Experience Center
Adding ZIdentity Admin Roles
This article describes how to assign roles and permissions to admins who manage the Admin Portal. These admins can manage users and entitlements on the assigned Zscaler services.
Prerequisites
You must first add users and user groups before you can assign admin roles to them.
To assign admin roles:
- Go to Administration > Admin Management > Role Based Access Control > Unified User Interface.
- Click Add Role.
In the Add Role window:
- Name: Enter a name for the admin role.
- Description (optional): Enter a description for the role.
- Select one of the following access levels for each of the modules in the Admin Portal:
- Full: Allows admins full access to the module.
- View Only: Allows admins to only view the details.
- Restricted View: Allows admins to view specific details in the module.
- None: Admins don't have access to the module.
- You can set the access levels for the following modules in the Admin Portal.
- Admin Sign-On Policy
Set the access level to Administration > Admin Management > Administrator Management > Sign-On Policies.
Condition: The role must also have Full or View Only access to IP Locations to manage or view Sign-On Policy.
- Authentication Methods
Set the access level to Administration > Identity > ZIdentity > Password Complexity and Administration > Identity > ZIdentity > Authentication Methods.
- Users & Groups
- Administration > Identity > ZIdentity > Users
- Administration > Identity > ZIdentity > User Groups
- Administration > Identity > ZIdentity > Attributes
Condition: This permission doesn't allow access to Administration > Identity > ZIdentity > Users > Edit User > Security Settings. The role must have Full or View Only access to User Credentials to manage or view the Security Settings of users.
- User Credentials
- External Identities
Set the access level to Administration > Identity > ZIdentity > External Identities.
Condition: The Restricted View access level allows View Only access to External Identities but doesn't allow the role to view or access the Bearer Token field (Administration > Identity > ZIdentity > External Identities > Edit Primary or Secondary Identity Provider > Provisioning).
- Trusted IP Locations & Groups
Set the access level to Infrastructure > Locations > Trusted IP Locations and Infrastructure > Locations > Trusted IP Location Groups.
- Linked Services
Set the access level to Administration > System > Linked Services.
- Authentication Session
Set the access level to Administration > Identity > ZIdentity > Authentication Session.
- Administrative Entitlements
Set the access level to Administration > Entitlements > Administrative.
Conditions:
- The admins that are assigned this role can access the configuration on the Administrative Entitlements: Administrative page only for the services to which they are assigned as service admins, where their role includes the following permission set to Full:
For example, you assign a ZIdentity user as a service admin for the Internet & SaaS and Private Applications services, with roles that grant Full administrative control for the Internet & SaaS service and Read Only administrative control for the Private Applications service. When you then assign this service admin as a ZIdentity admin, the admin sees only the Internet & SaaS service listed on the Administrative Entitlements page, not the Private Applications service, because the admin doesn't have Full access to the administrative controls of the Private Applications service.
- Admins with Full access to users and groups can do the following on the Administrative Entitlements page:
- View the users and user groups details.
- View all users and user group assignments.
- Assign users and user groups.
- Remove users and user group assignments.
- Admins with View Only access to users and groups can do the following on the Administrative Entitlements page:
- View all users and user group assignments.
- Admins with Restricted Full access can:
- Access, view, and search administrative entitlements.
- View users and user groups of individual tenants if they have “Users and Groups - Full” or “Users and Groups - View” permission.
- View all users and user group assignments.
- Assign users, remove user assignments, assign user groups, and remove user group assignments if they have permission on individual tenants to manage administrators.
- Service Entitlements
Set the access level to Administration > Entitlements > Service.
Conditions:
- Admins with Full access to users and groups can do the following on the Service Entitlements page:
- View users and user groups and assignments.
- Assign users and user groups.
- Remove users and user group assignments.
- Admins with View Only access to users and groups can do the following on the Service Entitlements page:
- View the subscribed services.
- View all users and user group assignments.
- Audit Logs
Set the access level to Administration > System > Audit Logs.
- Roles
Set the access level to Administration > Entitlements > ZIdentity Roles.
Condition: To edit or delete admin roles that are currently assigned to admins, you must have Full access to Administrative Entitlements and Full or View Only access to Users & Groups.
When configuring a ZIdentity role, an admin can only set each permission level equal to or lower than the level in their own role. For example, if a role grants Full access to Roles and View Only access to IP Locations, an admin assigned to that role can only add new roles with IP Locations set to View Only or None, not Full. This ensures that admins with a lower scope and permission can't configure an admin with a higher scope and permission.
- Guest Domains
Set the access level to Full, View Only, or None.
- Branding
Set the access level to Administration > Account Management > Branding.
- API Clients & Resources
Set the access level to Administration > API Configuration > OneAPI > API Clients and Administration > API Configuration > OneAPI > API Resources.
- Executive Insights
Set the access level to Administration > Executive Insights.
The Executive Insights role is assigned to the leadership team (chief executive officer (CEO), chief operating officer (COO), chief financial officer (CFO), etc.) in your organization, allowing them to access the Executive Insights app.
- Click Save.
The role is successfully added and displayed on the Roles page.
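The role-scope rule for the Roles module (a new role may not grant any module more access than the configuring admin's own role) and the IP Locations condition for Admin Sign-On Policy can be modelled as a small validator. The code below is an added example, not Zscaler's own code; it assumes the ordering None < Restricted View < View Only < Full and uses the module heading "Trusted IP Locations & Groups" for what the conditions call IP Locations.

```python
"""Constructed model of two rules from this article (not Zscaler code):
1. Role-scope rule: a role created by an admin may not grant any module
   more access than the creating admin's own role grants.
2. Sign-On Policy condition: Admin Sign-On Policy access is only usable
   when Trusted IP Locations & Groups is at View Only or Full.
Assumed level ordering: None < Restricted View < View Only < Full."""
from typing import Dict, List

Role = Dict[str, str]  # module name -> access level

LEVELS = ["None", "Restricted View", "View Only", "Full"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def level(role: Role, module: str) -> int:
    """Rank of a module's access level; modules not listed count as None."""
    return RANK[role.get(module, "None")]


def scope_violations(admin_role: Role, new_role: Role) -> List[str]:
    """Modules where new_role would exceed what admin_role holds (rule 1)."""
    return [
        f"{module}: {lvl} exceeds the configuring admin's "
        f"{admin_role.get(module, 'None')}"
        for module, lvl in new_role.items()
        if RANK[lvl] > level(admin_role, module)
    ]


def condition_warnings(role: Role) -> List[str]:
    """Cross-module condition stated for Admin Sign-On Policy (rule 2)."""
    warnings = []
    if level(role, "Admin Sign-On Policy") > RANK["None"] \
            and level(role, "Trusted IP Locations & Groups") < RANK["View Only"]:
        warnings.append("Admin Sign-On Policy needs Trusted IP Locations & Groups "
                        "at View Only or Full")
    return warnings


def check_new_role(admin_role: Role, new_role: Role) -> List[str]:
    """Every problem with new_role as configured by admin_role; empty means OK."""
    return scope_violations(admin_role, new_role) + condition_warnings(new_role)


# The article's own example: the admin holds Roles Full and IP Locations View Only.
ADMIN = {"Roles": "Full", "Trusted IP Locations & Groups": "View Only"}

if __name__ == "__main__":
    print(check_new_role(ADMIN, {"Trusted IP Locations & Groups": "Full"}))
    print(check_new_role(ADMIN, {"Trusted IP Locations & Groups": "View Only"}))
```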