Role-based Access

You can make roles that grant specific kinds of access to the Workspace ONE UEM powered by AirWatch. You define roles for individual users and groups based on UEM console access levels you find useful.

For example, help desk administrators within your enterprise might have limited access within the console, while the IT Manager has a greater range of permissions. For details about this example, see the use case How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions.

To enable role-based access control, you must first set up administrator and user roles within the UEM console. Specific resources, also known as permissions, define these roles which enable and deactivate access to various features within the UEM console. You can create user roles granting access to the Self-Service Portal.

Since roles (and specifically resources or permissions) determine what users and admins can and cannot do in the UEM console, grant the correct resources or permissions with care. For example, if you require admins enter a note before a device can be enterprise wiped, the role must not only have the permissions to enterprise wipe a device but also add a note.

Roles are important to maintain the security of your device fleet, for example, the creation of staging users which is an elevated level administrator privilege. Treat staging user credentials the same as administrator privileges and do not disclose the user credentials.

Default and Custom Roles

There are several default roles already provided by Workspace ONE UEM powered by AirWatch from which you can select. These default roles are available with every upgrade and help quickly assign roles to new users. You can tailor the user privileges and permissions further if you require more customization.

Unlike default roles, custom roles require manual updates with every Workspace ONE UEM upgrade.

Each type of role includes inherent advantages and disadvantages. Default Roles save time in configuring a brand new role from scratch, logically suit various administrative privileges, and automatically update alongside new features and settings. However, Default Roles might not be a precise fit for your organization or MDM deployment, which is why Custom Roles are available.

Default End-User Roles

Roles are available by default to device users in the Unified Endpoint Management Console.

  • Full Access Role – Provides full access to the Self-Service Portal.
  • Basic Access Role – Provides all permissions except MDM commands from the Self-Service Portal.

Custom Roles allow you to customize as many unique roles as you require, and to tweak large or small changes across different users and administrators. However, you must manually maintain custom roles over time and update them with new features.

Edit a Default End-User Role to Create a Custom User Role

If none of the available default roles provide the proper fit for your organization, consider modifying an existing user role and creating a custom user role.

Create a custom end-user role by editing a default role included with the UEM console.

This screenshot shows the Accounts, Users Roles page, which you can use to make custom user roles from default roles.

  1. Ensure that you are currently in the organization group you want the new role to be associated with.
  2. Navigate to Accounts > Users > Roles.
  3. Determine which role from the list best fits the role you want to create. Then edit that role by selecting the edit icon (The edit icon is shaped like a gray pencil.) to the far right. The Add/Edit Role page displays.
  4. Edit the Name, Description, and Initial Landing Page text boxes as necessary. Review each of the check boxes. These options represent the various permissions, selecting and deselecting those options as necessary.
  5. Select Save.

Default Administrator Roles

The following roles are available by default to administrators in the Workspace ONE UEM console.

Use the Admin Role Compare tool to compare the specific permissions of two admin roles. For more information, see the section on this page titled, Create Administrator Role.

Role Description
System Administrator The System Administrator role provides complete access to a Workspace ONE UEM environment. This role includes access to the Password and Security settings, Session Management, and UEM console audit information, located in the Administration tab under System Configuration.

This role is limited to environment managers, for example, SaaS Operations teams for all SaaS environments hosted by VMware.
AirWatch Administrator The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings.

This role is limited to VMware employees with access to environments for troubleshooting, installation, and configuration purposes.
Console Administrator The Console Administrator role is the default admin role for shared SaaS environments. The role features limited functionality surrounding compliance policy attributes, report authoring, and organization group selection.
Device Manager The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD) /Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), device-UEM interface hubs such as the Intelligent Hub, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator.
Report Viewer The Report Viewer role allows viewing of the data captured through Mobile Device Management (MDM). This role limits its users to generating, viewing, exporting, and subscribing to reports from the UEM console.
Content Management The Content Management role only includes access to VMware Content Locker management. Use this role for specialized administrators responsible for uploading and managing a device content.
Application Management The Application Management role allows admins with this access to deploy and manage the device fleet’s internal and public apps. Use this role for an application management administrator.
Help Desk The Help Desk role provides the tools necessary for most Level 1 IT Help Desk functions. The primary tool available in this role is the ability to see and respond to device info with remote actions. However, this role also contains report viewing and device searching abilities.
App Catalog Only Administrator The App Catalog Only Admin role has much the same permissions as Application Management. Added to these permissions are abilities to add and maintain admin and user accounts, admin and user groups, device details, and tags.
Read Only The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators.
Horizon Administrator The Horizon Administrator role is a specially designed set of permissions for complementing a Workspace ONE UEM configuration integrated with VMware Horizon View.
NSX Administrator The NSX Administrator role is a specially designed set of permissions intended to complement VMware NSX integrated with Workspace ONE UEM. This role offers the full complement of system and certificate management permissions, allowing administrators to bridge endpoint security with data center security.
Privacy Officer The Privacy Officer role provides read access to Monitor Overview, Device List View, View system settings, and full edit permissions for privacy settings.

Edit a Default Admin Role to Create a Custom Admin Role

If the available default roles provide no proper fit for admin resources in your organization, consider modifying an existing default role into a custom admin role.

Create a custom administrator role by editing a default role included with the UEM console.

This screenshot shows the Accounts, Administrator Roles page, which you can use to make custom admin roles from default roles.

  1. Ensure that you are currently in the organization group with which you want the new role to be associated.
  2. Navigate to Accounts > Administrators > Roles.
  3. Determine which role from the list best fits the role you want to create. Select the check box for that role.
  4. Select Copy from the actions menu. The Copy Role page displays.
  5. Edit specific settings of the copy in the resulting Copy Role page. Create a unique Name and Description for the customized role.
  6. Select Save.

What to do next: For more information, see the section on this page titled, Create Administrator Role.

Admin Roles

You can enable or deactivate permissions for every available setting and resource in Workspace ONE UEM powered by AirWatch. These settings grant or restrict console abilities for each member of your admin team, enabling you to craft a hierarchy of administrators specific to your needs.

Creating multiple admin roles is a time saving measure. Making comprehensive configurations across different organization groups means that you can change the permissions for a specific administrator at any time.

Making Admin Role Changes Effective

If you edit a role that is in use by an administrator, it does not apply until the administrator logs out and then logs back in.

Admin Roles List View

Navigate to Accounts > Administrators > Roles.

You can delete an unused role from your library of administrator roles. You cannot delete an assigned role. Select an unassigned role and select the Delete button.

You can edit the name, description, and specific permissions of a role. Select the pencil icon to the left of the role name from the listing and the Edit Role screen displays.

You can also Export a CSV (comma-separated values) file containing the entire Administrators Roles List View. You can then view and analyze this file with MS Excel. Select the Export button navigate to Monitor > Reports & Analytics > Exports to view and download the resulting report.

Create Administrator Role

  1. Navigate to Accounts > Administrators > Roles and select Add Role in the UEM console.

    This screenshot features the Create Role screen with Categories on the left and searchable Content Management on the right.

  2. In the Create Role, enter the Name and Description of the role.

  3. Select from the list of Categories.

    The Categories section organizes top-level categories such as Device Management under which are located subcategories including Applications, Browser, and Bulk Management among others. This category subdivision enables an easy and quick role creation process. Each subcategory setting in the right panel has a Read and Edit check box.

    When you select from the Categories section, its subcategorized contents (individual settings) populate in the right panel. Each individual setting features its own Read and Edit check box and a “select all” style Read and Edit check box in the column heading. This arrangement allows for a flexible level of control and customization while creating roles.

    Use the Search Resources text box to narrow down the number of resources from which you can select. Resources are generally labeled the same way as they are referred to in the UEM console itself. For example, if you want to limit an admin role to editing App Logs, then enter “App Logs” in the Search Resources box and a listing of all resources that contain the string “App Logs” displays.

  4. Select the appropriate Read and Edit check box in the corresponding resource options. You can also choose to clear any of the selected resources.

    This screenshot shows how clicking on the orange pie graphs can let you choose an edit more for an entire category.

  5. To make blanket category selections, select None, Read, or Edit directly from the Categories section without ever populating the right panel. Select the circular icon to the right of the Category label, which is a drop-down menu. Use this selection method when you are certain you want to select none, read-only, or edit capabilities for the entire category setting.

  6. Select Save to finish creating the Custom Role. You can now view the added role in the list on the Roles page. From here, you can also edit the role details or delete the role.

What to do next: You must update the custom role after each Workspace ONE UEM version update to account for the new permissions in the latest release.

Export Admin Roles

Administrator roles are a portable resource. This portability can save time if you manage more than one Workspace ONE UEM environment. You can export settings from one environment as an XML file, then import that XML file into another environment. Such activity can cause versioning issues.

This screenshot shows the button cluster that displays when an admin role is selected, highlighting the Export function.

  1. Navigate to Accounts > Administrators > Roles.
  2. Export a role by selecting the check box next to the administrator role. If you select more than one admin role, the Export action is not available.
  3. Select the Export button and save the XML file to a location on your device.

Import Admin Roles

  1. Navigate to Accounts > Administrators > Roles and select Import Role.

    This screenshot shows the Accounts, Administrators Roles page with the Import Role button highlighted.

  2. In the Import Role page, select Browse and locate the previously saved XML file. Upload the admin role to the Category listing for validation by selecting Upload.

  3. Workspace ONE UEM performs a series of validation checks including an XML file check, importing role permission check, duplicate role name check, and blank name and description check.
  4. Check the resource settings and verify their imported role specifications by selecting specific Categories in the left pane.
  5. You can also edit the resources and the Name and Description of the imported role based on your needs. If you want to keep both the existing role and the imported role, then rename the existing admin role before importing the new role.
    1. If the role you are importing is named the same as an existing role in your environment, then a message displays. “A role with this name exists in this environment. Would you Like to override the existing role?”
    2. If you select No, then the existing role in your environment remains untouched and the role import is canceled.
    3. If you select Yes, then you are prompted for the security PIN, which if entered correctly, replaces the existing role with the imported role.
  6. Select Save to apply the imported role to the new environment.

Versioning Issues When Importing and Exporting Admin Roles

There can be cases where an exported role is imported into an environment running an earlier version of Workspace ONE UEM. This earlier version might not have the same resources and permissions that comprise the imported role.

In these cases, Workspace ONE UEM notifies you with the following message.

There are some permissions in this environment that are not found in your imported file. Review and correct the highlighted permissions before saving.

Use the category listing page to deselect the highlighted permissions. This action allows you to save the role to the new environment.

Copy Role

You can save time by making a copy of an existing role. You can also change the permissions of the copy and save it under a different name.

This screenshot shows the Accounts, Administrator Roles page with a role selected and the Copy button highlighted.

  1. Navigate to Accounts > Administrators > Roles.
  2. Select the check box next to the role you want to copy.
  3. Select the Copy button. The Copy Role page displays.
  4. Make your changes to the Categories, Name, and Description.
  5. When finished, select Save.

Rename an Admin Role

If you are importing an admin role named the same as an existing admin role, you might find it useful to rename the existing role first. Renaming a role enables you to keep both the old and the new role in the same environment.

This screenshot shows the Accounts, Administrator Roles page with a role copy selected, ready to be edited and renamed.

  1. Navigate to Accounts > Administrators > Roles and select the Edit icon (The edit icon is in the shape of a grey pencil.) of the role you want to rename. The Edit Role page displays.
  2. Edit the Name of the role and optionally, the Description.
  3. Select Save.

Read/Edit Indicator in Categories for Admin Roles

There is a visual indicator in the Categories section that reflects the current selection of read-only, edit, or a combination of each. This indicator reports what the setting is without requiring you to open and examine the individual subcategory settings.

The indicator features a circular icon located to the right side of the Category listing that reports the following.

Icon Description
This indicator icon is shaped like a full circle, colored orange, indicating a full editing capability. All options in this category have the edit capability (which by definition means that they also have read-only capability).
This indicator icon is shaped like a circle filled in three-quarters, colored orange, indicating a partial editing capability. Most category settings have the edit capability enabled, but edits are deactivated for at least one subcategory.
This indicator icon is shaped like a half circle, colored orange, indicating a read-only capability. All category settings have read-only enabled (edit deactivated).
This indicator icon is shaped like a circle filled in one-quarter, colored orange, indicating a partial editing capability. Most category settings are read-only, but edits are enabled for at least one subcategory.

Assign a Role or Edit the Role Loadout of an Admin

You can assign roles which expands the capabilities of an Admin in the Workspace ONE UEM console. You can also edit the existing role loadout, potentially limiting or expanding an admin’s capabilities.

If you edit a role loadout that is in use by an administrator, it does not take effect until the administrator logs out and then logs back in.

This screenshot shows the Accounts, Admin List View page with the kebab icon selected and the Edit button highlighted, showing the path to alter the the role loadout or assign a role to an admin.

  1. Navigate to Accounts > Administrators > List View, locate the admin account whose role loadout you want to change, and select the kebab icon (This UI element is called a kebab icon and it looks like a vertically oriented elipsis.) to the left of the admin account username and select Edit. The Add/Edit Admin page displays.
  2. Select the Roles tab and then choose from among the following, a, b, or a combination of both:

    a. If you want to add a new role to the admin account, select the Add Role button, then enter the Organization Group and Role details for each role that you add.

    b. If you want to delete an existing role from the admin account, select the role and click the Delete button.

  3. Select Save.

View the Resources of an Admin Role

You can view all the resources, or permissions, of any administrator role, including custom and default roles. This view can help you determine what an admin can, and cannot, do in the UEM console.

Roles are composed of hundreds of resources, also called permissions, which allow access (read only or edit) to a specific function within the UEM console.

The View Role and Edit Role screens are the same except that the Edit Role screen allows you to make and save changes with the Save button.

To view or edit the resources of an admin role, take the following steps.

  1. Navigate to Accounts > Administrators > Roles.
  2. Locate the admin role for which you want to see permissions. If you have a large library of admin roles, use the Search List bar in the upper-right corner to narrow the listing.
  3. Select from among the following choices, a or b:

    a. To view the role, select the name of the role, which is a link, and the View Role screen displays containing all the permissions associated with the role. When finished auditing administrator roles, select Close.

    This screenshot is the View Role screen, allowing you to only view role details.

    b. To edit the role, select the Edit icon (The edit icon is in the shape of a grey pencil.) to the left of the role name, and the Edit Role screen displays. Edit the role by adding or removing Read and Edit check marks. When finished editing the role, select Save.

    This screenshot is the Edit Role screen, allowing you to edit and view role details.

Some facts about the listing, whether you select View or Edit.

  • Role Categories display in the left panel. Select the ‘>’ indicator to expand the category and view role subcategories.
  • For more information about the orange-colored read/edit visual indicators seen on this screen, see the section on this page entitled Read/Edit Indicator in Categories for Admin Roles.
  • Select a specific category in the left panel and the category, name, and description of each resource displays on the right panel.
    • The Details link to the far right reveals each specific read-only and edit function within the UEM console.
  • You can use the Search Resources text box to locate a specific function by name. This search feature makes it easy to locate a specific tag-related function and assign it to a role.

    • For example, if you want to make an admin role that can only add a tag to a device, enter the word “tag” in the Search Resources text box and press the enter key. Every resource that contains the string “tag” in the Category or Name or Description or Description Details, appears in the right panel.

      Note: Keep in mind, “Staging” as in Staging Devices, also includes the “tag” string.

What to do next: You can apply these steps to making your own roles by visiting the section on this page entitled Create Administrator Role.

Compare Two Roles

When creating an administrator role, it is often easier to modify an existing role than it is to create one from scratch. The Compare Roles tool lets you compare the permissions settings of any two administrator roles for the sake of accuracy or to confirm your deliberate settings differences.

  1. Navigate to Accounts > Administrators > Roles.
  2. Locate any two listed roles, including roles that appear on different pages, and select those roles.
  3. Select Compare. The Compare Roles page displays featuring a list of categories. Selecting a specific category on the left populates all the details of that category on the right.

    The screenshot of the Compare Roles page shows Categories on the left and searchable resource descriptions on the right.

    • If you have fewer than two or more than two roles selected, the Compare button does not display.
    • Select the Details link to the far-right side to view role subcategories. Collapse the role subcategory by selecting the Hide link.
    • There is an All category in the left panel that, when selected, displays all the parent categories on the Compare Roles page. When you enter a search parameter in the Search Resources bar, the right panel only displays matching category and resources (also known as permissions) listings.
    • The search function is persistent. This persistence means that if you have a parameter in the Search Resources bar, selecting the All category displays only the matching categories and resources. The search function is persistent even after you select specific resources and make Read and Edit selections.
    • By default, only categories and subcategories whose settings are different display. You can display all the permissions including those settings that are identical across the two selected roles by enabling the Show All Permissions check box.
    • If you select two roles that have identical permissions across the board, the console displays this message at the top of the Compare Roles page.

    “There are no differences in permissions between the two roles.”

What to do next: You can optionally select Export to create an Excel-viewable XLSX or CSV file (comma-separated values). The export file contains all settings for Role 1 and Role 2, enabling you to analyze the differences between them.

User Roles

User roles in Workspace ONE UEM powered by AirWatch allow you to enable or deactivate specific actions that users can perform. These actions include controlling access to a device wipe, device query, and managing personal content. User Roles can also customize initial landing pages and restrict access to the Self-Service portal.

Creating multiple user roles is a time saving measure. You can make comprehensive configurations across different organization groups or change the user role for a specific user at any time.

Create a New User Role

In addition to the preset Basic Access and Full Access roles, you can create customized roles. Having multiple user roles available fosters flexibility and can potentially save time when assigning roles to new users.

This screenshot shows the Add/Edit screen for the Accounts, Users Roles page, which lets you create a user role.

  1. Navigate to Accounts > Users > Roles and select Add Role. The Add/Edit Role page displays.
  2. Enter a Name and Description, and select the Initial Landing Page of the SSP for users with this new role.

    For existing user roles, the default Initial Landing Page is the My Devices page.

  3. Select from a list of options the level of access and control end users of this assigned role have in the SSP.

    • Click Select None to clear all check boxes on the page.
    • Select all the check boxes on the page by selecting Select All.
  4. Save the changes to the role. The added user role now appears in the list on the Roles page.

What to do next: From the Roles page, you can view, edit, or delete roles.

Configure a Default Role

A default role is the baseline role from which all user roles are based. Configuring a default role enables you to set the permissions and privileges users automatically receive upon enrollment.

This screenshot shows the Enrollment Grouping Settings Page, which enables you to configure a default user role.

  1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Grouping tab.
  2. Configure a default level of access for end users in the Self-Service Portal (SSP) by selecting a Default Role.

    These role settings are customizable by organization group. Choose from the following.

    • Full Access - Grants users with access to higher SSP functions such as install/remove profiles and apps, reset passcodes, send device messages, and write-access to content.
    • Basic Access - Grants users with a low impact access. They can register their own device, view-only (but not install) profiles and apps, view their own account, and query and find their own device.
    • External Access - Users with External Access have all the abilities as basic access users but they also have read-only access to content on the SSP that is explicitly shared with them.
  3. Select Save.

Assign or Edit the Role of an Existing User

You can edit the role for a specific user, for example, to grant or restrict access to Workspace ONE UEM functions.

If you edit a role that is in use by a user, the edit does not take effect until the user logs out and then logs back in.

This screenshot shows the Add/Edit User page of the Accounts, Users, List view, which lets you assign and edit roles for existing users.

  1. Select the appropriate organization group.
  2. Navigate to Accounts > Users > List View.
  3. Search for the specific user that you want to edit from the list. Once you have identified the user, select the Edit icon under the check box. The Add/Edit User screen displays.
  4. In the General tab, scroll to the Enrollment section and select a User Role from this drop-down menu to change the role for this specific user.
  5. Select Save.

See Also: How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions.
You can make a custom role that allows a help desk admin to do only the things in Workspace ONE UEM powered by AirWatch that you allow them to do. Learn how accounts, roles, and programmable permissions all work together to get you where you need to go.

check-circle-line exclamation-circle-line close-line
Scroll to top icon