Introduction
This article is about admin and user permissions within Workspace 365. Permissions determine what someone can and cannot do within Workspace 365, such as viewing or managing a specific application.
This article describes which permissions the admin has to configure settings and manage access to parts of Workspace 365, such as a shared space, and which permissions the admin can delegate.
Managing permissions via groups
Assigning permissions to groups of users is an easy way to manage permissions. How you create and synchronise groups depends on the synchronisation tool you use. See this overview page for more information.
Admin
The admin of a Workspace 365 environment can in principle do everything. There is a separate full guide on what an admin can configure and manage.
Delegated admin rights
The admin can delegate certain permissions to groups of users, or even to all users.
How to delegate admin rights?
Log in as admin to the Workspace 365 environment
Go to Settings
Go to Users & Groups
You will now see among other things:
Group management → if you want to delegate permissions to specific groups
Default permissions → if you want to delegate permissions to all users
Note: this distinction and the interaction between the two will be discussed later in this section.
Deny, not set, allow
As the above screenshots show, you can set a delegated permission to ‘deny’, ‘not set’ or ‘allow’.
the group (or all users) for whom you configure this does not have these permissions. | the group (or all users) for whom you configure this does have these permissions.
|
|
|
Default permissions vs group management
As mentioned, the admin can delegate permissions via:
Default permissions -> for all users.
Group management -> for group(s) of users.
Here a conflict of permissions can occur. This happens if a delegated permission is configured differently in default permissions than in group management. The following rules of thumb apply:
‘Not set’ combined with ‘Allow’ results in ‘Allow’
‘Allow’ combined with ‘Deny’ results in ‘Deny’
These rules of thumb lead to the following combinations:
Default permissions | Group management | End result |
Not set | Not set | Deny |
Not set | Allow | Allow |
Not set | Deny | Deny |
Allow | Not set | Allow |
Allow | Allow | Allow |
Allow | Deny | Deny |
Deny | Not set | Deny |
Deny | Allow | Deny |
Deny | Deny | Deny |
Which permissions can you delegate?
In both Group management and Default permissions, there are three categories in which you can delegate:
Admin settings:
Manage company information, modules and licences. See this overview page for more information
Manage users, groups, permissions and user provisioning. See this overview page for more information.
Manage branding sets. See this article for more information.
If one or more permissions under admin settings are assigned to a user, the user will see this under Settings in their Workspace 365 environment:
|
Apps / Shared tile groups / Spaces
Apps:
Create apps in the app store. This gives you access to creating apps in the app store.
Manage all apps in the app store. This gives you access to edit/disable/delete all apps in the app store.
Upload and manage app icons. This gives you access to upload and delete app icons.
Request apps in the app store. This gives you access to request apps you do not yet have permissions for, in the app store. See screenshot below.
Shared tile groups
Create shared tile groups. This gives you access to creating shared tile groups.
Manage all shared tile groups. This gives you access to editing and deleting shared tile groups.
Spaces
Edit your own workplace, create personal tile groups and add tiles. This gives you access to editing your personal workplace, creating personal tile groups and adding tiles.
Create and manage all spaces. This gives you access to creating/editing/deleting spaces and groups for the spaces.
Explanation: create and manage shared tile groups and spaces.
With the above permissions, the (delegated) admin can also configure permissions in both a shared tile group and in a space:
See also our FAQ for admin
💡 In traditional literature on user rights you often read about 'read rights' and 'write rights'. You can translate this as follows for Workspace 365:
|
The Hub
Create and manage all announcements and categories. This gives you access to creating/editing/deleting announcements and categories. It is also possible to place an announcement in multiple categories.
Create and manage all community posts and communities. This gives you access to creating/editing/deleting community posts and communities.
Create and manage all events and categories. This gives you access to creating/editing/deleting events and categories.
Create and manage all knowledge articles and categories. This gives you access to creating/editing/deleting knowledge articles and categories.
Create and manage Hub templates. This gives you access to creating/editing/deleting templates for announcements, events and knowledge articles.
Send direct pop-ups. This gives you access to sending pop-ups directly for announcements and events.
Managing announcements, events and knowledge articles
With the above permissions for announcements, events and knowledge articles, you can also configure permissions in the Hub itself. In the Hub you can organise posts into categories.
Per category you can configure:
Note: permissions you configure on a category take precedence over general permissions in the Hub. |