Workspace Item Types
Overview
Before creating a WorkSpace item, an Item Type must be created to be assigned to the item. This guide will walk you through how to do that.
Decide on the WorkSpace Item Types:
- Configure relevant WorkSpace Item Types from which items will be created. The Workspace Item Type defines the default properties and behaviours for the Item (e.g., location, group type, icons, default naming patterns, and automations).
If using Active Directory groups, you need to review where groups will be created within Active Directory.
- A Workspace Item is represented by up to 2 groups in Active Directory.
- Group creation locations should be considered early when setting up the WorkSpace Service.
Active Directory Group Types
Resource Group:
- The group secured against the application or resource.
- Public/shared and private groups.
User Group:
- This is only used for public items in multi-tenant Active Directory situations.
- The User Group is a customer-specific group that contains only users for the specific customer.
- This group is then made a member of the Resource Group.
Creating WorkSpace Item Types:
Workspace ships with a default set of Workspace Item Types. Check these in Services > Workspace > Workspace ItemTypes, as the list may already meet your requirements.
If you need to create new Item Types, click the Add button. You will be presented with a form with multiple fields to fill out.
- Display Name: The display name for the Item Type in Atria.
- Description: Description of the item type in Atria.
- Icon: An icon to be displayed across Atria. Icons can either be uploaded or selected from an icon reference library, such as Font Awesome.
- Resource Group Name: A naming convention that is inherited by Workspace Items. You can use variables within these, such as {ItemName}. Workspace Items created with this ItemType will use these names if not overridden.
- User Group Name: Same premise as Resource Group Name.
- Resource and User Group Type:
The following table shows the different group types that can be specified for a Workspace Item Type.
IDPType | IDPGroupType | Description |
---|---|---|
ActiveDirectory | GLOBAL DISTRIBUTION | Global Scoped Distribution Group |
ActiveDirectory | GLOBAL SECURITY | Domain Global Scoped Security Group |
ActiveDirectory | LOCAL DISTRIBUTION | Domain Local Scoped Distribution Group |
ActiveDirectory | LOCAL SECURITY | Domain Local Scoped Security Group |
ActiveDirectory | UNIVERSAL DISTRIBUTION | Universal Scoped Distribution Group (Exchange) |
ActiveDirectory | UNIVERSAL SECURITY | Universal Scoped Security Group |
AzureAD | Distribution | Exchange Online Distribution Group |
AzureAD | MailEnabledSecurity | Mail Enabled Azure AD Security Group |
AzureAD | Microsoft365 | Microsoft 365 Group |
AzureAD | Security | Azure AD Security Group |
- Sort Order: This is used to order the list of ItemTypes in Atria.
Here is an example of an ItemType created for a printer:
And some further examples of ItemTypes:
Additional Mail Properties for Active Directory Distribution Groups
If Mail Enabled AD groups are created through Atria, the following properties can be added to the Item Type to automatically set an Email address and Alias for the group.
The following two default properties need to be set; the Provisioning Engine will use them to determine that the group is mail-enabled and the pattern to use for the email alias.
Property | Value | Description |
---|---|---|
Mail-Enabled | True | The Provisioning Engine uses this flag to determine whether or not to set email attributes on the group |
defaultPrimarySmtpAddress | {ItemName}@{PrimaryDomain} | Pattern to use to generate a primary SMTP email address |
Dealing with Mail Enabled Groups
When groups are imported into Atria, Atria will leave email-related properties alone (e.g., permissions, email addresses). If Atria creates a mail-enabled group, only minimal properties will be set. Group mail features should be managed through the Atria Azure AD group management feature or via Office 365.
Configuring the Active Directory Placement of Workspace Groups
In Active Directory, you can configure the OU to use when creating groups. This is defined by a configuration setting in the Atria Config Service. You can change this using PowerShell.
Please make sure you have read/write access to the Config Service. If you need assistance with this, please contact our support team.
First, check the current configuration with the below PowerShell command on the Provisioning Server:
Get-AtriaConfig -ConfigKey WSResourceContainer -UseEnvironment
You should see output similar to the below. This is the default configuration:
{
"ActiveDirectory": "WorkSpace Groups",
"ActiveDirectory:Common": "Shared Resources,WorkSpace,Services,CortexSystem"
}
Here we see two specific keys:
- 'ActiveDirectory'
- 'ActiveDirectory:Common'
These relate to whether an item is Private or Shared. The first key, without 'Common', is the resource container for 'Private' items; the 'ActiveDirectory:Common' key is the 'Shared' key, which holds the overall path where resources are stored. The difference between Private and Shared items is described in: Workspace Items
To change this, here are two examples.
Private Items
Private Items are created within the client's OU. We are simply updating the label, so the below command will set the config to change the OU name from 'WorkSpace Groups' to 'Groups':
Set-AtriaConfig -ConfigKey 'WSResourceContainer' -ConfigValue '{"ActiveDirectory":"Groups","ActiveDirectory:Common":"Shared Resources,WorkSpace,Services,CortexSystem"}' -UseEnvironment
Shared Items
Below is how we can change the Root OU where Shared Groups are created.
For example, we want to change the Root OU of Shared Groups so that they go under Shared Groups under Customers.
This is done with the below command:
Set-AtriaConfig -ConfigKey 'WSResourceContainer' -ConfigValue '{"ActiveDirectory":"Workspace Groups","ActiveDirectory:Common":"Shared Groups, Customers"}' -UseEnvironment
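One way to build the -ConfigValue JSON from parameters instead of hand-editing the string, so both keys are always present and the value parses as JSON before it is written. This is an added example, not Atria's own code: the function New-WSResourceContainerValue and its parameters are hypothetical, and rejecting DN special characters assumes these names end up as OU names.

```powershell
# Added example. Only Get-AtriaConfig, Set-AtriaConfig, -ConfigKey, -ConfigValue
# and -UseEnvironment come from the page; everything else is hypothetical.
function New-WSResourceContainerValue {
    param(
        [Parameter(Mandatory)][string]   $PrivateContainer,  # 'ActiveDirectory' key
        [Parameter(Mandatory)][string[]] $SharedPath         # 'ActiveDirectory:Common' key
    )
    foreach ($segment in @($PrivateContainer) + $SharedPath) {
        # The shared path is comma-separated, so a comma inside a name would split it.
        # Assumption: names become OU names, so other DN special characters are rejected too.
        if ([string]::IsNullOrWhiteSpace($segment) -or $segment -match '[,"\\=+<>;#]') {
            throw "Invalid container name: '$segment'"
        }
    }
    $config = [ordered]@{
        'ActiveDirectory'        = $PrivateContainer.Trim()
        'ActiveDirectory:Common' = ($SharedPath | ForEach-Object { $_.Trim() }) -join ','
    }
    $json = $config | ConvertTo-Json -Compress

    # Round-trip check: the value must parse and still carry both keys.
    $parsed = $json | ConvertFrom-Json
    foreach ($key in $config.Keys) {
        if (-not $parsed.PSObject.Properties[$key]) { throw "Missing key '$key'" }
    }
    return $json
}

# Same change as the Private Items example: rename the private container to 'Groups'
# and keep the default shared path.
$value = New-WSResourceContainerValue -PrivateContainer 'Groups' `
    -SharedPath 'Shared Resources', 'WorkSpace', 'Services', 'CortexSystem'
$value   # review the JSON before applying it

# Apply only where the Atria cmdlets are available (the Provisioning Server).
if (Get-Command Set-AtriaConfig -ErrorAction SilentlyContinue) {
    Set-AtriaConfig -ConfigKey 'WSResourceContainer' -ConfigValue $value -UseEnvironment
    Get-AtriaConfig -ConfigKey WSResourceContainer -UseEnvironment   # confirm the stored value
}
```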
Terminologies
Term | Definition |
---|---|
iDP Type | Identity Provider Type. Out of the box, this is EntraID and Active Directory. |
Indirect Group | An Indirect Group is created by the Workspace service. For Shared items, we will not put users directly in the root group. Within Active Directory, we will create a group and then, per customer, create a new group as a Member Of it. This means that users in different customers are still segregated, but can inherit resources allocated to the group. |
Direct Group | A Direct Group is a group that is created specifically for one client. This will create a group within Active Directory which Workspace will put users directly into. |