Workspace Roles
Overview
Workspace Roles in Atria are a mechanism for grouping multiple Workspace Items — these could be applications, resources, or any IT assets — into a single user-assignable role. Roles can be assigned to users, simplifying the process of managing who has access to what within the organization.
Implementing Workspace Roles provides additional value to organisations. When implemented well, managing end-users becomes easier, mistakes are reduced and access can be minimised to protect information. It also offers a clearer overview of access control within a business.
Key Features of Workspace Roles
Private and Customizable
Workspace Roles are always private to each customer, this allows organisation to create roles that are precisely aligned with their internal structure and access policies.
Role Composition
Each Workspace Role can contain one or more Workspace Items. A single role can provide access to a wide range of IT resources, making it easier for administrators to assign and manage access across different departments or teams.
User Assignment
Users can be assigned to one or more Workspace Roles, allowing Workspace Items to be structured to meet each organisations standards. For example, location based Roles could control access to Local resources and associated configuration. Job based roles can control access to team resources and applications.
Automatic Item Assignment
When a Workspace Item is added to a role, all users assigned to that role automatically gain access to the new Workspace Item. This feature simplifies the process of handling moves, adds or changes to resources and applications.
Automation Integration
Any automations associated with individual Workspace Items are executed when a user is assigned to a role containing those items. This ensures that all workflows and processes linked to a Workspace Item are triggered as expected, maintaining consistency and reliability in IT operations.
Dynamic Role Updates
Workspace Roles are not static. Administrators can update roles by adding or removing Workspace Items. These changes will affect all users assigned to the role.
Cross Identity Platform
Workspace Item Types can be defined for different IDPs and systems. Roles can contain Workspace Items from any platform, enabling users to access resources across different environments. For instance, a user can be granted access to a desktop via Active Directory and simultaneously be assigned to Teams and distribution groups in Microsoft 365 through a single role.
Administering Roles
Atria Security Roles and Access
Customer must be Provisioned the Workspace Service. The following Atria Security Roles are able to administer Workspace Roles:
- Service Provider Admin
- Reseller Admin
- Customer Admin
- Workspace Service Admin
View Workspace Roles
This is a customer context sensitive function.
Navigate to Services > Workspace > Workspace Roles
Add Workspace Role
-
To add a new role, navigate to the Roles page
Services > Workspace > Workspace Roles -
Click on the Add button
The New Role form is shown below:
Role Name
Enter a descriptive name for the role; this can be edited in the future as needed.
Sort Order
The sort order is an integer: leave blank or enter a number to force a sort order for this item.
Items in Role
- Select one or more items from the list of Workspace Items assigned to the customer.
- Use the search function at the top of the grid to locate specific Workspace Items; this also searches through the Workspace Item Type.
- Select or de-select all items using the checkbox on the top left of the grid header.
Managing Role Membership
Role membership can be managed in one of two ways:
- via the User Provisioning Interface: Assigning Workspace to a User.
- via the Role Editor (adding the user to the role)
Regardless of method, the user is granted the role and all associated Workspace Items within the role are indirectly assigned to the user.
To change role membership,
- Navigate to the Roles page:
Services > Workspace > Workspace Roles. - Click on the role you want to edit.
- Select the "Users with Role" tab.
- Use the search field at the top right of the table to instantly filter the rows.
- Check all of the users you'd like to add.
- Select "Save" at the top right to add the users to the role.
Users must have been assigned the Workspace Service in order to be found in the Roles page.
Additional Notes on Roles
Processing
Changes to roles can trigger a large volume of back-end changes.
- For example, adding 50 users to a Workspace Role with 20 items would cause 1000 changes to group membership.
Changes are queued and processed but may take a bit of time to complete.
Automation Execution happens at User Level
Automations defined against a Workspace Item type will fire for every user added to that Workspace Item. When the item is added to a role, the automation will still execute for each individual user.
Duplication of Item assignment
It is possible for multiple roles to contain overlapping items; it is also possible for users to be assigned multiple roles, as well as be assigned items directly.
Atria tracks changes at the Item level irrespective of how they are assigned. This means that Automations at user level will only fire on the first assignment and on the last removal.
e.g. The following Workspace Items exist for a customer:
- Microsoft Word
- Adobe Acrobat
- Xero Accounts
- Zoho CRM
The following roles exist within the customer:
- Finance Team - contains Microsoft Word and Xero Accounts.
- All Staff - contains Adobe Acrobat
- Service Desk - contains Microsoft Word, and Zoho CRM
A User in the Finance Team - has roles "All Staff" and "Finance Team" From this assignment, they have:
- Microsoft Word (from Finance Team Role)
- Xero Accounts (from Finance Team Role)
- Adobe Acrobat (from All Staff)
They change roles temporarily and are granted the "Service Desk" role, they now have:
- Microsoft Word (from Finance Team Role AND from Service Desk Role)
- Xero Accounts (from Finance Team Role)
- Adobe Acrobat (from All Staff Role)
- Zoho CRM (from Service Desk Role)
After adding this role, Atria will ONLY add the user to the Zoho CRM Workspace Item group; any Provisioning Actions configured within the Item(s) will additionally be initiated at the same time as the role addition.
From a Billing/tracking standpoint, Atria will record the assignment of Zoho CRM to the User as they already had Microsoft Word.
Similarly, if the "Service Desk" role was removed from the user, the only impacting change recorded would be the removal of Zoho CRM from the user.