A local directory is one of the types of directories that you can create in the Workspace ONE Access service. A local directory enables you to provision local users in the service and provide them access to specific applications, without having to add them to your enterprise directory. A local directory is not connected to an enterprise directory and users and groups are not synced from an enterprise directory. Instead, you create local users directly in the local directory.

A default local directory, named System Directory, is available in the service. You can also create other local directories.

System Directory

The System Directory is a local directory that is automatically created in the service when it is first set up. This directory uses a domain called System Domain. You cannot change the directory or domain name of the System Directory or add new domains to it. You cannot delete the System Directory or the System Domain.

For Workspace ONE Access cloud deployments, a local administrator user is created in the System Domain of the System Directory when the tenant is first set up. The credentials you receive when you get a new tenant belong to this local administrator user.

The local administrator user that is created when you first set up the Workspace ONE Access appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. To provision end users and additional administrators and entitle them to applications, creating a new local directory is recommended.

Local Directories

Besides the System Directory, other local directories can be created. Each local directory can have one or more domains. When you create local users, you specify the directory and domain for users.

You can select user attributes that are required for the local users. User attributes such as userName, lastName, firstName, and email are specified at the global level in the Workspace ONE Access service and are required. Global user attributes apply to all directories in the service. At the local directory level, you can select other attributes that are required for the directory. Selecting other attributes allows you create a custom set of attributes for each local directory.

Creating local directories with customized mapped attributes is useful in scenarios such as the following.

  • You can create a local directory for a specific type of user that is not part of your enterprise directory. For example, you can create a local directory for partners, and provide partners access to only the specific applications they need.
  • If you want different user attributes or authentication methods for different sets of users, you can create different local directories. For example, you can create a local directory for distributors that has user attributes such as region and market size, and another local directory for suppliers that has user attributes such as product category and supplier type.

Identity Provider for System Directory and Local Directories

By default, the System Directory is associated with an identity provider named System Identity Provider. The Password (Local Directory) authentication method is enabled on this identity provider. The default_access_policy_set policy rule sets up this password authentication for the ALL RANGES network range for the Web Browser device type. You can configure additional authentication methods to the policy rules.

When you create a new local directory, this local directory is not associated with an identity provider. After creating the local directory, create a new built-in identity provider of type Embedded. Associate the local directory with the identity provider and enable the Password (Local Directory) authentication method. Multiple local directories can be associated with the same identity provider.

The Workspace ONE Access connector is not required for either the System Directory or for local directories you create.

Password Management for Local Directory Users

By default, all users configured in local directories can change their password in the user portal or from the Intelligent Hub app. You can set a password policy for local users. You can also reset local user passwords as needed.

Users click their name in the top-right corner to change their passwords when they are logged into their user portal . They select Account from the drop-down menu and click the Change Password link. In the Intelligent Hub app users can change their passwords by clicking their profile and selecting Change Password.

For information on setting password policies and resetting local user passwords, see Managing Passwords in Workspace ONE Access.