Workspace Environment Management

Access control

Role-Based Access Control (RBAC) in Workspace Environment Management (WEM) provides a structured way to delegate administration.

Setting up RBAC involves three steps:

  1. Designate roles: In Citrix Cloud, assign each administrator a role — either WEM > Full administrator (unrestricted access) or WEM > Restricted administrator (limited access based on scopes). For more information, see Manage administrator permissions.

  2. Define scopes: In the Access control node of the WEM web console, define scopes for restricted administrators. For more information, see Create a scope.

  3. Assign scopes: In the Access control node of the WEM web console, assign scopes to restricted administrators to apply the associated access policies and permissions. For more information, see Assign scopes to a restricted administrator.

About the Access control node

The Access control node is where you implement RBAC by defining what restricted administrators can access and how they can interact with WEM resources.

With this node, you can:

  • Define and assign Scopes to limit which resources (such as configuration sets, scripted tasks, and app packages) restricted administrators can manage.

  • Delegate scopes and role types (Read-only admin or Read/write admin) to restricted administrators while protecting critical resources and reducing operational risk.

Note:

Only administrators who have the WEM Full administrator role can access this node.

View WEM administrators

To view all WEM administrators (full or restricted), follow these steps:

  1. Go to Access control > Administrators. The Administrators list appears with all WEM administrators (full or restricted).
  2. To check an administrator’s role type, use the Search box to find them by name or email.
  3. To sync the list with Citrix Cloud > Identity and Access Management > Administrators, click Refresh.

Note:

To add or remove WEM administrators, or to change a WEM administrator’s role type (full or restricted), go to Citrix Cloud > Identity and Access Management > Administrators using a user account with Full Access:

  • To assign a user the WEM Full administrator role, select Custom Access > Workspace Environment Management > Full Administrator.
  • To assign a user the WEM Restricted administrator role, select Custom Access > Workspace Environment Management > Restricted Administrator.

For more information, see Manage administrator permissions.

Create and manage scopes

A scope is a collection of WEM resources, including configuration sets, scripted tasks, and app packages. Scopes help you organize resources and control which administrators can access and manage them.

The Scopes page gives you a centralized view of all scopes in your environment. You can create, edit, view, or delete scopes:

  • Search: Filter scopes by name or description.
  • Create scope: Add a resource collection.
  • Refresh: Update the list of scopes.
  • Administrator icon: View which administrators are assigned.
  • Menu (…) icon: View, edit, or delete a scope. (The built-in Shared scope can’t be edited or deleted.)

WEM provides a built-in Shared scope that includes shared resources such as WEM cloud agent packages and built-in scripts. This scope is always available to all restricted administrators in read-only mode and can’t be edited or deleted.

Create a scope

  1. Go to Access control > Scopes.
  2. Click Create scope.
  3. On the Basic information page, enter a name and (optionally) a description, and click Next.
  4. On the Resources page, select which WEM resources to include from the Configuration sets, Scripted tasks, and App packages lists. Use these filters to narrow a list:

    • Show all: Displays all resources.
    • Show available only: Displays resources not yet assigned to a scope.
    • Show selected only: Displays the resources that you’ve chosen.
  5. Click Done.

View or edit a scope

  1. In Scopes, search for the scope by name or description.
  2. Click the Menu (…) icon at the end of the row, and select View or Edit.
  3. Review or update the information on the Basic information and Resources pages.
  4. Click Save.

Delete a scope

  1. In Scopes, select the scope.
  2. Click the Menu (…) icon at the end of the row, and then click Delete.

Note:

If the scope is already assigned to restricted administrators, deleting it immediately impacts their access.

Assign scopes to a restricted administrator

To control which collections of WEM resources a restricted administrator can manage, follow these steps:

  1. Go to Access control > Administrators.
  2. Locate a restricted administrator by name or email.
  3. Click the Manage access icon at the end of the row.
  4. On the Manage administrator access page that appears, do the following actions:
    • Select one or more existing scopes.
    • Click Create scope to define a new collection of resources. For more information, see Create a scope.
  5. Select the role type:
    • Read-only admin: The administrator can only view resources in the scope.
    • Read/Write admin: The administrator can view and manage resources in the scope.
  6. Click Done.

Note:

Restricted administrators always have read-only access to the built-in Shared scope.
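
The access rules described on this page, modeled in Python as an added example (not Citrix code and not a WEM API). It assumes the role type is a single setting per restricted administrator that applies to all of their assigned scopes; the data model, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

SHARED = "Shared"  # built-in scope: read-only for every restricted administrator

@dataclass
class Admin:
    email: str
    role: str                       # "full" or "restricted", assigned in Citrix Cloud
    role_type: str = "read-only"    # or "read/write"; only meaningful when restricted
    scopes: set = field(default_factory=set)   # names of assigned scopes

def effective_access(admin, resource, scopes):
    """Return 'write', 'read' or 'none'. scopes maps scope name -> set of resources."""
    if admin.role == "full":
        return "write"              # full administrators are unrestricted
    best = "none"
    for name in admin.scopes | {SHARED}:
        if resource not in scopes.get(name, ()):   # in this model a deleted scope grants nothing
            continue
        if name != SHARED and admin.role_type == "read/write":
            return "write"
        best = "read"
    return best

def delete_scope(scopes, name):
    if name == SHARED:
        raise ValueError("the Shared scope can't be edited or deleted")
    scopes.pop(name, None)          # takes effect at once for assigned administrators

def write_grants(admins, scopes):
    """Least-privilege review: every (admin, resource) a restricted admin can modify."""
    resources = set().union(*scopes.values())
    return sorted((a.email, r) for a in admins if a.role == "restricted"
                  for r in resources if effective_access(a, r, scopes) == "write")

def sample():
    """Constructed data; the names are placeholders, not a real tenant."""
    scopes = {SHARED: {"agent-package", "builtin-script"},
              "EMEA": {"cfgset-emea", "task-cleanup"}}
    admins = [Admin("root@example.test", "full"),
              Admin("ops@example.test", "restricted", "read/write", {"EMEA"}),
              Admin("audit@example.test", "restricted", "read-only", {"EMEA"})]
    return admins, scopes
```

Calling `write_grants(*sample())` lists the two EMEA resources that `ops@example.test` can modify; after `delete_scope(scopes, "EMEA")` the list is empty.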
