the super administrator role in the System Directory. As a best practice, grant the super administrator role to a select few.

The read-only administrator role can view the details in the Workspace ONE Access console pages, including the dashboard and the reports, but cannot make changes. All administrator roles are automatically assigned the read-only role.

Note: Some Workspace ONE Access console pages are not enabled to be viewed by an admin entitled to only the read-only role. When read-only admins try to view these pages, they are redirected to the dashboard.

The directory administrator role can manage users, groups, and directories. The directory administrator can manage directory integration for both enterprise directories and local directories within your organization. The directory administrator can also manage local users and groups.

You can also create custom administrator roles that give limited permissions to specific services in the Workspace ONE Access console. Within the service, specific operations can be selected as the type of action that can be performed in the role.

How to Apply Administrator Roles to Different Services

Role-based access control can be set up to manage the following services in the administrator console. Multiple roles can be assigned to the same user and groups. When a user is assigned to more than one role, the behavior of the roles applied is additive. For example, if an administrator is assigned two roles, one with write access to policy management and the other without, that administrator has access to modify policies.

Service Type and Service Description

Catalog

The Catalog is the repository of all the resources that can be entitled to users.

The Catalog service can manage the following types of actions.

  • Web Applications
  • App sources
  • Third-party applications
  • ThinApp Virtual Apps Collection
  • Virtual Apps Collection which includes Horizon, Horizon Cloud, and Citrix-based applications.

Note: A super admin is required to initiate the getting started flow in the Virtual Apps Collection page in the Catalog. After the initial getting started flow, admin roles with the Catalog service can manage ThinApp packages and Desktop applications.

Directory Management

The Directory Management service can manage the following types of actions either for the organization or for specific directories in your organization.

  • Enterprise Directory. The admin can add, edit, and delete directories in the service. Editing a directory includes managing directory settings, including sync settings.
  • Local Directory. The admin can create, edit, and delete local directories. Editing a directory includes managing settings and creating, editing, and deleting local users and groups.

When the Directory Management service is included in a role, the Identity & Access Management service must also be configured in the role.

Users and Groups

The Users and Groups service can manage the following types of actions for your entire organization or for specific domains in your organization.

  • Groups
  • Users
  • Password resets for local users

Entitlement

The Entitlement service can assign users to web and virtual applications.

The following types of entitlement actions can be managed. For each of these actions, you can configure the role to assign users and groups to all the resources in your organization or to specific applications. You can also entitle applications to users and groups within specific domains.

  • Web entitlements
  • Third-party entitlements

Roles Administration

The Roles Administration service can manage the assignment of the admin role to users.

When you create a role with the Roles Administration service, you must configure the Users and Groups service and select the Manage Users and Manage Groups actions.

Administrators who are assigned this role can promote users and groups to the administrator role and can remove the administrator role from users or groups.

Identity & Access Management

The Identity & Access Management service can manage the following areas from the Workspace ONE Access console.

  • Resources > Policies
  • Integrations > Authentication Methods, Connectors, Connectors (Legacy), Directories, Connector Authentication Methods, Identity Providers, Magic Link, Okta Catalog, UEM Integration
    Note: To manage the directory settings, the Directory Management service is also required.
  • Settings > Auto Discovery, Branding, Login Preferences, Password Policy, Password Recovery, Terms of Use, and User Attributes

Note: Administrators with the Identity and Access Management role can integrate Workspace ONE Access with Workspace ONE UEM and create the directory from the Workspace ONE UEM console.

When you add a role, you select the service and define which actions can be performed in the service. In some of the services, you can select to manage all resources for the selected action or some resources.

Manage Read-Only Access

Read-only access is granted with each role that is assigned to an administrator. You can also assign users and groups to the read-only role when you add them to the local directories.

The read-only administrator role gives users admin access to view the Workspace ONE Access console. Unless an administrator is assigned another role with additional access, they can only view the content in the Workspace ONE Access console.

When you assign the read-only role as a separate role, you can remove the role from the ReadOnly Admin role Assign page or from the user or group profile page.
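
The additive-role rule and the service dependencies described above (Directory Management needs Identity & Access Management; Roles Administration needs Users and Groups with Manage Users and Manage Groups) can be checked offline against an inventory of role definitions. The following is an added example, not VMware code or a Workspace ONE Access API: the role model, the sample roles, the Read-only pseudo-service, and every action name other than Manage Users and Manage Groups are constructed assumptions.

```python
# Added example: constructed role model, not a Workspace ONE Access API or export format.

# Rules stated on the page: a service may require another service (and actions) in the same role.
REQUIRES = {
    "Directory Management": {"Identity & Access Management": set()},
    "Roles Administration": {"Users and Groups": {"Manage Users", "Manage Groups"}},
}

# Constructed roles: name -> {service: actions}. Action names other than
# "Manage Users" and "Manage Groups" are hypothetical.
ROLES = {
    "Policy Editor": {"Identity & Access Management": {"Manage Policies"}},
    "Help Desk": {"Users and Groups": {"Manage Users"}},
    "Role Delegate": {"Roles Administration": {"Manage Roles"},
                      "Users and Groups": {"Manage Users"}},  # lacks Manage Groups
    "Dir Ops": {"Directory Management": {"Manage Directories"}},  # lacks IAM service
}


def dependency_issues(services):
    """Return the unmet requirements of one role definition."""
    issues = []
    for service, needs in REQUIRES.items():
        if service not in services:
            continue
        for dep, actions in needs.items():
            if dep not in services:
                issues.append(f"{service} requires {dep}")
            elif not actions <= services[dep]:
                missing = ", ".join(sorted(actions - services[dep]))
                issues.append(f"{service} requires {dep}: {missing}")
    return issues


def effective_access(role_names, roles=ROLES):
    """Union the actions of all assigned roles; holding any role adds read-only."""
    access = {}
    for name in role_names:
        for service, actions in roles[name].items():
            access.setdefault(service, set()).update(actions)
    if role_names:
        access["Read-only"] = {"View"}  # modelled as a pseudo-service (assumption)
    return access


if __name__ == "__main__":
    for name, services in ROLES.items():
        print(name, dependency_issues(services) or "ok")
    print(effective_access(["Help Desk", "Policy Editor"]))
```

Because access is a union, reviewing one role in isolation understates what an administrator can do; run the effective-access view per user, including roles inherited through groups.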