Admin roles allow you to enable or disable permissions for every available setting and resource in Workspace ONE UEM powered by AirWatch. These settings grant or restrict console abilities for each member of your admin team, enabling you to craft a hierarchy of administrators specific to your needs.

Creating multiple admin roles is a time-saving measure. Making comprehensive configurations across different organization groups means you can change the permissions for a specific administrator at any time.

Making Admin Role Changes Effective

If you edit a role that is in use by an administrator, the edit does not apply until the administrator logs out and then logs back in.

Admin Roles List View

The Administrator Roles List View can be found by navigating to Accounts > Administrators > Roles.

You can delete an unused role from your library of administrator roles. You cannot delete a role that is assigned to an admin. Select an unassigned role you want to delete and select the Delete button.

You can edit an existing role's name, description, and specific permissions. Select the pencil icon to the left of the role name from the listing and the Edit Role screen displays, enabling you to make changes.

You can also download an XLSX or CSV (comma-separated values) file containing the entire Administrators Roles List View. You can then view and analyze this file with MS Excel. Select the Export button and choose a download location. For information about exporting roles for the purpose of later importing them, see the section on this page called Export Admin Roles.

Create Administrator Role

You can create administrator roles which define specific tasks that can be performed in Workspace ONE UEM. You then assign these roles to individual admins.

  1. Navigate to Accounts > Administrators > Roles and select Add Role in the UEM console.

    This screenshot features the Create Role screen with Categories on the left and searchable Content Management on the right.

  2. On the Create Role screen, enter the Name and Description of the role.
  3. Select from the list of Categories.

    The Categories section organizes top-level categories such as Device Management under which are located subcategories including Applications, Browser, and Bulk Management among others. This category subdivision enables an easy and quick role creation process. Each subcategory setting in the right panel has a Read and Edit check box.

    When you select from the Categories section, its subcategorized contents (individual settings) populate in the right panel. Each individual setting features its own Read and Edit check box and a "select all" style Read and Edit check box in the column heading. This arrangement allows for a flexible level of control and customization while creating roles.

    Use the Search Resources text box to narrow down the number of resources from which you can select. Resources are generally labeled the same way as they are referred to in the UEM console itself. For example, if you want to limit an admin role to editing App Logs, then enter "App Logs" in the Search Resources box and a listing of all resources that contain the string "App Logs" displays.

  4. Select the appropriate Read and Edit check box in the corresponding resource options. You can also choose to clear any of the selected resources.

    This screenshot shows how clicking the orange pie graphs lets you choose an edit mode for an entire category.

  5. To make blanket category selections, select None, Read, or Edit directly from the Categories section without ever populating the right panel. Select the circular icon to the right of the Category label, which is a drop-down menu. Use this selection method when you are certain you want to select none, read-only, or edit capabilities for the entire category setting.
  6. Select Save to finish creating the Custom Role. You can now view the added role in the list on the Roles page. From here, you can also edit the role details or delete the role.

What to do next: You must update the custom role after each Workspace ONE UEM version update to account for the new permissions in the latest release.

Export Admin Roles

Administrator roles are a portable resource. This portability can save time if you manage more than one Workspace ONE UEM environment. You can export settings from one environment as an XML file, then import that XML file into another environment. Be aware that such activity can cause versioning issues.

This screenshot shows the button cluster that displays when an admin role is selected, highlighting the Export function.

  1. Navigate to Accounts > Administrators > Roles.
  2. Select the check box next to the administrator role that you want to export. Doing so displays action buttons above the role listing. If you select more than one admin role, the Export action is not available.
  3. Select Export and save the XML file to a location on your device.

Import Admin Roles

  1. Navigate to Accounts > Administrators > Roles and select Import Role.
  2. In the Import Role page, select Browse and locate the previously saved XML file. Select Upload to upload the admin role to the Category listing for validation.
  3. Workspace ONE UEM performs a series of validation checks including an XML file check, importing role permission check, duplicate role name check, and blank name and description check.
  4. Check the resource settings and verify their imported role specifications by selecting specific Categories in the left pane.
  5. You can also edit the resources and the Name and Description of the imported role based on your needs. If you want to keep both the existing role and the imported role, then rename the existing admin role before importing the new role.
    1. If the role you are importing is named the same as an existing role in your environment, then a message displays. "A role with this name exists in this environment. Would you Like to override the existing role?"
    2. If you select No, then the existing role in your environment remains untouched and the role import is canceled.
    3. If you select Yes, then you are prompted for the security PIN, which if entered correctly, replaces the existing role with the imported role.
  6. Select Save to apply the imported role to the new environment.

Versioning Issues When Importing and Exporting Admin Roles

There can be cases where an exported role is imported into an environment running an earlier version of Workspace ONE UEM. This earlier version might not have the same resources and permissions that comprise the imported role.

In these cases, Workspace ONE UEM notifies you with the following message.

There are some permissions in this environment that are not found in your imported file. Review and correct the highlighted permissions before saving.

Use the category listing page to deselect the highlighted permissions. This action allows you to save the role to the new environment.

Copy Role

You can save time by making a copy of an existing role. You can also change the permissions of the copy and save it under a different name.

  1. Select the check box next to the role you want to copy.
  2. Select the Copy button. The Copy Role page displays.
  3. Make your changes to the Categories, Name, and Description.
  4. When finished, select Save.

Rename an Admin Role

If you are importing an admin role named the same as an existing admin role, you might find it useful to rename the existing role first. Renaming a role enables you to keep both the old and the new role in the same environment.

  1. Navigate to Accounts > Administrators > Roles and select the Edit icon of the role you want to rename. The Edit Role page displays.
  2. Edit the Name of the role and optionally, the Description.
  3. Select Save.

Read/Edit Indicator in Categories for Admin Roles

There is a visual indicator in the Categories section that reflects the current selection of read-only, edit, or a combination of each. This indicator reports what the setting is without requiring you to open and examine the individual subcategory settings.

The indicator features a circular icon located to the right side of the Category listing that reports the following.

  • This indicator icon is shaped like a full circle, colored orange, indicating a full editing capability. All options in this category have the edit capability (which by definition means that they also have read-only capability).
  • This indicator icon is shaped like a circle filled in three-quarters, colored orange, indicating a partial editing capability. Most category settings have the edit capability enabled, but edits are disabled for at least one subcategory.
  • This indicator icon is shaped like a half circle, colored orange, indicating a read-only capability. All category settings have read-only enabled (edit disabled).
  • This indicator icon is shaped like a circle filled in one-quarter, colored orange, indicating a partial editing capability. Most category settings are read-only, but edits are enabled for at least one subcategory.

Assign a Role or Edit the Role Loadout of an Admin

You can assign roles, which expands the capabilities of an admin in the Workspace ONE UEM console. You can also edit the existing role loadout, potentially limiting or expanding an admin's capabilities.

If you edit a role loadout that is in use by an administrator, the edit does not take effect until the administrator logs out and then logs back in.

  1. Navigate to Accounts > Administrators > List View, locate the admin account whose role loadout you want to change, and select the Edit icon to the left of the admin account username. The Add/Edit Admin page displays.
  2. Select the Roles tab and then choose from among the following, a, b, or a combination of both:
    a. If you want to add a new role to the admin account, select the Add Role button, then enter the Organization Group and Role details for each role that you add.
    b. If you want to delete an existing role from the admin account, select the role and then select the Delete button.
  3. Select Save.

View the Resources of an Admin Role

You can view all the resources, or permissions, of any administrator role, including custom and default roles. This view can help you determine what an admin can, and cannot, do in the UEM console.

Roles are composed of hundreds of resources, also called permissions, which allow access (read only or edit) to a specific function within the UEM console.

The View Role and Edit Role screens are the same except that the Edit Role screen allows you to make and save changes with the Save button.

To view or edit the resources of an admin role, take the following steps.

  1. Navigate to Accounts > Administrators > Roles.
  2. Locate the admin role you want to see the permissions for. If you have a large library of admin roles, use the Search List bar in the upper-right corner to narrow the listing.
  3. Select from among the following choices, a or b:
    a. To view the role, select the name of the role, which is a link, and the View Role screen displays containing all the permissions associated with the role. When finished auditing administrator roles, select Close.
    b. To edit the role, select the Edit icon to the left of the role name, and the Edit Role screen displays. Edit the role by adding or removing Read and Edit check marks. When finished editing the role, select Save.

Some facts about the listing, whether you select View or Edit.

  • Role Categories are listed in the left panel. There might be role subcategories which you can expand to view. Select the '>' indicator to expand the category.
  • For more information about the orange-colored read/edit visual indicators seen on this screen, see the section on this page entitled Read/Edit Indicator in Categories for Admin Roles.
  • Select a specific category in the left panel and the category, name, and description of each resource displays on the right panel.
    • The Details link to the far right reveals each specific read-only and edit function within the UEM console.
  • You can use the Search Resources text box to locate a specific function by name. This search feature makes it easy to locate a specific tag-related function and assign it to a role.
    • For example, if you want to make an admin role that can only add a tag to a device, enter the word "tag" in the Search Resources text box and press the enter key. Every resource that contains the string "tag" in the Category or Name or Description or Description Details, appears in the right panel.
      Note: Keep in mind, "Staging" as in Staging Devices, also includes the "tag" string.

What to do next: You can apply these steps to making your own roles by visiting the section on this page entitled Create Administrator Role.

Compare Two Roles

When creating an administrator role, it is often easier to modify an existing role than it is to create one from scratch. The Compare Roles tool lets you compare the permissions settings of any two administrator roles for the sake of accuracy or to confirm your deliberate settings differences.

  1. Navigate to Accounts > Administrators > Roles.
  2. Locate any two listed roles, including roles that appear on different pages, and select those roles.
  3. Select Compare. The Compare Roles page displays featuring a list of categories. Selecting a specific category on the left populates all the details of that category on the right.

    The screenshot of the Compare Roles page shows Categories on the left and searchable resource descriptions on the right.

    • If you have fewer than two or more than two roles selected, the Compare button does not display.
    • Role subcategories can be viewed in the right panel by selecting the Details link to the far-right side. Collapse the role subcategory by selecting the Hide link.
    • There is an All category in the left panel that, when selected, displays all the parent categories on the Compare Roles page. When you enter a search parameter in the Search Resources bar, the right panel only displays matching category and resources (also known as permissions) listings.
    • The search function is persistent. This persistence means that if you have a parameter in the Search Resources bar, selecting the All category displays only the matching categories and resources. The search function is persistent even after you select specific resources and make Read and Edit selections.
    • By default, only those categories and subcategories whose settings are different are displayed. You can display all the permissions including those settings that are identical across the two selected roles by enabling the Show All Permissions check box.
    • If you select two roles that have identical permissions across the board, the console displays this message at the top of the Compare Roles page.

      "There are no differences in permissions between the two roles."

What to do next: You can optionally select Export to create an Excel-viewable XLSX or CSV file (comma-separated values). The export file contains all settings for Role 1 and Role 2, enabling you to analyze the differences between them.
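
For offline review of the Compare Roles export, the following added example (not part of the product or its documentation) diffs the two roles in a CSV and reports which role has the broader access on each resource. The column names (Category, Resource, Role 1, Role 2), the None/Read/Edit cell values, and the sample rows are assumptions constructed for this example; adjust them to the header of your actual export.

```python
import csv
import io

# Access levels, ordered. Edit implies Read, as the indicator section states.
LEVELS = {"None": 0, "Read": 1, "Edit": 2}

# Constructed sample data. The column names are assumptions for this example,
# not the console's real export header; adjust them to match your file.
SAMPLE_EXPORT = """\
Category,Resource,Role 1,Role 2
Device Management,App Logs,Read,Edit
Device Management,Bulk Management,Edit,Edit
Device Management,Staging Devices,None,Read
Accounts,Administrators,Edit,Read
Accounts,Roles,Read,Read
"""

def load_rows(text):
    """Parse export text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def compare_roles(rows, show_all=False):
    """Return (category, resource, role1, role2, verdict) tuples.

    Like the Compare Roles page, identical rows are hidden unless show_all
    is set (the equivalent of Show All Permissions).
    """
    results = []
    for row in rows:
        first, second = row["Role 1"].strip(), row["Role 2"].strip()
        if first not in LEVELS or second not in LEVELS:
            raise ValueError(f"unknown access level in row: {row}")
        if LEVELS[second] > LEVELS[first]:
            verdict = "role2_broader"
        elif LEVELS[second] < LEVELS[first]:
            verdict = "role1_broader"
        else:
            verdict = "same"
        if show_all or verdict != "same":
            results.append((row["Category"], row["Resource"], first, second, verdict))
    return results

def resources_where(results, verdict):
    """List the resource names that carry the given verdict."""
    return [resource for _, resource, _, _, v in results if v == verdict]

if __name__ == "__main__":
    for item in compare_roles(load_rows(SAMPLE_EXPORT)):
        print(*item, sep=" | ")
```

An empty result from `compare_roles` corresponds to the console's "no differences" message; rows marked `role2_broader` are the ones to review before assigning the second role in place of the first.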