Company Managers can customize the functionality of Workplace on both a User and Group Level. When multiple levels of functionality are set, it can be confusing to determine what functionality does a user actually has access to.
The Default Policy
When a user is added to a group, the user will inherit the policy defined at the group level. For example, we have updated the policy for Multi-factor Authentication (MFA) for the Marketing group. We have set the policy to require SMS Verification for the MFA.
When we view the security options of a member of the group, Gene Krantz, we can see the MFA policy states the policy is set to SMS Verification because it inherits the policy from all available groups.
Multiple Groups Policy
In some cases, a user may belong to multiple groups with conflicting policies. When Workplace elevates the policy settings at the group level, Workplace utilizes an OR rule to determine if a policy is active. For example, the user, Gene Krantz, is assigned to two groups, Marketing, and Sales.
The policy for Allow On-Demand Work Folders for the Marketing Group is Disabled. The policy for Allow On-Demand Work Folders for the Sales Group is Enabled. Since Workplace utilizes an OR rule to determine a user's policy, Gene Krantz's account will have Allow On-Demand Work Folders set to Enabled.
The User Override
Workplace follows a "lowest to highest" approach with permissions, settings, and policies.
For example, we have updated the policy for Multi-factor Authentication (MFA) for the user, Gene Krantz. We have set the policy to require No Verification for the MFA.
When we view the security options at a group level, in this case, Marketing, we can see the policy for Multi-factor Authentication (MFA) is set to SMS.
When Gene Krantz signs in to Workplace, the user will not be presented with Multi-factor Authentication (MFA) because the policy at the lowest level (User) is set to none.