Information Security and Access Control Design for Workspace ONE Access
Last Updated January 30, 2025

You manage access to Workspace ONE Access by assigning users and groups to Workspace ONE Access roles.

Identity Management Design

In Workspace ONE Access, you can assign three types of roles to users and groups.
Workspace ONE Access Roles and Example Active Directory Groups

Role: Super Admins
Description: A role with the privileges to administer all Workspace ONE Access services and settings.
Example Active Directory Group Name: wsa-admins

Role: Directory Admins
Description: A role with the privileges to administer Workspace ONE Access users, groups, and directory management.
Example Active Directory Group Name: wsa-directory-admins

Role: ReadOnly Admins
Description: A role with read-only privileges to Workspace ONE Access.
Example Active Directory Group Name: wsa-read-only

For more information about Workspace ONE Access roles and their permissions, see the Workspace ONE Access documentation.
As the cloud administrator for Workspace ONE Access, you establish an integration with your enterprise directories which allows you to use your organization's identity source for authentication.
The Workspace ONE Access deployment allows you to control access to supported SDDC components by assigning roles to your organization's enterprise directory groups, such as Active Directory security groups.
Assigning roles to groups is more efficient than assigning roles to individual users. As the cloud administrator, you determine the members that make up your groups and the roles that are assigned to those groups. Groups in the connected directories are available for use in Workspace ONE Access. In this design, enterprise groups are used to assign roles in Workspace ONE Access.
Design Decisions on Identity Management for Workspace ONE Access

Decision ID: VCF-VRS-WSA-SEC-002
Design Decision: Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles:
  • Super Admins
  • Directory Admins
  • ReadOnly Admins
Design Justification: Streamlines the assignment of Workspace ONE Access roles to users, because membership is managed in the directory rather than per user in Workspace ONE Access.
Design Implication:
  • You must set an appropriate directory synchronization interval in Workspace ONE Access so that membership changes, including removals, take effect within an acceptable period.
  • You must create the security groups outside of the SDDC stack.

Password Management Design

The password management design consists of characteristics and decisions that support configuring user security policies for the Workspace ONE Access instance.
Design Decisions on Password Management for Workspace ONE Access

Decision ID: VCF-VRS-WSA-SEC-003
Design Decision: Rotate the appliance root user password on a schedule post deployment.
Design Justification: The password for the root user account expires 60 days after the initial deployment and after each subsequent password change.
Design Implication:
  • You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable.
  • You must manage the root password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.

Decision ID: VCF-VRS-WSA-SEC-004
Design Decision: Rotate the appliance sshuser user password on a schedule post deployment.
Design Justification: The password for the sshuser appliance user account expires 60 days after the initial deployment and after each subsequent password change.
Design Implication:
  • You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable.
  • You must manage the sshuser password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager.

Decision ID: VCF-VRS-WSA-SEC-005
Design Decision: Rotate the System Admin (admin user of port 8443) application user password on a schedule post deployment.
Design Justification: The password of the System Admin (admin user of port 8443) account is initially the same as the password of the admin application user, but for password rotation the account is managed separately by vRealize Suite Lifecycle Manager.
Design Implication:
  • You must manage the password rotation schedule for the System Admin (port 8443 admin) account in accordance with your corporate policies and regulatory standards, as applicable. Rotating the admin application user password does not change this account's password.
  • You must manage the admin application user password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.

Decision ID: VCF-VRS-WSA-SEC-006
Design Decision: Rotate the admin application user password on a schedule post deployment.
Design Justification: The password for the default administrator application user account does not expire after the initial deployment, so without a schedule it is never rotated.
Design Implication:
  • You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.
  • You must manage the admin password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.

Decision ID: VCF-VRS-WSA-SEC-007
Design Decision: Rotate the configadmin application user password on a schedule post deployment.
Design Justification: The password for the configuration administrator application user account does not expire after the initial deployment, so without a schedule it is never rotated.
Design Implication:
  • You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable.
  • You must use a combination of Workspace ONE Access and vRealize Suite Lifecycle Manager to manage the password rotation schedule of the configadmin user.

Decision ID: VCF-VRS-WSA-SEC-008
Design Decision: Configure a password policy for the Workspace ONE Access local directory users, admin and configadmin.
Design Justification: You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards.
Design Implication:
  • The password policy applies only to the local directory users and does not affect your organization's enterprise directory, whose password policy is enforced by that directory.
  • You must set the policy in accordance with your organization policies and regulatory standards, as applicable.
  • You must apply the password policy on the Workspace ONE Access cluster nodes.
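Decisions SEC-003 and SEC-004 hinge on a 60-day expiry for the appliance root and sshuser passwords: an expired password is the failure mode to catch before SDDC Manager or vRealize Suite Lifecycle Manager can no longer log in to rotate it. The following POSIX shell script is an added example, not part of this design and not VMware tooling. It reads /etc/shadow-format lines and reports accounts whose password expires within a warning window. The shadow lines embedded in it are constructed for illustration, not copied from an appliance, and the field layout assumed is the standard Linux /etc/shadow layout.

```shell
#!/bin/sh
# Added example (not VMware code): flag appliance accounts whose password expires
# within a warning window, from /etc/shadow-format lines. Run it on each Workspace
# ONE Access node, or feed it a copy of /etc/shadow. Assumed field layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# where lastchg is days since 1970-01-01 and max is the password lifetime in days.

# Constructed sample, not taken from a real appliance. root and sshuser carry the
# 60-day lifetime described in the design; nobody has no expiry (99999).
SAMPLE_SHADOW='root:$6$salt$hash:20100:0:60:7:::
sshuser:$6$salt$hash:20090:0:60:7:::
nobody:*:19000:0:99999:7:::'

# today_days: the current date as days since the epoch, the unit /etc/shadow uses.
today_days() {
  echo $(( $(date +%s) / 86400 ))
}

# expiring_accounts SHADOW_TEXT TODAY WARN_DAYS
# Prints "name days_left" for every account with a finite password lifetime whose
# password expires within WARN_DAYS. 0 means it expires today; a negative value
# means it has already expired and password logins for that account will fail.
expiring_accounts() {
  printf '%s\n' "$1" | while IFS=: read -r name _hash lastchg _min max _rest; do
    # skip entries with no lifetime configured (99999) or with missing fields
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
      continue
    fi
    left=$(( lastchg + max - $2 ))
    if [ "$left" -le "$3" ]; then
      printf '%s %d\n' "$name" "$left"
    fi
  done
}

# Stand-alone run: warn 14 days ahead, which leaves time to schedule the rotation
# in SDDC Manager or vRealize Suite Lifecycle Manager before the 60-day limit.
expiring_accounts "$SAMPLE_SHADOW" "$(today_days)" 14
```

On a real node, replace the constructed sample with `cat /etc/shadow` (as root) and run the check from cron or from your monitoring agent; any account listed with a negative value has already passed the expiry described in SEC-003 and SEC-004.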

Certificate Management Design

The Workspace ONE Access user interface and API endpoint use an HTTPS connection. To provide secure access to the Workspace ONE Access user interface and API, use a CA-signed certificate.
Design Decisions on Certificates for Workspace ONE Access

Decision ID: VCF-VRS-WSA-SEC-009
Design Decision: Use a CA-signed certificate that contains the following names in the Subject Alternative Name (SAN) extension when deploying Workspace ONE Access:
  • Standard Workspace ONE Access
    • The Workspace ONE Access node FQDN
  • Clustered Workspace ONE Access
    • Each Workspace ONE Access cluster node FQDN
    • The Workspace ONE Access cluster load balancer FQDN
Design Justification: Ensures that all communications to the externally facing Workspace ONE Access browser-based UI and API, and between the components, are encrypted, and that clients can validate the endpoint identity against a trusted CA.
Design Implication:
  • Certificates are managed by the Locker in vRealize Suite Lifecycle Manager.
  • Using CA-signed certificates from a certificate authority increases the deployment preparation time, because certificate requests must be generated and delivered.
  • You must manage the life cycle of certificate replacement, including renewal before expiry.
  • The SSL certificate key size must be 2048 bits or 4096 bits.

Decision ID: VCF-VRS-WSA-SEC-010
Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
Design Implication: Not all certificate authorities support SHA-2.
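Decisions SEC-009 and SEC-010 together define what an acceptable certificate looks like: every node and load balancer FQDN in the SAN extension, an RSA key of 2048 or 4096 bits, and a SHA-2 signature. The following POSIX shell script is an added example, not part of this design and not VMware tooling. It builds the SAN list for a clustered deployment, generates the CSR you would submit to your CA, and checks an issued certificate against those three requirements before you load it into the Locker. The FQDNs are placeholders in example.com, the self-signed certificate it produces is only a stand-in for the CA-issued one so that the check can run offline, and it assumes OpenSSL 1.1.1 or later for the `-addext` option.

```shell
#!/bin/sh
# Added example (not VMware code): SAN list, CSR, and pre-import certificate check
# for a clustered Workspace ONE Access deployment. Requires OpenSSL 1.1.1+.
# The FQDNs are placeholders, not values from the design.

LB_FQDN="wsa.example.com"
NODE_FQDNS="wsa-1.example.com wsa-2.example.com wsa-3.example.com"

# san_list LB NODE... -> "DNS:lb,DNS:node1,..." (load balancer first, then nodes)
san_list() {
  out="DNS:$1"; shift
  for n in "$@"; do out="$out,DNS:$n"; done
  printf '%s' "$out"
}

# make_csr KEY CSR CN SANS BITS: new RSA key (2048 or 4096) and a SHA-256 CSR
# carrying the SAN extension. Send the CSR to the CA; keep the key for the Locker.
make_csr() {
  openssl req -new -newkey "rsa:$5" -nodes -sha256 -keyout "$1" -out "$2" \
    -subj "/CN=$3" -addext "subjectAltName=$4"
}

# make_test_cert KEY CERT CN SANS BITS: self-signed stand-in for the CA-issued
# certificate so the check below can run offline. Never deploy this.
make_test_cert() {
  openssl req -x509 -newkey "rsa:$5" -nodes -sha256 -days 30 -keyout "$1" -out "$2" \
    -subj "/CN=$3" -addext "subjectAltName=$4"
}

# check_cert CERT SANS: returns 0 only if every expected SAN entry is present
# (SEC-009), the RSA key is 2048 or 4096 bits (SEC-009), and the signature hash
# is SHA-2 (SEC-010).
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  # SAN values sit on the line after the extension name; strip spaces for exact matching
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ')
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    case ",$san," in
      *",$want,"*) ;;
      *) echo "missing SAN entry $want" >&2; return 1 ;;
    esac
  done
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  case "$bits" in
    2048|4096) ;;
    *) echo "key size '$bits' is not 2048 or 4096" >&2; return 1 ;;
  esac
  case "$text" in
    *"Signature Algorithm: sha256With"*|*"Signature Algorithm: sha384With"*|*"Signature Algorithm: sha512With"*) ;;
    *) echo "certificate is not signed with SHA-2" >&2; return 1 ;;
  esac
  return 0
}

# Stand-alone run: the CSR for the real request, plus a self-signed test
# certificate to exercise the checker. $NODE_FQDNS is split on spaces on purpose.
d=$(mktemp -d)
sans=$(san_list "$LB_FQDN" $NODE_FQDNS)
make_csr "$d/wsa.key" "$d/wsa.csr" "$LB_FQDN" "$sans" 4096 2>/dev/null
make_test_cert "$d/test.key" "$d/test.crt" "$LB_FQDN" "$sans" 2048 2>/dev/null
check_cert "$d/test.crt" "$sans" && echo "test certificate satisfies SEC-009 and SEC-010"
```

Run `check_cert` against the certificate returned by your CA before importing it into the Locker; a CA that silently drops SAN entries it did not expect, or re-signs with SHA-1, is caught here rather than after the cluster nodes have been reconfigured.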