Secure Internet and SaaS Access (ZIA)
About Administrators
Watch a video about Administrators, including how to add new administrators
Zscaler’s role-based administration enables you to control what different admins can do in the ZIA Admin Portal. You can delegate responsibilities among admins and granularly control their level of access to the ZIA Admin Portal to ensure they do not create conflicting policies and settings. To learn more about other use cases for role-based administration, see Role-Based Administration Configuration Examples.
To facilitate role-based administration, each admin account comprises a role and scope:
- Using an admin role or SD-WAN partner API role, you can specify which features admins can access in the ZIA Admin Portal.
- Using an admin scope, you can specify which areas of the organization (for example, which departments or which locations) admins can configure policies or settings in the ZIA Admin Portal.
Role-based administration provides the following benefits and enables you to:
- Configure security policies in the ZIA Admin Portal, with help from the CISO (specified through role).
- Configure security policies for the entire organization (specified through scope).
- Configure access policies relevant to productivity and compliance (specified through role), only for a specific location or department (specified through scope).
Zscaler provides a default admin account, full access to the ZIA Admin Portal and scope. As a default admin, you can:
- Enable or disable the default admin account status, but you cannot delete the account.
- Add as many additional admins as necessary to meet the specific needs of your organization (only with role-based administration).
- Edit and delete admins as necessary at any time.
Also, depending on their admin role and scope, configured admins can add, edit, or delete admin accounts with a lower rank.
Zscaler recommends you log in with the new default admin account (DEFAULT ADMIN) and delete the deprecated default admin (DEFAULT ADMIN (Deprecated)). See image.
The new default admin login ID uses the following format:
admin@<Organization ID>.<Zscaler Cloud>.net
As a best practice, the new default admin can't be used to log in to the Zscaler service and browse the internet. Also, password reset is only supported for the new default admin.
Configuring an admin is one of the tasks you must complete when configuring role-based administration. To learn more, see Configuring Role-based Administration.
About the Administrators Page
On the Administrators page, you can only edit an existing admin's scope if you are subscribed to ZIdentity. The admins are configured in the ZIdentity Admin Portal. To learn more, see What Is ZIdentity?
On the Administrators page (Administration > Administrator Management), you can do the following:
- Add an admin.
- Add an SD-WAN partner API client.
- Add an Executive Insights App admin.
- Search for a configured admin.
- View a list of all admins configured for your organization. For each admin, you can see the following details:
- Login ID: The ZIA Admin Portal login ID for the admin.
- Name: The name of the admin.
- Role: The admin's level of access to the ZIA Admin Portal.
- Status: The status of the admin.
- Scope: The areas of the organization the admin can manage in the ZIA Admin Portal.
- Login Type: Lists if SAML single sign-on (SSO) login, direct password access login, or both are enabled for the admin.
- Comments: Displays any comments regarding the admin, if available.
- Password Expired: Displays whether the admin's password has expired if password expiration is enabled for admins.
- Type: Displays whether the admin's type of role is a Standard Admin, SD-Wan partner API, Executive App Admin, or Standard & Executive App Admin.
- Modify the table and its columns.
- Edit a default admin or a configured admin.
- Go to the Auditors page.
- Go to the Administrator Management page.
