A local directory is one of the types of directories that you can create in the Workspace ONE Access service. A local directory enables you to provision local users in the service and provide them access to specific applications, without having to add the local users to your enterprise directory. A local directory is not connected to an enterprise directory, and users and groups are not synced from an enterprise directory. Instead, you create local users directly in the local directory.

System Directory

The System Directory is a local directory that is automatically created in the Workspace ONE Access service when Workspace ONE Access is first set up. The local directory uses a domain called System Domain. You cannot change the directory or domain name or add new domains to the System Directory. You cannot delete the System Directory or the System Domain.

The local administrator user is created in the System Domain of the System Directory. The local administrator is assigned the super admin role and can manage all features and functions in the Workspace ONE Access service. You add additional local admins with the super admin role to the local System Directory.

For Workspace ONE Access cloud deployments, when the tenant account is first set up, a local administrator user is created in the System Domain of the System Directory. The credentials you receive when you get a new tenant belong to this local administrator user.

For on-premises deployments, the local administrator user is created in the System Domain of the System Directory when you first set up the Workspace ONE Access appliance.

To provision end users and add administrators that are assigned other admin roles, create a new local directory.

Local Directories

Besides the System Directory, other local directories can be created. Each local directory can have one or more domains. When you create local users, you specify the directory and domain for users.

You can select user attributes that are required for the local users. User attributes such as userName, lastName, firstName, and email are specified at the global level in the Workspace ONE Access service and are required. Global user attributes apply to all directories in the service. At the local directory level, you can select other attributes that are required for the directory. Selecting other attributes allows you to create a custom set of attributes for each local directory.

Creating local directories with customized mapped attributes is useful in scenarios such as the following.

  • You can create a local directory for a specific type of user that is not part of your enterprise directory. For example, you can create a local directory for partners, and provide partners access to only the specific applications they need.
  • If you want different user attributes or authentication methods for different sets of users, you can create different local directories. For example, you can create a local directory for distributors that has user attributes such as region and market size, and another local directory for suppliers that has user attributes such as product category and supplier type.

Identity Provider for System Directory and Local Directories

By default, the System Directory is associated with an identity provider named System Identity Provider. The Password (Local Directory) authentication method is enabled on this identity provider. The default_access_policy_set policy rule sets up this password authentication for the ALL RANGES network range for the Web Browser device type. You can configure additional authentication methods in the policy rules.

When you create a new local directory, this local directory is not associated with an identity provider. After creating the local directory, create a new built-in identity provider of type Embedded. Associate the local directory with the identity provider and enable the Password (Local Directory) authentication method. Multiple local directories can be associated with the same identity provider.

The Workspace ONE Access connector is not required for either the System Directory or for local directories you create.

Password Management for Local Directory Users

By default, all users configured in local directories can change their password in the user portal or from the VMware Workspace ONE Intelligent Hub app. You can set a password policy for local users. You can also reset local user passwords as needed.

When users are logged in to their user portal, they change their passwords by clicking their name in the top-right corner, selecting Account from the drop-down menu, and clicking the Change Password link. In the Workspace ONE Intelligent Hub app, users can change their passwords by clicking their profile and selecting Change Password.

For information on setting password policies and resetting local user passwords, see Managing Passwords in Workspace ONE Access.