The User Management features in VMware Workspace ONE Intelligence include Roles Based Access Control (RBAC), Data Access Policies, and setting up Microsoft Azure Active Directory.
What is RBAC?
Roles Based Access Control (RBAC) has pre-defined roles that you can assign to admins for access to the resources they use. Assign a single role or combine roles for those admins who require permissions to your entire environment.
Basic and directory accounts in Workspace ONE UEM
One of the systems Workspace ONE Intelligence can get user data from is Workspace ONE UEM. RBAC supports adding admins from Workspace ONE UEM from both the basic users and the directory-based users.
- Basic users are individual accounts that are not managed through an identity service. They require no enterprise infrastructure. These credentials exist only in Workspace ONE UEM and have no federated security.
- Directory-based users are managed in an identity service and are pulled into Workspace ONE UEM. These users access resources with their directory credentials and any changes made to their accounts sync with Workspace ONE UEM.
Azure Active Directory (AD) to use admin groups
To use your Azure AD admin groups with RBAC, you must authorize Workspace ONE Intelligence to access your public Azure AD environment using Microsoft Graph APIs.
Workspace ONE Intelligence stores minimal information from Azure like the user's first and last name, their contact email, or their affiliated groups. The integration does not include a regular sync schedule or polling operation but rather validates information when the user accesses Workspace ONE Intelligence.
Existing users and RBAC super admins
Current Workspace ONE Intelligence users with access before the introduction of RBAC are assigned all roles. An admin with all roles assigned is a super admin. RBAC does not have a single role for a super admin.
Set up process
To set up RBAC, configure several components in Settings > Administrators.
- Authorize Workspace ONE Intelligence to connect to your Azure AD system using the setup wizard.
- Add and edit admins.
Editing RBAC permissions
When you modify RBAC permissions in Workspace ONE Intelligence, the system sends an Account Role Modified email to the RBAC user. The notification lists who changed the permissions and which permissions changed.
Transferring ownership of dashboards and reports
You can share My Dashboards and Reports with other Workspace ONE Intelligence users. The owner of the object (dashboard or report) is designated with full access, while the users who share the object are designated with Can View (read only) or Can Edit access (read and write). As an extension of the sharing functionality, admins who have the Administrator role can also transfer the ownership of dashboards and reports. This feature is helpful after admins leave your organization because their Workspace ONE Intelligence objects no longer have an active admin to manage them. To assign these objects to an active admin, admins can find unowned objects and reassign them.
Add admins from Workspace ONE UEM
To add basic and directory-based admins managed in Workspace ONE UEM for Roles Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.
This process includes configurations in both Workspace ONE UEM and Workspace ONE Intelligence. You add or edit admins in Workspace ONE UEM and assign them an Intelligence Admin role. Then, grant permissions and configure RBAC accounts in Workspace ONE Intelligence.
If you do not assign the admins roles in Workspace ONE Intelligence, the new RBAC admins must log in to the Workspace ONE Intelligence console to request access using the Request Access notification process. The system sends you their request by email and the email is your prompt to grant permissions and configure RBAC accounts in Workspace ONE Intelligence.
- In the Workspace ONE UEM console, add a role for admins to access Workspace ONE Intelligence.
  - Select the organization group.
  - Go to Accounts > Administrators > Roles > Add Role.
  - Enter a name and a description so you can find the role in the list view. For example, name the role Intelligence Admin with the description Grants basic admins access to the WS1 Intelligence console.
  - In the Search Resources text box, enter Intelligence to display the Intelligence role. This role is in Categories > Monitor > Intelligence.
  - Give admins Read and Edit permissions. The Intelligence Admin role is now available to assign to admins in Workspace ONE UEM.
- In the Workspace ONE UEM console, add admins and assign them the Intelligence role.
  - Go to Accounts > Administrators > List View > Add > Add Admin.
  - Select the Basic tab and, for the User Type setting, select Basic or Directory.
    - Basic - Enter the required settings on the Basic tab, including user name, password, First Name, and Last Name. You can enable Two-Factor Authentication, selecting Email or SMS as the delivery method and the token expiration time in minutes. You can also select a Notification option: None, Email, or SMS. Admins receive an auto-generated response.
    - Directory - Enter the Domain and Username for the admin's directory credentials.
  - Select the Roles tab, select the Organization Group, and enter the role you previously added.
- This step is necessary if you do not assign roles in Workspace ONE Intelligence. Have admins log in to Workspace ONE Intelligence and complete the Request Access process. When they select the Request Access button on the Restricted Access page, the system sends an email notification to 10 admins who are active and have the Administrator role in the console, asking them to approve entry. If users have already requested access and select Request Access again, the console prompts them about their previous request but lets them send another.
  - Check your email for Admin Access Request notifications. You can use the Manage Users button to navigate to the Workspace ONE Intelligence console.
- In Workspace ONE Intelligence, grant access and configure admin permissions.
  - Go to Settings > Administrators > Admin, select the admin from the list, and select Edit.
  - Select the applicable permissions and save the admin account. Workspace ONE UEM admins can now access Workspace ONE Intelligence.
Add admins and admin groups from Azure AD
To add admins and admin groups from Azure Active Directory (AD) for Roles Based Access Control (RBAC) in Workspace ONE Intelligence, configure settings to allow admins to access Workspace ONE Intelligence from Workspace ONE UEM.
You must authorize Workspace ONE Intelligence to connect with your Azure AD environment.
- In the Workspace ONE Intelligence console, go to Settings > Administrators > Admin and select Add. To add Azure AD groups, select the Admin Groups tab. The Add menu item does not display unless you have configured the integration with Azure AD.
- On the Add Admin page, enter the name of the admin in the User text box and select the name from the list. If you are adding Azure AD admin groups, the system navigates to the Add Admin Group page. Enter the name of the admin group in the Group text box.
- Select the applicable permissions and save the admin account. The added admin displays as Unknown (Not logged in) because the system does not pull this data from Azure. The display resolves when the admin logs in to Workspace ONE Intelligence.
- Have admins log in to Workspace ONE Intelligence. This login step resolves the admin's user name from Unknown (Not logged in) to the configured user name.
RBAC role descriptions
Roles based access control (RBAC) includes the administrator titles of Analyst, Auditor, Administrator, and Automator. Each role has specific permissions to offer quick assignment with appropriate access to Workspace ONE Intelligence features.
To create a super admin, assign all roles to the admin account. Workspace ONE Intelligence does not have a separate, single role for the super admin.
RBAC admin descriptions
- Administrator - The administrator can create identity and access management configurations, admins, and integrations.
  - Insights permission - Read
  - Settings permissions - Create, update, and delete
- Analyst - An analyst can create, work in, and delete their own objects and can work in other admins' objects depending on their permissions. They cannot work in Settings or Automations.
  - Insights permission - Read
  - Dashboards permissions - Create, update, and delete
  - Reporting permissions - Create, update, and delete
- Auditor - The auditor can see what other admins are creating, for auditing purposes. They have read access to everything, including everything that gets created. If you have an auditor who also edits objects, add one of the other roles to the account.
  - Insights permission - Read
  - Dashboards permission - Read
  - Reporting permission - Read
  - Automations permission - Read
  - Settings permission - Read
- Automator - The automator can create, work in, and delete automations. They can also configure the integrations in Settings that are used in automations. Restricting other admins from creating automations helps control the large impact automations have on endpoints. It also reduces the creation of automations that overlap or conflict.
  - Insights permission - Read
  - Automations permissions - Create, update, and delete
  - Integrations permissions - Create, update, and delete
What are Data Access Policies?
Data Access Policies in Workspace ONE Intelligence control what data your users, specifically Analysts, see in Dashboards and Reports. To control access, Workspace ONE Intelligence uses organization groups configured in VMware Workspace ONE UEM.
Control access by organization group or allow all access
You can restrict a user's access to Workspace ONE UEM data by assigning them to a restrictive Data Access Policy. Workspace ONE Intelligence controls data by using Workspace ONE UEM organization groups. To restrict a user's data set, assign them to the Data Access Policy configured with the applicable organization group. For details on organization groups in Workspace ONE UEM, access the topic Organization Groups.
If you do not want to restrict a user's access to data, assign them to the Data Access Policy configured to allow all access.
After you activate your first Data Access Policy, users that have only Analyst permissions and who are not assigned to Data Access Policies cannot see Workspace ONE UEM data in Workspace ONE Intelligence. To ensure your Analysts continue to view data, assign them to a policy.
Only for analysts
Users you want to assign to Data Access Policies must have the RBAC Analyst permission and only that permission. These users cannot have other RBAC permissions.
Assign to a single policy
To avoid accidentally restricting or allowing access to data, assign a user to a single policy. Do not assign a user to multiple Data Access Policies.
Sharing objects and object previews
Data Access Policies apply to the queries in objects, and when you share objects, you share those queries. Consider this behavior when you share objects. You might share an object with a user who is assigned a Data Access Policy that restricts them from seeing all the data in a dashboard or report preview. This behavior applies to previews, not to the data the user can actually access when the object is generated.
- Data Access Policies require integration with Workspace ONE UEM. You use the Workspace ONE UEM organization group hierarchy to configure Data Access Policies and to control data access.
- Data Access Policies apply to a limited set of data and do not apply to all data sets in Workspace ONE UEM.
- Data Access Policies control data displayed in Dashboards and in Reports.
- You must have RBAC Administrator permissions to create and assign Data Access Policies.
Navigation to Data Access Policies
After you create and activate your first policies, you can edit or add more Data Access Policies in the console at Settings > Data Access Policy.
How do you create your first Data Access Policy?
To get started with Data Access Policies, go to the Getting Started area of Workspace ONE Intelligence.
- Find a card for the feature in Getting Started > User Management > Restrict access to data.
- Select the Restrict access to data card. You must add at least one policy to begin using the feature.
- Select Add.
- In the Add Data Access Policy window, select a Data Category.
  - All Access: Users assigned this policy can see all Workspace ONE UEM data.
  - Workspace ONE UEM Organization Groups: Users assigned this policy can see data managed in Workspace ONE UEM at the selected organization group level. Select the group in the Organization Group Hierarchy menu item.
- Select users in the Assign Users area. These users must have only the Analyst role so they can see the applicable data displayed in Dashboards and Reports.
- View the Summary and save your policy. Workspace ONE Intelligence lists the policy in the Data Access Policy list view.
- Select Activate when you are ready to control data access to assigned users.
How do you assign policies to unassigned analysts?
To ensure that your admins have continued access to data, you can filter users on the Administrators page by the Active Users filter and assign every admin with only Analyst permissions to a Data Access Policy.
- In Workspace ONE Intelligence, go to Settings > Administrators.
- Select the Active Users filter.
- Look for admins that have only the Analyst role and have no policy listed in the Data Access Policy column.
- Select the user and select Edit.
- Select Assign Data Access Policy.
- Select the Data Access Policy you want to assign to the Analyst and click Add.
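The following is an added illustrative model of the RBAC role matrix from RBAC role descriptions and of the Data Access Policy rules above (Analyst-only assignment, one policy per user, and Analyst-only admins with no policy losing Workspace ONE UEM data once a policy is active). It is not Workspace ONE Intelligence code; the permission table is transcribed from this page, while the function names and the sample admin records are constructed assumptions.

```python
# Illustrative model of the RBAC roles and Data Access Policy (DAP) rules
# described on this page. Not Workspace ONE Intelligence code: the
# role/permission table is transcribed from the page; helper names and the
# sample admin records are constructed assumptions.
from typing import Dict, FrozenSet, List

READ = frozenset({"read"})
CUD = frozenset({"create", "update", "delete"})

# Role -> {area: permissions}, transcribed from "RBAC admin descriptions".
ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Administrator": {"Insights": READ, "Settings": CUD},
    "Analyst": {"Insights": READ, "Dashboards": CUD, "Reporting": CUD},
    "Auditor": {a: READ for a in
                ("Insights", "Dashboards", "Reporting", "Automations", "Settings")},
    "Automator": {"Insights": READ, "Automations": CUD, "Integrations": CUD},
}

def effective_permissions(roles) -> Dict[str, FrozenSet[str]]:
    """Combined roles are additive: union the permissions of every role held."""
    merged: Dict[str, set] = {}
    for role in roles:
        for area, perms in ROLE_PERMISSIONS[role].items():
            merged.setdefault(area, set()).update(perms)
    return {area: frozenset(p) for area, p in merged.items()}

def is_super_admin(roles) -> bool:
    """No single super-admin role exists; it means holding every role."""
    return set(roles) == set(ROLE_PERMISSIONS)

def dap_assignment_problems(admin: dict) -> List[str]:
    """Check one admin record against the DAP rules: Analyst-only, one policy."""
    roles, policies = set(admin["roles"]), admin["policies"]
    problems = []
    if policies and roles != {"Analyst"}:
        problems.append("policy assigned to a user who is not Analyst-only")
    if len(policies) > 1:
        problems.append("user assigned to more than one policy")
    return problems

def unassigned_analysts(admins, policies_active: bool) -> List[str]:
    """Analyst-only admins with no policy lose UEM data once any policy is active."""
    if not policies_active:
        return []
    return [a["name"] for a in admins
            if set(a["roles"]) == {"Analyst"} and not a["policies"]]

# Constructed sample admin records (not real accounts or policies).
SAMPLE_ADMINS = [
    {"name": "ana", "roles": ["Analyst"], "policies": ["OG-Sales"]},
    {"name": "ben", "roles": ["Analyst"], "policies": []},
    {"name": "cho", "roles": ["Analyst", "Auditor"], "policies": ["All Access"]},
]
```

Running `unassigned_analysts(SAMPLE_ADMINS, True)` reproduces the check behind "How do you assign policies to unassigned analysts?": only the Analyst-only admin with an empty policy list is flagged.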
Microsoft Azure Active Directory
To use Azure Active Directory (AD) groups in the roles based access control (RBAC) feature, authorize Workspace ONE Intelligence to connect with your Azure AD environment.
Workspace ONE Intelligence uses the Microsoft Graph API to communicate with your Azure environment.
You must have the permissions to configure a public Azure AD account. Use your Azure AD admin account credentials for registration. If you do not have admin permissions to set up Azure AD, have an Azure AD admin register your environment with Workspace ONE Intelligence.
- In the Workspace ONE Intelligence console, go to Settings > Administrators > User Identity Management > Microsoft Azure Active Directory > Set Up. The system directs you to your organization's Microsoft area. If you have Azure AD admin permissions, the system prompts you to enter your Azure AD credentials.
- Select Accept in the Microsoft window to give Workspace ONE Intelligence permissions to access data in Azure. If the system accepts the permissions, the Microsoft Azure Active Directory integration displays as Status: Authorized.
- Give permission to sign in and read user profiles in Azure.
- Give permission to read all groups in Azure.
- Give permission to read the full profiles of all users in Azure.
When you add an admin or group in Workspace ONE Intelligence, you can select from users and groups in your Azure Active Directory environment.
What to do next
Add and edit admins in Settings > Administrators. For information on the different roles and their permissions, access RBAC Role Descriptions.