Fine-tuning user group permissions in Workspace ONE Express allows you to reconsider who inside your organization can edit certain groups. For example, if your organization has a user group for company executives, you might not want lower-level administrators to have management permissions for that user group.

Use the Permissions tab to control who can manage certain user groups and who can assign profiles, compliance policies, and applications to user groups.


  1. Navigate to Accounts > User Groups > List View.
  2. Select the Edit icon of an existing user group row.
  3. Select the Permissions tab, then select the Add button.
  4. The Organization Group displays the prepopulated organization group.
  5. Select the Permissions you want to enable.
    • Manage Group (Edit/Delete) – Activate the ability to edit and delete user groups.
    • Manage Users Within Group and Allow Enrollment – Manage users within the user group and to allow a device enrollment in the OG. This setting can only be enabled when Manage Group (Edit/Delete) is also enabled. If Manage Group (Edit/Delete) is disabled, then this setting is also disabled.
    • Use Group For Assignment – Use the group to assign security policies and enterprise resources to devices. This setting can only be changed if Manage Group (Edit/Delete) is disabled. If Manage Group (Edit/Delete) is enabled, then this setting becomes locked and uneditable.
      • This setting is disabled when the user group is managed by a parent OG and you want to assign the group from one of its children OGs.
  6. Select the Scope of these permissions, that is, which groups of administrators are allowed to manage or use this user group. Only one of the following options may be active.
    • Administrator Only – The permissions affect only those administrators at the parent OG.
    • All Administrators at or below this Organization Group – The permissions affect the administrators in the OG.
  7. Select Save.