After you add your directory service groups to Workspace ONE UEM, you can use the resulting user groups for enrollment and role-based access. For device enrollment, you can map user groups to existing organization groups and automatically select a Group ID based on a user group. For console access, you can restrict the level of UEM console access (roles) that users have based on their user group membership.
You can configure settings to select a Group ID automatically based on a user group or allow users to select a Group ID from a list.
- Navigate to Grouping tab. and select the
- Choose Automatically Select Based on User Group as the Group ID Assignment Mode.
This option works only when your existing directory service already has user group assignments that are independent of Workspace ONE UEM.
Enabling this option ensures that users are automatically assigned to organization groups based on their directory service group assignments. Once selected, the Group Assignment Settings section displays all the organization groups (OG) for the environment and their associated directory service user groups.
When the Apply mapping on enrollment only setting is enabled, the user group assignment applies at enrollment time only. After enrollment, devices can be manually moved to another organization group. However, if the Apply mapping on enrollment only check box is still enabled, the device does not honor any new user group mapping. The event log captures the identity of the admin requesting this mapping at enrollment time.
For more information about the Event Log, see the VMware AirWatch Logging Guide, available on docs.vmware.com.
- Modify the organization group/user group associations and set the rank of precedence for each group by selecting Edit Group Assignment. Select Save when you are finished.
If a user belongs to multiple user groups, the rank determines which user group takes precedence. The user is associated with the OG of the highest-ranked user group to which they belong.
- Map roles, or console permissions, to user groups in the same way that user groups are mapped to organization groups. Enable the editing of role-based access levels by selecting Enable Directory Group-Based Mapping in the User Role Mapping section. To edit roles and rank user groups, as in step 3, select Edit Assignment.
For each user group, set the rank of precedence and the role associated with that group. Just as in step 3, if a user belongs to multiple user groups, the rank determines which user group, and therefore role, takes precedence. The user receives permissions for the highest-ranked user group to which they belong. Select Save when you are finished.
Access the Roles page and define new or edit existing Roles by navigating to.
- Select Save when you are done mapping user groups to enrollment organization groups and roles.
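The rank rule in steps 3 and 4 can be checked offline before you save a mapping. The following Python sketch is an added example, not VMware code: it resolves each user's effective organization group and role and lists the lower-ranked mappings that the winner overrides. All group, OG, and role names are constructed, and it assumes rank 1 is the highest rank.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    rank: int         # assumption: 1 is the highest rank of precedence
    user_group: str   # directory service user group
    target: str       # organization group or console role it maps to

def resolve(mappings, member_of):
    """Return the winning Mapping for a user, or None if no group is mapped."""
    hits = [m for m in mappings if m.user_group in member_of]
    return min(hits, key=lambda m: m.rank) if hits else None

def audit(mappings, users):
    """Per user: effective target, the group that granted it, and overridden targets."""
    report = {}
    for user, groups in users.items():
        winner = resolve(mappings, groups)
        overridden = sorted(
            (m for m in mappings
             if winner and m.user_group in groups and m.target != winner.target),
            key=lambda m: m.rank)
        report[user] = {
            "effective": winner.target if winner else None,
            "via": winner.user_group if winner else None,
            "overridden": [m.target for m in overridden],
        }
    return report

# Constructed sample data (hypothetical names, not from any real environment).
ROLE_MAP = [Mapping(1, "UEM-Admins", "role-full-admin"),
            Mapping(2, "Helpdesk", "role-helpdesk"),
            Mapping(3, "All-Staff", "role-read-only")]
OG_MAP = [Mapping(1, "Contractors", "OG-Restricted"),
          Mapping(2, "All-Staff", "OG-Corporate")]
USERS = {"alice": {"All-Staff", "UEM-Admins"},
         "bob": {"All-Staff", "Helpdesk"},
         "carol": {"All-Staff", "Contractors"},
         "dave": {"Interns"}}          # belongs to no mapped group

if __name__ == "__main__":
    for label, table in (("role", ROLE_MAP), ("OG", OG_MAP)):
        for user, row in audit(table, USERS).items():
            print(f"{label:4} {user:6} {row}")
```

Users whose `effective` value is `None` belong to no mapped group, and a non-empty `overridden` list shows where rank order, not group membership alone, decides the access a user receives.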