The admin roles that are assigned to admins dictate the level of access they have to the Admin Portal. Zscaler provides a default super admin role which has full access to the Admin Portal and Executive Insights App. This role is assigned to the default admin, but you can assign this role to other admins as necessary. For each additional role you create, you must define the role's access by specifying:

• Admin Rank
• Permissions
• Functional Scope

Admins who have permission to manage roles can only add, edit, or delete roles with lesser scope and lower rank. To learn more, see Adding Admin Roles and Adding SD-WAN Partner API Roles.

Configuring an admin is one of the tasks you must complete while configuring role-based administration. To learn more, see Configure Role-Based Administration.

The API role configured in the external OAuth 2.0 authentication server for a client application dictates the client application's permission and access to the different API categories in the Internet & SaaS API. You add the API role using the Admin Portal and then configure the external OAuth 2.0 authentication server to use that role. This enables the different APIs within the API categories of the Internet & SaaS API to be authenticated through the use of an OAuth 2.0 authentication server instead of the APIs passing an admin user, password, and an API key.

Adding an API role is one of the tasks you must complete before you can configure the external OAuth 2.0 authentication server. To learn more, see Securing Internet & SaaS APIs with OAuth 2.0.

About the Role Management Page

Certain options on the Role Management page are not available for ZIdentity-enabled tenants. To learn more, see ZIdentity Administration.

On the Role Management page (Administration > Admin Management > Role Based Access Control > Internet & SaaS), you can do the following:

1. Add an admin role.
2. Add an SD-WAN partner API role.
3. Add an API role.
4. Search for a configured admin role, SD-WAN partner API role, or API role.
5. View a list of all admin roles, SD-WAN partner API roles, and API roles configured for your organization. For roles, you can view the following information:
   • Name: The name of the role.
   • Admin Rank: The assigned admin rank for the admin roles. This is visible only if admin ranking is enabled in the Advanced Settings. Admin rank does not apply to SD-WAN partner API or API roles.
   • Full Access: The areas of the Admin Portal where admins with this role have full access or, for API roles, the areas in the Internet & SaaS API to which the client application has full access.
   • View Only Access: The areas of the Admin Portal where admins with this role have view-only access or, for API roles, the areas in the Internet & SaaS API to which the client application has view-only access.
   • User Names: This shows whether the user names are visible or obfuscated within the Zscaler service or APIs.
   • Device Information: This shows whether the device information (i.e., device hostname, device name, and device owner) is visible or obfuscated within the Admin Portal or APIs.
   • Functional Scope: The features in the Admin Portal that admins with this role can access, or, for API roles, the API categories in the Internet & SaaS API to which the client application has access.
   • Type: The type of role. The Admin role types are: Standard Admin, SD-WAN partner API, Executive App Admin, or Standard & Executive App Admin. The API role type is API Client.
6. Modify the table and its columns.
7. Edit the default Executive Insights App role.
8. View a configured admin role with greater scope and higher rank, or an SD-WAN partner API role.
9. Edit a configured admin role with lesser scope and lower rank, an SD-WAN partner API role, or an API role.