You can make roles that grant specific kinds of access to the Workspace ONE UEM powered by AirWatch. You define roles for individual users and groups based on UEM console access levels you find useful.
For example, help desk administrators within your enterprise might have limited access within the console, while the IT Manager has a greater range of permissions. For details about this example, see the use case How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions.
To enable role-based access control, you must first set up administrator and user roles within the UEM console. Specific resources, also known as permissions, define these roles which enable and deactivate access to various features within the UEM console. You can create user roles granting access to the Self-Service Portal.
Since roles (and specifically resources or permissions) determine what users and admins can and cannot do in the UEM console, grant the correct resources or permissions with care. For example, if you require admins enter a note before a device can be enterprise wiped, the role must not only have the permissions to enterprise wipe a device but also add a note.
Roles are important to maintain the security of your device fleet, for example, the creation of staging users which is an elevated level administrator privilege. Treat staging user credentials the same as administrator privileges and do not disclose the user credentials.
There are several default roles already provided by Workspace ONE UEM powered by AirWatch from which you can select. These default roles are available with every upgrade and help quickly assign roles to new users. You can tailor the user privileges and permissions further if you require more customization.
Unlike default roles, custom roles require manual updates with every Workspace ONE UEM upgrade.
Each type of role includes inherent advantages and disadvantages. Default Roles save time in configuring a brand new role from scratch, logically suit various administrative privileges, and automatically update alongside new features and settings. However, Default Roles might not be a precise fit for your organization or MDM deployment, which is why Custom Roles are available.
Roles are available by default to device users in the Unified Endpoint Management Console.
Custom Roles allow you to customize as many unique roles as you require, and to tweak large or small changes across different users and administrators. However, you must manually maintain custom roles over time and update them with new features.
If none of the available default roles provide the proper fit for your organization, consider modifying an existing user role and creating a custom user role.
Create a custom end-user role by editing a default role included with the UEM console.
The following roles are available by default to administrators in the Workspace ONE UEM console.
Use the Admin Role Compare tool to compare the specific permissions of two admin roles. For more information, see the section on this page titled, Create Administrator Role.
|System Administrator||The System Administrator role provides complete access to a Workspace ONE UEM environment. This role includes access to the Password and Security settings, Session Management, and UEM console audit information, located in the Administration tab under System Configuration.
This role is limited to environment managers, for example, SaaS Operations teams for all SaaS environments hosted by VMware.
|AirWatch Administrator||The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings.
This role is limited to VMware employees with access to environments for troubleshooting, installation, and configuration purposes.
|Console Administrator||The Console Administrator role is the default admin role for shared SaaS environments. The role features limited functionality surrounding compliance policy attributes, report authoring, and organization group selection.|
|Device Manager||The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD) /Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), device-UEM interface hubs such as the Intelligent Hub, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator.|
|Report Viewer||The Report Viewer role allows viewing of the data captured through Mobile Device Management (MDM). This role limits its users to generating, viewing, exporting, and subscribing to reports from the UEM console.|
|Content Management||The Content Management role only includes access to VMware Content Locker management. Use this role for specialized administrators responsible for uploading and managing a device content.|
|Application Management||The Application Management role allows admins with this access to deploy and manage the device fleet’s internal and public apps. Use this role for an application management administrator.|
|Help Desk||The Help Desk role provides the tools necessary for most Level 1 IT Help Desk functions. The primary tool available in this role is the ability to see and respond to device info with remote actions. However, this role also contains report viewing and device searching abilities.|
|App Catalog Only Administrator||The App Catalog Only Admin role has much the same permissions as Application Management. Added to these permissions are abilities to add and maintain admin and user accounts, admin and user groups, device details, and tags.|
|Read Only||The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators.|
|Horizon Administrator||The Horizon Administrator role is a specially designed set of permissions for complementing a Workspace ONE UEM configuration integrated with VMware Horizon View.|
|NSX Administrator||The NSX Administrator role is a specially designed set of permissions intended to complement VMware NSX integrated with Workspace ONE UEM. This role offers the full complement of system and certificate management permissions, allowing administrators to bridge endpoint security with data center security.|
|Privacy Officer||The Privacy Officer role provides read access to Monitor Overview, Device List View, View system settings, and full edit permissions for privacy settings.|
If the available default roles provide no proper fit for admin resources in your organization, consider modifying an existing default role into a custom admin role.
Create a custom administrator role by editing a default role included with the UEM console.
What to do next: For more information, see the section on this page titled, Create Administrator Role.
You can enable or deactivate permissions for every available setting and resource in Workspace ONE UEM powered by AirWatch. These settings grant or restrict console abilities for each member of your admin team, enabling you to craft a hierarchy of administrators specific to your needs.
Creating multiple admin roles is a time saving measure. Making comprehensive configurations across different organization groups means that you can change the permissions for a specific administrator at any time.
If you edit a role that is in use by an administrator, it does not apply until the administrator logs out and then logs back in.
Navigate to Accounts > Administrators > Roles.
You can delete an unused role from your library of administrator roles. You cannot delete an assigned role. Select an unassigned role and select the Delete button.
You can edit the name, description, and specific permissions of a role. Select the pencil icon to the left of the role name from the listing and the Edit Role screen displays.
You can also download an XLSX or CSV (comma-separated values) file containing the entire Administrators Roles List View. You can then view and analyze this file with MS Excel. Select the Export button and choose a download location. For information about exporting roles and later importing them, see the section on this page called Export Admin Roles.
Navigate to Accounts > Administrators > Roles and select Add Role in the UEM console.
In the Create Role, enter the Name and Description of the role.
Select from the list of Categories.
The Categories section organizes top-level categories such as Device Management under which are located subcategories including Applications, Browser, and Bulk Management among others. This category subdivision enables an easy and quick role creation process. Each subcategory setting in the right panel has a Read and Edit check box.
When you select from the Categories section, its subcategorized contents (individual settings) populate in the right panel. Each individual setting features its own Read and Edit check box and a “select all” style Read and Edit check box in the column heading. This arrangement allows for a flexible level of control and customization while creating roles.
Use the Search Resources text box to narrow down the number of resources from which you can select. Resources are generally labeled the same way as they are referred to in the UEM console itself. For example, if you want to limit an admin role to editing App Logs, then enter “App Logs” in the Search Resources box and a listing of all resources that contain the string “App Logs” displays.
Select the appropriate Read and Edit check box in the corresponding resource options. You can also choose to clear any of the selected resources.
To make blanket category selections, select None, Read, or Edit directly from the Categories section without ever populating the right panel. Select the circular icon to the right of the Category label, which is a drop-down menu. Use this selection method when you are certain you want to select none, read-only, or edit capabilities for the entire category setting.
What to do next: You must update the custom role after each Workspace ONE UEM version update to account for the new permissions in the latest release.
Administrator roles are a portable resource. This portability can save time if you manage more than one Workspace ONE UEM environment. You can export settings from one environment as an XML file, then import that XML file into another environment. Such activity can cause versioning issues.
There can be cases where an exported role is imported into an environment running an earlier version of Workspace ONE UEM. This earlier version might not have the same resources and permissions that comprise the imported role.
In these cases, Workspace ONE UEM notifies you with the following message.
There are some permissions in this environment that are not found in your imported file. Review and correct the highlighted permissions before saving.
Use the category listing page to deselect the highlighted permissions. This action allows you to save the role to the new environment.
You can save time by making a copy of an existing role. You can also change the permissions of the copy and save it under a different name.
If you are importing an admin role named the same as an existing admin role, you might find it useful to rename the existing role first. Renaming a role enables you to keep both the old and the new role in the same environment.
There is a visual indicator in the Categories section that reflects the current selection of read-only, edit, or a combination of each. This indicator reports what the setting is without requiring you to open and examine the individual subcategory settings.
The indicator features a circular icon located to the right side of the Category listing that reports the following.
|All options in this category have the edit capability (which by definition means that they also have read-only capability).|
|Most category settings have the edit capability enabled, but edits are deactivated for at least one subcategory.|
|All category settings have read-only enabled (edit deactivated).|
|Most category settings are read-only, but edits are enabled for at least one subcategory.|
You can assign roles which expands the capabilities of an Admin in the Workspace ONE UEM console. You can also edit the existing role loadout, potentially limiting or expanding an admin’s capabilities.
If you edit a role loadout that is in use by an administrator, it does not take effect until the administrator logs out and then logs back in.
You can view all the resources, or permissions, of any administrator role, including custom and default roles. This view can help you determine what an admin can, and cannot, do in the UEM console.
Roles are composed of hundreds of resources, also called permissions, which allow access (read only or edit) to a specific function within the UEM console.
The View Role and Edit Role screens are the same except that the Edit Role screen allows you to make and save changes with the Save button.
To view or edit the resources of an admin role, take the following steps.
Select from among the following choices, a or b:
Some facts about the listing, whether you select View or Edit.
You can use the Search Resources text box to locate a specific function by name. This search feature makes it easy to locate a specific tag-related function and assign it to a role.
For example, if you want to make an admin role that can only add a tag to a device, enter the word “tag” in the Search Resources text box and press the enter key. Every resource that contains the string “tag” in the Category or Name or Description or Description Details, appears in the right panel.
Note: Keep in mind, “Staging” as in Staging Devices, also includes the “tag” string.
What to do next: You can apply these steps to making your own roles by visiting the section on this page entitled Create Administrator Role.
When creating an administrator role, it is often easier to modify an existing role than it is to create one from scratch. The Compare Roles tool lets you compare the permissions settings of any two administrator roles for the sake of accuracy or to confirm your deliberate settings differences.
Select Compare. The Compare Roles page displays featuring a list of categories. Selecting a specific category on the left populates all the details of that category on the right.
“There are no differences in permissions between the two roles.”
What to do next: You can optionally select Export to create an Excel-viewable XLSX or CSV file (comma-separated values). The export file contains all settings for Role 1 and Role 2, enabling you to analyze the differences between them.
User roles in Workspace ONE UEM powered by AirWatch allow you to enable or deactivate specific actions that users can perform. These actions include controlling access to a device wipe, device query, and managing personal content. User Roles can also customize initial landing pages and restrict access to the Self-Service portal.
Creating multiple user roles is a time saving measure. You can make comprehensive configurations across different organization groups or change the user role for a specific user at any time.
In addition to the preset Basic Access and Full Access roles, you can create customized roles. Having multiple user roles available fosters flexibility and can potentially save time when assigning roles to new users.
Enter a Name and Description, and select the Initial Landing Page of the SSP for users with this new role.
For existing user roles, the default Initial Landing Page is the My Devices page.
Select from a list of options the level of access and control end users of this assigned role have in the SSP.
What to do next: From the Roles page, you can view, edit, or delete roles.
A default role is the baseline role from which all user roles are based. Configuring a default role enables you to set the permissions and privileges users automatically receive upon enrollment.
Configure a default level of access for end users in the Self-Service Portal (SSP) by selecting a Default Role.
These role settings are customizable by organization group. Choose from the following.
You can edit the role for a specific user, for example, to grant or restrict access to Workspace ONE UEM functions.
If you edit a role that is in use by a user, the edit does not take effect until the user logs out and then logs back in.
How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions
You can make a custom role that allows a help desk admin to do only the things in Workspace ONE UEM powered by AirWatch that you allow them to do. Learn how accounts, roles, and programmable permissions all work together to get you where you need to go.