Workspace ONE Access By Product Technical Guides

Introducing Role-Based Access Control (RBAC) in VMware Identity Manager 3.2

The Importance of Identity Management RBAC

Role-based access control (RBAC) allows you to segment what type of access is granted to administrators in different functional roles. It’s important to provide access to enough tools for an administrator to do their job, without granting the keys to the kingdom unnecessarily.

For example, VMware Identity Manager, a component of VMware Workspace ONE, is a tool for managing identity providers, access policies, company-wide application configurations and more. Only a few administrators should have access to edit this.

In addition, most apps are managed by various business units. Once the app is added to Identity Manager, the super administrator may want to delegate the day-to-day duties to another admin without granting full super admin access.

For these reasons, RBAC for administrators has been a frequent request for Identity Manager, and we are pleased to announce its inclusion in our Identity Manager 3.2 release. Our first release of RBAC is focused on offering write permissions to specify what a given administrator can and cannot modify within the console. This gives you the capability to prevent access to sensitive administrative functions, like policy management and app configuration records, while allowing you to provide limited administrative access for functions like reporting, user management and help desk requests.

What’s New in RBAC for Identity Manager

Out of the box, Identity Manager offers three default administrator roles:

  1. A Super administrator is granted access to everything, full control.
  2. A Read-Only administrator is granted no write permissions, just the ability to view console information, like reports.
  3. In between sits the Directory admin. This administrator role is granted the ability to manage users, groups and directories, but is not allowed to make modifications to, for example, app configurations and authentication policies.

These default roles can be accessed and applied to administrators or groups from the new Roles tab in the Identity Manager admin console.


Many of you will want to take things a step further, creating your own roles for job-specific functions in your organization. Fortunately, Identity Manager’s implementation of RBAC also supports the definition of custom roles.

Let’s walk through an example of creating a custom admin role that grants access only to modify Salesforce entitlements. Such a role might be required if help desk requests for one-off Salesforce access were frequent. Limiting your admin accounts in such a way would allow your help desk personnel to perform this task without having access to accidentally modify sensitive settings, like authentication rules or your app configurations.

How to Build & Manage Your Roles

Let’s create an admin role to manage entitlements to the Salesforce application:

  • Since we want to create a new role, let’s navigate to the Roles tab. From here, we can see our default roles, as well as any other custom roles that have been created.
  • Since we want to create a new role, we should click Add. First, we need to give our role a name and description to identify it in the listing.

  • Next, we are presented with a selection of top level permission categories. For our use case, we need to allow administrators to modify entitlements to Salesforce, so let’s select Entitlements.

  • After selecting the permission category, we find that there are a number of actions from which to choose. These include a read-only option, as well as a number of write options. For our use case, let’s select the Manage Web Entitlements action. (However, if you wish to add more than one action you can do so with the + button.)

  • Many actions also include further granularity in the form of conditions. We can either grant full access with the All option, or limit to access to a specific condition using the Some option.

  • For our example, we want to provide access to modify application entitlements, but only for Salesforce. So let’s use the Some option. By selecting the Application condition, and then using the search function to find the Salesforce entry, we are able to grant application entitlement management for only the Salesforce app.

  • We are now ready to save our role and apply it to individual administrators or groups. This can be done in the Roles tab by selecting the desired role and clicking Assign.

Mastering the Roles Page

The Roles tab also offers a few additional tools for managing your roles and assignments.

From here, in addition to creating new roles, you can modify and delete existing ones. However, this capability is only extended to your custom roles. The default, built-in roles cannot be modified or deleted. You are welcome, however, to edit the default roles to view which permissions they include.

Role assignment also offers a high level of flexibility. You will find that you can not only assign a given role based on both user and group, but you can also assign multiple roles to the same user or group. The behavior of multiple roles applied to the same administrator is additive. For example, if an administrator is assigned two roles, one with write access to policy management and the other without, that administrator will have access to modify policies.

Tell us What You Think!

This is just the beginning of RBAC for Identity Manager. Expect further enhancements to this feature in later releases. For example, we already plan on updating the user experience to hide the edit button on pages where the administrator doesn’t have sufficient permission to edit (instead of simply presenting the administrator with a permission denied message when attempting to save).

We are excited to offer this new feature and look forward to seeing how creative you get with securing your administrators. Please send us your feedback so we can keep rolling in improvements.