RBAC is a quick way to assign and approve roles and permissions in Workspace ONE Intelligence.
What is RBAC?
RBAC has pre-defined roles that you can assign to admins for access to the resources they use. Assign a single role or combine roles for those admins who require permissions to your entire environment.
Basic and Directory Accounts in Workspace ONE UEM
One of the systems Workspace ONE Intelligence can get user data from is Workspace ONE UEM. RBAC supports adding both basic users and directory-based users from Workspace ONE UEM as admins.
- Basic users are individual accounts that are not managed through an identity service. They require no enterprise infrastructure. These credentials exist only in Workspace ONE UEM and have no federated security.
- Directory-based users are managed in an identity service and are pulled into Workspace ONE UEM. These users access resources with their directory credentials and any changes made to their accounts sync with Workspace ONE UEM.
Azure Active Directory (AD) to Use Admin Groups
To use your Azure AD admin groups with RBAC, you must authorize Workspace ONE Intelligence to access your public Azure AD environment using Microsoft Graph APIs.
Workspace ONE Intelligence stores minimal information from Azure like the user's first and last name, their contact email, or their affiliated groups. The integration does not include a regular sync schedule or polling operation but rather validates information when the user accesses Workspace ONE Intelligence.
Existing Users and RBAC Super Admins
Current Workspace ONE Intelligence users with access before the introduction of RBAC are assigned all roles. An admin with all roles assigned is a super admin. RBAC does not have a single role for a super admin.
Set Up Process
To set up RBAC, configure several components in Settings > Administrators.
- Authorize Workspace ONE Intelligence to connect to your Azure AD system using the setup wizard.
- Add and edit admins.
Editing RBAC Permissions
When you modify RBAC permissions in Workspace ONE Intelligence, the system sends an Account Role Modified email to the RBAC user. The notification lists who changed the permissions, when they changed them, and which permissions changed.
Add Admins From Workspace ONE UEM
To add basic and directory-based admins managed in Workspace ONE UEM for Role-Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.
This process includes configurations in both Workspace ONE UEM and Workspace ONE Intelligence. You add or edit admins in Workspace ONE UEM and assign them an Intelligence Admin role. Then, grant permissions and configure RBAC accounts in Workspace ONE Intelligence.
If you do not assign the admins roles in Workspace ONE Intelligence, the new RBAC admins must log in to the Workspace ONE Intelligence console to request access using the Request Access notification process. The system sends you their request by email and the email is your prompt to grant permissions and configure RBAC accounts in Workspace ONE Intelligence.
- In the Workspace ONE UEM console, add a role for admins to access Workspace ONE Intelligence.
  - Select the organization group.
  - Go to Accounts > Administrators > Roles > Add Role.
  - Enter a name and a description so you can find the role in the list view, for example Intelligence Admin - Grants basic admins access to the WS1 Intelligence console.
  - In the Search Resources text box, enter Intelligence to display the Intelligence role. This role is in Categories > Monitor > Intelligence.
  - Give admins Read and Edit permissions. The Intelligence Admin role is now available to assign to admins in Workspace ONE UEM.
- In the Workspace ONE UEM console, add admins and assign them the Intelligence role.
  - Go to Accounts > Administrators > List View > Add > Add Admin.
  - On the Basic tab, for the User Type setting, select Basic or Directory.
    - Basic - Enter the required settings on the Basic tab, including user name, password, First Name, and Last Name. You can enable Two-Factor Authentication, selecting Email or SMS as the delivery method and the token expiration time in minutes. You can also select a Notification option of None, Email, or SMS. Admins receive an auto-generated response.
    - Directory - Enter the Domain and Username for the admin's directory credentials.
  - Select the Roles tab, select the Organization Group, and enter the role you previously added.
- This step is necessary only if you do not assign roles in Workspace ONE Intelligence. Have admins log in to Workspace ONE Intelligence and complete the Request Access process. When an admin selects the Request Access button on the Restricted Access page, the system sends an email notification to 10 admins who are active and have the Administrator role in the console to approve entry. If an admin who has already requested access selects Request Access again, the console notes their previous request but lets them send another.
- Check your email for Admin Access Request notifications. You can use the Manage Users button to navigate to the Workspace ONE Intelligence console.
- In Workspace ONE Intelligence, grant access and configure admin permissions.
  - Go to Settings > Administrators > Admin, select the admin from the list, and select Edit.
  - Select the applicable permissions and save the admin account. Workspace ONE UEM admins can now access Workspace ONE Intelligence.
Add Admins and Admin Groups From Azure AD
To add admins and admin groups from Azure Active Directory (AD) for Role-Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.
You must authorize Workspace ONE Intelligence to connect with your Azure AD environment.
- In the Workspace ONE Intelligence console, go to Settings > Administrators > Admin and select Add. To add Azure AD groups, select the Admin Groups tab. The Add menu item does not display unless you have configured the integration with Azure AD.
- On the Add Admin page, enter the name of the admin in the User text box and select the name from the list. If you are adding Azure AD admin groups, the system navigates to the Add Admin Group page. Enter the name of the admin group in the Group text box.
- Select the applicable permissions and save the admin account. The added admin displays as Unknown (Not logged in) because the system does not pull this data from Azure. The display updates after the admin logs in to Workspace ONE Intelligence.
- Have admins log in to Workspace ONE Intelligence. This login step resolves the admin's user name from Unknown (Not logged in) to the configured user name.
RBAC Role Descriptions
Role-Based Access Control (RBAC) includes the administrator titles of Analyst, Auditor, Administrator, and Automator. Each role has specific permissions to offer quick assignment with appropriate access to Workspace ONE Intelligence features.
To create a super admin, assign all roles to the admin account. Workspace ONE Intelligence does not have a separate, single role for the super admin.
RBAC Admin Descriptions
- Administrator - The administrator can create identity and access management, admins, and integrations.
  - Insights permission - Read
  - Settings permissions - Create, update, and delete
- Analyst - An analyst can create, work in, and delete their own objects and can work in other admins' objects depending on their permissions. They cannot work in Settings or Automations.
  - Insights permission - Read
  - Dashboards permissions - Create, update, and delete
  - Reporting permissions - Create, update, and delete
- Auditor - The auditor can see what other admins are creating for auditing purposes. They have read access to everything, including objects created after the role is assigned. If an auditor also needs to edit objects, add one of the other roles to the account.
  - Insights permission - Read
  - Dashboards permission - Read
  - Reporting permission - Read
  - Automations permission - Read
  - Settings permission - Read
- Automator - The automator can create, work in, and delete automations. They can also configure the integrations in Settings that automations use. Restricting other admins from creating automations helps control the large impact automations have on endpoints. It also reduces the creation of automations that overlap or conflict.
  - Insights permission - Read
  - Automations permissions - Create, update, and delete
  - Integrations permissions - Create, update, and delete
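The additive role model described in these role descriptions, and the super-admin definition under Existing Users and RBAC Super Admins, can be made concrete with a small evaluator. The following is an added example and is not VMware code or a product API: the ROLES matrix is transcribed from the role descriptions on this page, while the union-of-roles composition, the least_privilege_roles search, and the super_admins audit helper are assumptions about how to reason over such assignments offline (for example, when reviewing who ended up with every role after the RBAC rollout).

```python
"""Effective-permission evaluator for the four Workspace ONE Intelligence RBAC roles.

Added example, not VMware code. ROLES is transcribed from the role
descriptions on this page; everything else (additive composition, the
least-privilege search, the super-admin audit) is an assumption.
"""
from __future__ import annotations

from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (feature area, action)

READ, CREATE, UPDATE, DELETE = "read", "create", "update", "delete"
CRUD = (CREATE, UPDATE, DELETE)


def _perms(area: str, actions: Iterable[str]) -> Set[Permission]:
    return {(area, action) for action in actions}


# Transcribed literally from "RBAC Admin Descriptions": an area is listed
# only with the actions the page names for it (e.g. Analyst lists
# Dashboards Create/Update/Delete but not Read).
ROLES: Dict[str, FrozenSet[Permission]] = {
    "Administrator": frozenset(
        _perms("Insights", [READ]) | _perms("Settings", CRUD)
    ),
    "Analyst": frozenset(
        _perms("Insights", [READ])
        | _perms("Dashboards", CRUD)
        | _perms("Reporting", CRUD)
    ),
    "Auditor": frozenset(
        _perms("Insights", [READ])
        | _perms("Dashboards", [READ])
        | _perms("Reporting", [READ])
        | _perms("Automations", [READ])
        | _perms("Settings", [READ])
    ),
    "Automator": frozenset(
        _perms("Insights", [READ])
        | _perms("Automations", CRUD)
        | _perms("Integrations", CRUD)
    ),
}

# Every permission any role can grant; holding all four roles yields exactly this.
ALL_PERMISSIONS: FrozenSet[Permission] = frozenset().union(*ROLES.values())


def effective_permissions(roles: Iterable[str]) -> FrozenSet[Permission]:
    """Roles are additive: the effective set is the union of each role's grants."""
    granted: Set[Permission] = set()
    for role in roles:
        if role not in ROLES:
            raise ValueError(f"unknown RBAC role: {role!r}")
        granted |= ROLES[role]
    return frozenset(granted)


def is_allowed(roles: Iterable[str], area: str, action: str) -> bool:
    """Authorization check: does this role assignment grant (area, action)?"""
    return (area, action) in effective_permissions(roles)


def is_super_admin(roles: Iterable[str]) -> bool:
    """The page defines a super admin as an admin holding all roles (no single super-admin role exists)."""
    return set(roles) == set(ROLES)


def least_privilege_roles(needed: Iterable[Permission]) -> Tuple[str, ...]:
    """Smallest role combination covering the needed permissions (exhaustive over the 2^4 subsets)."""
    need = frozenset(needed)
    unknown = need - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"no role grants: {sorted(unknown)}")
    names = sorted(ROLES)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if need <= effective_permissions(combo):
                return combo
    raise AssertionError("unreachable: all roles together cover every known permission")


def super_admins(assignments: Dict[str, Iterable[str]]) -> List[str]:
    """Audit helper: admins holding every role (e.g. accounts grandfathered in before RBAC)."""
    return sorted(name for name, roles in assignments.items() if is_super_admin(roles))


if __name__ == "__main__":
    # Constructed sample assignments, not real accounts.
    sample = {
        "legacy.admin": ["Administrator", "Analyst", "Auditor", "Automator"],
        "dash.builder": ["Analyst"],
        "compliance": ["Auditor"],
    }
    print("super admins to review:", super_admins(sample))
    print("Auditor may edit dashboards:", is_allowed(["Auditor"], "Dashboards", UPDATE))
    print("roles for Settings read + Dashboards update:",
          least_privilege_roles([("Settings", READ), ("Dashboards", UPDATE)]))
```

Because the matrix is transcribed literally, an Analyst has no explicit Dashboards Read entry; if the console grants Read implicitly alongside Create, Update, and Delete, add that row before relying on least_privilege_roles for real assignments. The super_admins helper is the check to run after the RBAC rollout, since every pre-existing user was assigned all roles.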