
About Administrators

Zscaler’s role-based administration enables you to control what different admins can do in the Admin Portal. You can delegate responsibilities among admins and granularly control their level of access to the Admin Portal to ensure they do not create conflicting policies and settings.

To facilitate role-based administration, each admin account comprises a role and scope:

  • Using an admin role or SD-WAN partner API role, you can specify which features admins can access in the Admin Portal.
  • Using an admin scope, you can specify the areas of the organization (for example, which departments or which locations) in which admins can configure policies or settings in the Admin Portal.

Role-based administration provides the following benefits and enables you to:

  • Configure security policies in the Admin Portal, with help from the CISO (specified through role).
  • Configure security policies for the entire organization (specified through scope).
  • Configure access policies relevant to productivity and compliance (specified through role), only for a specific location or department (specified through scope).

Zscaler provides a default admin account with full access to the Admin Portal and scope. As a default admin, you can:

  • Enable or disable the default admin account status, but you cannot delete the account.
  • Add as many additional admins as necessary to meet the specific needs of your organization (only with role-based administration).
  • Edit and delete admins as necessary at any time.

Also, depending on their admin role and scope, configured admins can add, edit, or delete admin accounts with a lower rank.

Zscaler recommends you log in with the new default admin account (DEFAULT ADMIN) and delete the deprecated default admin (DEFAULT ADMIN (Deprecated)).

The new default admin login ID uses the following format:

admin@<Organization ID>.<Zscaler Cloud>.net

As a best practice, the new default admin can't be used to log in to the Zscaler service and browse the internet. Also, password reset is only supported for the new default admin.

Configuring an admin is one of the tasks you must complete when configuring role-based administration. To learn more, see Configuring Role-Based Administration.

About the Administrators Page

On the Administrators page, you can only edit an existing admin's scope. The admins are configured in ZIdentity. To learn more, see ZIdentity Admin, User, & Role Management.

On the Administrators page (Administration > Admin Management > Administrator Management > Internet Access Administrators), you can do the following:

  1. Add an SD-WAN partner API client.
  2. Search for a configured admin.
  3. View a list of all admins configured for your organization. For each admin, you can see the following details:
    • Login ID: The Admin Portal login ID for the admin.
    • Name: The name of the admin.
    • Role: The admin's level of access to the Admin Portal.
    • Scope: The areas of the organization the admin can manage in the Admin Portal.
    • Login Type: Lists if SAML single sign-on (SSO) login, direct password access login, or both are enabled for the admin.
    • Comments: Displays any comments regarding the admin, if available.
    • Password Expired: Displays whether the admin's password has expired if password expiration is enabled for admins.
    • Status: The status of the admin.
    • Type: Displays whether the admin's type of role is a Standard Admin, SD-WAN partner API, Executive App Admin, or Standard & Executive App Admin.
  4. Modify the table and its columns.
  5. Edit a default admin or a configured admin.
  6. Go to the Auditors page.
  7. Go to the Administrator Management page.
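
As an added example (not Zscaler code and not an official export format), this Python function reviews the admin list described above: it takes rows keyed by the page's column names and flags the deprecated default admin, a default admin login ID that does not match the documented format, and enabled accounts with direct password login or an expired password. The cell spellings ("Enabled", "Password", "Yes"), the role and scope values, and all sample rows are assumptions constructed for illustration.

```python
import re

# Login ID format of the new default admin as given on the page:
# admin@<Organization ID>.<Zscaler Cloud>.net (allowed characters are an assumption).
DEFAULT_ADMIN_ID = re.compile(r"^admin@[A-Za-z0-9-]+\.[A-Za-z0-9-]+\.net$")

# Column names from the Administrators page; cell values below are assumed spellings.
COLUMNS = ("Login ID", "Name", "Role", "Scope", "Login Type", "Password Expired", "Status")

def audit_admins(rows):
    """Return (login_id, finding) pairs for admin rows keyed by COLUMNS."""
    findings = []
    for row in rows:
        login, name = row["Login ID"], row["Name"].strip()
        enabled = row["Status"].strip().lower() == "enabled"
        login_types = {t.strip().lower() for t in row["Login Type"].split(",")}
        if "(deprecated)" in name.lower():
            findings.append((login, "deprecated default admin still present"))
        if name.upper() == "DEFAULT ADMIN" and not DEFAULT_ADMIN_ID.match(login):
            findings.append((login, "default admin login ID not in documented format"))
        if enabled and "password" in login_types:
            findings.append((login, "direct password login enabled"))
        if enabled and row["Password Expired"].strip().lower() == "yes":
            findings.append((login, "enabled account with expired password"))
    return findings

# Constructed sample rows (not real accounts, not a real export).
SAMPLE_ROWS = [dict(zip(COLUMNS, r)) for r in [
    ("admin@12345678.examplecloud.net", "DEFAULT ADMIN", "Super Admin",
     "Organization", "Password", "No", "Enabled"),
    ("admin@example.com", "DEFAULT ADMIN (Deprecated)", "Super Admin",
     "Organization", "Password", "Yes", "Enabled"),
    ("alice@example.com", "Alice Example", "Policy Admin",
     "Department: Finance", "SAML SSO", "No", "Enabled"),
    ("bob@example.com", "Bob Example", "Policy Admin",
     "Location: Branch 1", "SAML SSO, Password", "Yes", "Disabled"),
]]

if __name__ == "__main__":
    for login_id, finding in audit_admins(SAMPLE_ROWS):
        print(f"{login_id}: {finding}")
```

Disabled accounts are skipped by the password checks, so only enabled accounts produce login-related findings.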

Related Articles
  • About Administrators
  • Understanding Admin Scope
  • Editing Internet & SaaS Super Admins
  • Editing Internet & SaaS Admins
  • Adding SD-WAN Partner API Clients