Accounts Management

The Accounts Management features in VMware Workspace ONE Intelligence include Roles Based Access Control (RBAC) for Administrators, Data Access Policies, setting up Microsoft Azure Active Directory, and managing the System Limits allocated to admins. Find these features in the console in the Accounts area.

What is RBAC?

Roles Based Access Control (RBAC) has pre-defined roles that you can assign to admins for access to the resources they use. Assign a single role or combine roles for those admins who require permissions to your entire environment.

Basic and directory accounts in Workspace ONE UEM

One of the systems Workspace ONE Intelligence can get user data from is Workspace ONE UEM. RBAC supports adding both basic users and directory-based users from Workspace ONE UEM as admins.

  • Basic users are individual accounts that are not managed through an identity service. They require no enterprise infrastructure. These credentials exist only in Workspace ONE UEM and have no federated security.
  • Directory-based users are managed in an identity service and are pulled into Workspace ONE UEM. These users access resources with their directory credentials and any changes made to their accounts sync with Workspace ONE UEM.

Azure Active Directory (AD) to use admin groups

To use your Azure AD admin groups with RBAC, you must authorize Workspace ONE Intelligence to access your public Azure AD environment using Microsoft Graph APIs.

Workspace ONE Intelligence stores minimal information from Azure like the user’s first and last name, their contact email, or their affiliated groups. The integration does not include a regular sync schedule or polling operation but rather validates information when the user accesses Workspace ONE Intelligence.

Existing users and RBAC super admins

Current Workspace ONE Intelligence users with access before the introduction of RBAC are assigned all roles. An admin with all roles assigned is a super admin. RBAC does not have a single role for a super admin.

Set up process

To set up RBAC, configure several components in Accounts > Administrators.

  • Authorize Workspace ONE Intelligence to connect to your Azure AD system using the setup wizard.
  • Add and edit admins.

Editing RBAC permissions

When you modify RBAC permissions in Workspace ONE Intelligence, the system sends an Account Role Modified email to the RBAC user. The notification lists who changed the permissions and which permissions changed.

Transferring ownership of dashboards and reports

You can share dashboards and reports with other Workspace ONE Intelligence users. The owner of the object (dashboard or report) has full access, while the users the object is shared with are designated with Can View (read only) or Can Edit (read and write) access. As an extension of the sharing functionality, admins who have the Administrator role can also transfer the ownership of dashboards and reports. This feature is helpful after admins leave your organization, because their Workspace ONE Intelligence objects no longer have an active admin to manage them. To assign these objects to an active admin, admins can find unowned objects and reassign them.

Add admins from Workspace ONE UEM

To add basic and directory-based admins managed in Workspace ONE UEM for Roles Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.

This process includes configurations in Workspace ONE UEM. You add or edit admins in Workspace ONE UEM and assign them an Intelligence Admin role. You manage admin roles and permissions in VMware Cloud services.

New RBAC admins must log in to the Workspace ONE Intelligence console to request access using the Request Access notification process. The system sends you their request by email and the email is your prompt to grant permissions and configure RBAC accounts in Workspace ONE Intelligence.

Note: You edit admin roles and permissions for Workspace ONE Intelligence through VMware Cloud services. For details, see Identity & Access Management.

Procedure

  1. In the Workspace ONE UEM console, add a role for admins to access Workspace ONE Intelligence.
    1. Select the organization group.
    2. Go to Accounts > Administrators > Roles > Add Role.
    3. Enter a name and a description so you can find the role in the list view. For example, name the role Intelligence Admin with the description "Grants basic admins access to the WS1 Intelligence console".
    4. In the Search Resources text box, enter Intelligence to display the Intelligence role. This role is in Categories > Monitor > Intelligence.
    5. Give admins Read and Edit permissions. The Intelligence Admin role is now available to assign to admins in Workspace ONE UEM.
  2. In the Workspace ONE UEM console, add admins and assign them the Intelligence role.
    • Go to Accounts > Administrators > List View > Add > Add Admin.
    • Select the Basic tab and, for the User Type setting, select Basic or Directory.
      • Basic - Enter required settings on the Basic tab, including user name, password, First Name, and Last Name. You can enable Two-Factor Authentication where you select between Email and SMS as a delivery method and the token expiration time in minutes. You can also select a Notification option, selecting between None, Email, and SMS. Admins receive an auto-generated response.
      • Directory - Enter the Domain and Username for the admin’s directory credentials.
    • Select the Roles tab, select the Organization Group, and enter the role you previously added, Intelligence Admin.
  3. Have admins log in to Workspace ONE Intelligence and complete the Request Access process. By selecting the Request Access button on the Restricted Access page, the system sends an email notification to 10 admins who are active and have the Administrator role in the console to approve entry. If users have already requested access and select Request Access, the console prompts them about their previous request but lets them send another.
  4. Check your email for Admin Access Request notifications.

Add admins and admin groups from Azure AD

To add admins and admin groups from Azure Active Directory (AD) for Roles Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.

Prerequisites

You must authorize Workspace ONE Intelligence to connect with your Azure AD environment.

Procedure

  1. In Workspace ONE Intelligence, go to Accounts > Administrators. The Add menu item does not display unless you have configured the integration with Azure AD.
  2. On the Add Admin page, enter the name of the admin in the User text box and select the name from the list. If you are adding Azure AD admin groups, the system navigates to the Add Admin Group page. Enter the name of the admin group in the Group text box.
  3. Select the applicable permissions and save the admin account. The added admin displays as Unknown (Not logged in) because the system is not pulling this data from Azure. This display is resolved with the admin logging in to Workspace ONE Intelligence.
  4. Have admins log in to Workspace ONE Intelligence. This login step resolves the admin’s user name from Unknown (Not logged in) to the configured user name.

RBAC role descriptions

Roles Based Access Control (RBAC) includes the administrator titles of Analyst, Auditor, Administrator, and Automator. Each role has specific permissions, so you can quickly assign appropriate access to Workspace ONE Intelligence features.

To create a super admin, assign all roles to the admin account. Workspace ONE Intelligence does not have a separate, single role for the super admin.

  • Administrator - The administrator can create identity and access management, admins, and integrations.
    • Insights permission - Read
    • Settings permissions - Create, update, and delete
  • Analyst - An analyst can create, work, and delete their own objects and can work in other objects depending on their permissions. They cannot work in settings or workflows.
    • Insights permission - Read
    • Dashboards permissions - Create, update, and delete
    • Reporting permissions - Create, update, and delete
  • Auditor - The auditor can see what other admins are creating for auditing purposes. They have read access to everything, including objects that are created later. If you have an auditor who also edits objects, add one of the other roles to the account.
    • Insights permission - Read
    • Dashboards permission - Read
    • Reporting permission - Read
    • Workflows permission - Read
    • Settings permission - Read
  • Automator - The automator can create, work in, and delete automations. They can also configure integrations in Settings that are used in automations. Restricting other admins from creating automations helps control the large impact automations have on endpoints. It also reduces the creation of automations that overlap or conflict.
    • Insights permission - Read
    • Workflows permissions - Create, update, and delete
    • Integrations permissions - Create, update, and delete

What are Data Access Policies?

Data Access Policies (DAP) in Workspace ONE Intelligence control what data your users, specifically Analysts, see in dashboards and reports. To control access, Workspace ONE Intelligence uses organization groups configured in VMware Workspace ONE UEM. If there is data in an organization group you don’t want Analysts to see, use DAP to restrict them from that group by giving them access to a group below the desired organization group.

Where are Data Access Policies?

Find Data Access Policies in the console at Accounts > Data Access Policy.

DAP and scheduled reports

When your Intelligence environment uses DAP and you have reports that run on schedules, the report downloading mechanism adds certain steps to accommodate DAP. Consider this behavior for reports that run on schedules because the user won’t receive this report until they manually generate it.

  • If a report runs on a schedule and you have activated DAP in Intelligence, all users, no matter their RBAC permissions, must generate scheduled reports before they can download them. You can generate reports in the console.
    1. In Workspace ONE Intelligence, go to Workspace > Reports.
    2. Select the desired report and choose the Downloads tab.
    3. Find the desired date/time of the report, and select Generate in the Action column. Notice that this date/time version of the report has a Pending Completion in the Status column. The status changes to Completed after the generating action completes.
    4. After the report generates, select Download in the Action column for the desired date/time version of the report.
  • When you share a report that runs on a schedule and you have activated DAP in Intelligence, the ones you shared the report with must generate the report before they can download it.
    • After you configure sharing, the system sends an email to those with whom you’ve shared the report. The email has a link to download the report. However, when DAP is activated, users receive two emails.
      • The first email asks users to Generate the report. Users must generate the report in the console before they can download it.
      • The second email offers users to Download the report.
    • If users that you share the report with are Analysts, these users, like other users, must generate the report before they can download it. When they download the report, they can view only the Workspace ONE UEM data allowed by DAP settings.

DAP, scheduled reports, and the Download Report API

Intelligence environments that use DAP and use the Download Report API to pull scheduled report downloads must meet the listed requirements. Matching the listed requirements ensures that your Download Report API call runs successfully. These requirements are not necessary if reports do not run on schedules.

  • Share the report with the service account that you use to run API calls. See Use APIs for Intelligence Reports with Service Accounts for the steps on configuring service accounts.
  • If the service account has only the Analyst permission, ensure that you assign a DAP to the service account.

DAP and the Report Public Link Sharing feature

Intelligence environments that use DAP require you to generate the publicly shared report in the console before users can use the public link to download it. If you do not manually generate the report, the public link displays as N/A and not as Download.

  1. In Workspace ONE Intelligence, go to Workspace > Reports and open the report for which you want to share a public link.
  2. On the Overview tab, select Share.
  3. Activate the Public Link Sharing menu item and save the setting. This setting produces a link you can give to people outside your organization so they can access the report.
  4. Select the Downloads tab of the report.
  5. Find the desired date/time of the report, and select Generate in the Action column.

After the generate action completes, the public link displays as Download and not N/A.

Other DAP considerations

  • Only for analysts - Users you want to assign to Data Access Policies must have the RBAC Analyst permission and only that permission. These users cannot have other RBAC permissions.
  • Activation is immediate - After you activate your first Data Access Policy, users that have only Analyst permissions and who are not assigned to Data Access Policies cannot see Workspace ONE UEM data in Workspace ONE Intelligence. To ensure your Analysts continue to view data, assign them to a policy.
  • Control access by organization group or allow all access
    • You can restrict an Analyst user’s access to Workspace ONE UEM data by assigning them to a restrictive Data Access Policy. Workspace ONE Intelligence controls data by using Workspace ONE UEM organization groups. To restrict an Analyst user’s data set, assign them to the Data Access Policy configured with the applicable organization group. For details on organization groups in Workspace ONE UEM, access the topic Organization Groups.
    • If you do not want to restrict an Analyst user’s access to Workspace ONE UEM data, assign them to the Data Access Policy configured to allow all access.
  • Assign to a single policy - To avoid accidentally restricting or allowing access to data, assign an Analyst user to a single policy. Do not assign an Analyst user to multiple Data Access Policies.
  • Sharing objects and object previews - Data Access Policies apply to queries in objects and when you share objects, you share these queries.
    • Consider this behavior when you share objects.
    • You might share an object with a user who is assigned a Data Access Policy that restricts them from seeing all the data in a dashboard or report preview.
    • This behavior applies to previews, not to the data the user can actually access when the object is generated.
  • Data Access Policies require integration with Workspace ONE UEM - You use the Workspace ONE UEM organization group hierarchy to configure Data Access Policies and to control data access.
  • Limited set of UEM data - Data Access Policies apply to a limited set of data and do not apply to all data sets in Workspace ONE UEM.
  • Dashboards and Reports - Data Access Policies control data displayed in Dashboards and in Reports.
  • RBAC Administrators create and manage - You must have RBAC Administrator permissions to create and assign Data Access Policies.

How do you create your first Data Access Policy?

To get started with Data Access Policies, use the Accounts area.

  1. In Workspace ONE Intelligence, go to Accounts > Data Access Policy > Add. You must add at least one policy to begin using the feature.
  2. In the Add Data Access Policy window select a Data Category.
    • All Access: Users assigned this policy can see all Workspace ONE UEM data.
    • Workspace ONE UEM Organization Groups: Users assigned this policy can see data managed in Workspace ONE UEM at the selected organization group level.
    • Select the group in the Organization Group Hierarchy menu item.
  3. Select users in the Users area. These users must have only the Analyst role so they can see the applicable data displayed in Dashboards and Reports.
  4. View the Summary and save your policy. Workspace ONE Intelligence lists the policy in the Data Access Policy list view.
  5. Activate the policy when you are ready to control data access to assigned users.

How do you assign policies to unassigned analysts?

To ensure that your admins have continued access to data, you can filter users on the Administrators page by the Active Users filter and assign every admin with only Analyst permissions to a Data Access Policy.

  1. In Workspace ONE Intelligence, go to Accounts > Administrators.
  2. Select the Active Users filter.
  3. Look for admins that have only the Analyst role and have no policy listed in the Data Access Policy column.
  4. Select the user and select Edit.
  5. Select Assign Data Access Policy.
  6. Select the Data Access Policy you want to assign to the Analyst and click Add.

Microsoft Azure Active Directory setup

To use Azure Active Directory (AD) groups in the roles based access control (RBAC) feature, authorize Workspace ONE Intelligence to connect with your Azure AD environment.

Workspace ONE Intelligence uses the Microsoft Graph API to communicate with your Azure environment.

Prerequisites

You must have the permissions to configure a public Azure AD account. Use your Azure AD admin account credentials for registration. If you do not have admin permissions to set up Azure AD, have an Azure AD admin register your environment with Workspace ONE Intelligence.

Procedure

  1. In Workspace ONE Intelligence, go to Accounts > Administrators > Set up Azure Active Directory > Get started.
  2. Select Set Up on the Microsoft Azure Active Directory card.
    The system directs you to your organization’s Microsoft area. If you have Azure AD admin permissions, the system prompts you to enter your Azure AD credentials.
  3. Select Accept in the Microsoft window to give Workspace ONE Intelligence permissions to access data in Azure. If the system accepts the permissions, the Microsoft Azure Active Directory integration displays as Status: Authorized.
    • Give permission to sign in and read user profiles in Azure.
    • Give permission to read all groups in Azure.
    • Give permission to read the full profiles of all users in Azure.

Results

When you add an admin or group in Workspace ONE Intelligence, you can select from users and groups in your Azure Active Directory environment.

System Limits

Workspace ONE Intelligence limits the number of objects admins can create. To know if your environment is close to reaching these limits, use the System Limits page. This page offers visibility into how many objects admins have created in your environment, and it is where you can change the set limits if needed.

Navigation

Find System Limits in the console at Accounts > System Limits.

What’s displayed on the page?

The System Limits page displays metrics for the highest organization group in your environment, the customer tenant level, and it displays metrics for individual users throughout the other tenant levels in your deployment. Find metrics for created objects that include the following items.

  • Custom dashboards (data visualization objects)
  • Custom reports (reporting objects)
  • Custom automations (action-oriented objects)


The cards at the top of the UI report the total values from across all your organization groups (all your tenant levels).

  • Automations - This card displays data for only Active automations, and it does not include automations that are created and not active.
  • Custom Reports - This card displays the number of all created and saved reports.
  • Custom Dashboards - This card displays the number of all created and saved dashboards.

Was an object popular and shared with other admins?

The Automations, Custom Reports, and Custom Dashboards tabs below the customer tenant level cards list user-specific data. These tabs list all admins and their corresponding counts of created automations, custom reports, and custom dashboards. Use the tabs to see if an object was shared and with whom. Knowing if an object was shared suggests it was popular. Use this data to decide to keep a popular object or delete an unpopular one to make room for other objects.

RBAC permissions dictate available actions

Super admins, administrators, and moderators can see the System Limits page, but only super admins can take action on this page.

Super admins (admins with all RBAC permissions) can see and set limits at the customer tenant level. They have this visibility so they can monitor data access, process requests for limit increases, and change limit values. On the System Limits page, super admins can take various actions to manage the deployment.

  • Super admins can monitor and control which admins can create objects.
  • They can use the Set Default User Limits feature at the tenant level for all admins. This menu option gives super admins the ability to allocate an even number of objects to every admin or region of admins if needed.
  • They can process requests for increases in the limits for any object.
  • They can view individual admin objects.
    • Search for users that left the company to see how many created objects they had.
    • Transfer ownership of those objects or delete them to allow allocation of those unused objects to other admins.
  • They can filter the entire admin list using the Deactivated Users filter to see what outstanding objects need a transfer of ownership.
