User roles in Workspace ONE UEM powered by AirWatch allow you to enable or disable specific actions that logged-in users can perform. These actions include controlling access to a device wipe, device query, and managing personal content. User Roles can also customize initial landing pages and restrict access to the Self-Service portal.

Creating multiple user roles is a time saving measure. You can make comprehensive configurations across different organization groups or change the user role for a specific user at any time.

Create a New User Role

In addition to the preset Basic Access and Full Access roles, you can create customized roles. Having multiple user roles available fosters flexibility and can potentially save time when assigning roles to new users.

  1. Navigate to Accounts > Users > Roles and select Add Role. The Add/Edit Role page displays.
  2. Enter a Name and Description, and select the Initial Landing Page of the SSP for users with this new role.

    For existing user roles, the default Initial Landing Page is the My Devices page.

  3. Select from a list of options the level of access and control end users of this assigned role have in the SSP.
    • Click Select None to clear all check boxes on the page.
    • Select all the check boxes on the page by selecting Select All.
  4. Save the changes to the role. The added user role now appears in the list on the Roles page.

What to do next: From the Roles page, you can view, edit, or delete roles.

Configure a Default Role

A default role is the baseline role from which all user roles are based. Configuring a default role enables you to set the permissions and privileges users automatically receive upon enrollment.

  1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Grouping tab.
  2. Configure a default level of access for end users in the Self-Service Portal (SSP) by selecting a Default Role.

    These role settings are customizable by organization group. Choose from the following.

    • Full Access - Grants users with access to higher SSP functions such as install/remove profiles and apps, reset passcodes, send device messages, and write-access to content.
    • Basic Access - Grants users with a low impact access. They can register their own device, view-only (but not install) profiles and apps, view their own account, and query and find their own device.
    • External Access - Users with External Access have all the abilities as basic access users but they also have read-only access to content on the SSP that is explicitly shared with them.
  3. Select Save.

Assign or Edit the Role of an Existing User

You can edit the role for a specific user, for example, to grant or restrict access to Workspace ONE UEM functions.

If you edit a role that is in use by a user, the edit does not take effect until the user logs out and then logs back in.

  1. Select the appropriate organization group.
  2. Navigate to Accounts > Users > List View.
  3. Search for the specific user that you want to edit from the list. Once you have identified the user, select the Edit icon under the check box. The Add/Edit User screen displays.
  4. In the General tab, scroll to the Enrollment section and select a User Role from this drop-down menu to change the role for this specific user.
  5. Select Save.