With role-based access control, you can create a role to manage one action or many actions.

When you create a role, you can add one or more services to the role. You name the role, select the type of services and the specific actions within the service that the role can manage.

  • When you create a role with the Directory Management service, the Identity and Access Management service must also be configured in the role.
  • When you create a role with the Roles Administration service, the User and Groups service must also be configured with the actions to manager users and to manage groups selected.


To create a role in the Workspace ONE Access service, you must be a super admin, also known as the system domain admin, who can access and manage all features and functions in the Workspace ONE Access services, or an admin user assigned the role that is configured with the Roles Administration service. See Managing Administrator Roles in Workspace ONE Access.


  1. In the Workspace ONE Access console Accounts > Roles page, click Add.
  2. In the Role Name text box, enter a descriptive role name and add a description.
    Each role name in your environment must be unique.
  3. Click Next.
  4. In the Configuration page, select the service to be managed by this role.
    1. In the Actions drop-down menu, select the type of actions that can be managed
    2. Resources is displayed. Select All resources to manage all resources within the action, or select Some and then select the condition that can be managed from the Conditions drop-down menu.
    3. To add additional actions to be managed by this role, in the Action(s) section, click + and continue to configure the action, resources, and conditions.
  5. Click SAVE.
  6. If you want to add another service to this role, select the service and configure the role.
  7. When finished, click SAVE on the Configuration page.

What to do next

Assign this role to users to make them administrators of this service.