How do I add admin roles?


Configuring an administrator role is one of the tasks you must complete when configuring role-based administration. See How do I configure role-based administration? for the full list of tasks.

Prerequisites

When configuring (adding, editing, or deleting) roles:

  • You must have permission to do so, which is explained below.
  • You can only create, edit, or delete roles with equal or lower rank.
  • You must have organizational scope.

Adding Admin Roles

To configure admin roles:

  1. Go to Administration > Authentication > Role Management.
  2. Click Add Administrator Role, and do the following:

The one area not covered by Functional Scopes is:

  3. Click Save and activate the change.

Select an admin rank for the role if this feature is enabled in Advanced Settings.

Admin rank enables you to create a hierarchy among admins and ensure that policies and settings configured by admins with higher rank cannot be overridden by admins with lower rank.

For example, if the CISO, who has the highest rank, sets a rule for the organization blocking all access to pornography, no lower-ranked admin can create a pornography rule that overrides the one set by the CISO.

The admin rank ranges from 0 (high) to 7 (low). The highest rank, 0, belongs to the super admin. For each additional role you create, you can assign an admin rank between 1 (high) and 7 (low). 

NOTE: By default, the admin rank feature is disabled. To use this feature, you must enable admin rank in Administration > Settings > Advanced Settings.

The admin rank affects admins in the following areas.

Rule-based policies in the admin portal include:

  • URL & Cloud App Control
  • File Type Control
  • Bandwidth Control
  • Data Loss Prevention
  • Mobile App Control
  • Firewall Control
  • DNS Control

When creating rules for any of the above policies, admins must assign the rule an admin rank that is equal to or lower than their own rank. The rule’s admin rank in turn automatically determines the rule order, so that rules with a higher admin rank are always given precedence in the rule order. Rules with the same admin rank can be manually moved before or after another rule with the same rank.

Admins can edit a rule or change a rule’s place in the rule order only if the rule’s admin rank is equal to or lower than their own admin rank. 

Admins who have permission to manage roles can only create or edit roles with equal or lower rank.

Admins who have permission to manage other admin accounts can only create or edit accounts with equal or lower rank. 

Admins are also users that can be specified in the criteria for a particular rule (for example, an admin can be chosen as a user to whom a URL filtering rule applies). Thus, if admins add another admin as a user for a rule, they can only select admins that have equal or lower admin rank.
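The rank rules above can be modelled in a few lines. This is an added example, not code from the product or its API; the Rule class, the manual_pos field, and the sample rules are hypothetical and constructed for illustration. The point it makes explicit is that "equal or lower rank" means a numerically equal or larger value, because 0 is the highest rank.

```python
from dataclasses import dataclass

SUPER_ADMIN_RANK = 0   # highest rank, belongs to the super admin
LOWEST_RANK = 7        # lowest rank on the 0-7 scale


@dataclass
class Rule:               # hypothetical model of a policy rule
    name: str
    admin_rank: int
    manual_pos: int = 0   # position chosen by hand among same-rank rules


def is_equal_or_lower(target_rank: int, own_rank: int) -> bool:
    """'Equal or lower rank' means a numerically equal or LARGER value."""
    for r in (target_rank, own_rank):
        if not SUPER_ADMIN_RANK <= r <= LOWEST_RANK:
            raise ValueError(f"rank {r} is outside 0-7")
    return target_rank >= own_rank


def can_create_role(creator_rank: int, role_rank: int) -> bool:
    # Rank 0 belongs to the super admin; additional roles get 1-7.
    return role_rank >= 1 and is_equal_or_lower(role_rank, creator_rank)


def can_edit_rule(admin_rank: int, rule: Rule) -> bool:
    # Covers both editing a rule and moving it in the rule order.
    return is_equal_or_lower(rule.admin_rank, admin_rank)


def rule_order(rules: list[Rule]) -> list[str]:
    """Higher rank (smaller number) first; manual order only within a rank."""
    ordered = sorted(rules, key=lambda r: (r.admin_rank, r.manual_pos))
    return [r.name for r in ordered]


# Constructed sample: one rank-1 rule and two rank-3 rules.
RULES = [
    Rule("helpdesk-allow", 3, manual_pos=2),
    Rule("org-wide-block", 1),
    Rule("regional-block", 3, manual_pos=1),
]
```

A rank-3 admin can reorder the two rank-3 rules relative to each other, but cannot edit the rank-1 rule or place a rule ahead of it.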

Enter the number of days an admin with this role can view logs. 

Admins can view real-time logs of every transaction performed by your users regardless of where they are in the world. For example, see Viewing Web Logs. By specifying permissions in Logs Limit (Days), you can control the number of days admins are allowed to view logs. You can select a time frame from 30 days to Unrestricted. By default, admins can view logs for an unrestricted amount of time. If admins need only temporary access to the logs, for example to verify compliance, you can set a limit so that they can view logs only for the specified number of days. For example, if a logs limit of 30 days is chosen, then admins can only view logs for 30 days.

In Dashboards, admins can view predefined dashboards that enable real-time visibility into your organization’s Internet traffic in a range of areas. Admins can customize the dashboards as long as they have permission to do so.

Choose one of the following permissions:

  • Full: Allows admins to view, edit, and delete dashboards
  • View Only: Allows admins only to view all dashboards

In Analytics > Reporting, admins can access a wide range of standard reports and can also create custom reports. By specifying permissions in Reporting Access, you can control the access admins have to these features.

Choose one of the following permissions:

  • Full: Allows admins access to all features in Interactive Reports and Scheduled Reports. Note that admins must have full permission here to obtain detailed transaction logs from the View Logs feature in Insights. In addition, only admins with the super admin role can schedule executive reports and delete any custom reports; otherwise, admins can delete their own custom reports only.
  • View Only:
    • For Interactive Reports: Allows admins to view standard reports and custom reports created by other admins. 
    • For Scheduled Reports: Allows admins full access to features.
  • None: Does not allow admins access to Reporting and Insights. The Analytics page will not be visible in the admin portal. The Insights Access permission option below will disappear also.

In Analytics > Insights, admins can interactively mine logs for data on specific transactions. By specifying permissions in Insights Access, you can control the access admins have to this feature. Note that this permission category appears only if the role has been given Full or View Only permission to Reporting Access; otherwise, this category disappears.

Choose one of the following permissions:

  • View Only: Allows admins full access to Insights. However, the role must be given Full permission to Reporting Access to obtain detailed transaction logs in the View Logs feature in Insights. Admins cannot view these detailed transaction logs if they have View Only permission to Reporting Access.
  • None: Does not allow admins access to Insights. Insights is not visible in Analytics.

Admins can view or configure policies and settings in the Policy and Administration page. Note that if you give the role Full or View Only permission to Policy Access, you can specify which features admins can use or view by enabling specific Functional Scopes.

Choose one of the following permissions:

  • Full: Allows admins full access to features in the Policy and Administration pages. Note that if you do not give Full permission here, the Administrator Access option below will disappear.
  • View Only: Allows admins to view, but not edit, items in the Policy and Administration pages. The only exception is with items in Administration > Settings > Account Management. With View Only permission, admins can still make changes to My Profile and still use the Print All Policies feature. Note that if you do not give Full permission here, the Administrator Access option below will disappear.
  • None: Does not allow admins access to policies. The Policy page disappears, and most items under Administration disappear. The only exception is with items in Administration > Settings > Account Management. Admins can still view the Company Profile and make changes to My Profile.

In Administration > Authentication > Administration Controls, admins can add other admins, create audit logs, as well as back up and restore policies. Note that this permission category appears only if the role has been given Full permission to Policy Access; otherwise, this category does not appear.

Choose one of the following permissions:

  • Full: Allows admins to add, edit, and delete admin accounts that have admin ranks equal to or lower than their own account.
    • Administrator Management: Under Administrator Management > Administrators, only admins with organizational scope can add, edit, and delete admin accounts that have admin ranks equal to or lower than their own. Also, under Administrator Management > Auditors, only admins with organizational scope can view information, and if they want to make changes, they must have the super admin role.
    • Role Management: Admins can only add, edit, and delete roles that have equal or lesser scope, and admins can only add, edit, and delete roles with admin ranks equal to or lower than their own rank.
    • Audit Logs: Admins must have organizational scope to make changes.
    • Backup & Restore:  Admins with organizational scope can back up and restore policies, but admins with limited scope can only back up policies.
  • None: Does not allow access. Administration Controls is not visible in Administration > Authentication.

Choose whether real user names are visible to admins when they view dashboards, reports, or insights.

  • Visible: User names are visible.
  • Obfuscated: User names are obfuscated.

If an admin is assigned a role with user name obfuscation, but requires access to real user names, an auditor’s permission is required. See About Auditors.

Enable to allow admins access to:

  • Policy > Web > Access Control >
    • URL & Cloud App Control
    • File Type Control
    • Bandwidth Control
    • SSL Inspection
  • Policy > Mobile > Zscaler App Configuration > Zscaler App Portal

NOTE: The role must also have Traffic Forwarding enabled in Functional Scopes to access this feature.

  • Policy > Mobile > Access Control > Mobile App Store Control
  • Administration > Resources > Access Control >
    • URL Categories
    • Bandwidth Classes
    • Time Intervals
    • End User Notifications

Enable to allow admins access to Administration > Settings > Cloud Configuration > Advanced Settings.

NOTE: Access to the last three items in Advanced Settings (Services Forwarded to HTTP Web Proxy, Services Applicable to DNS Transactions Policies, and Services Forwarded to FTP Proxy) is not controlled by this functional scope. Access to these items is instead controlled by the Firewall & DNS functional scope below.

Enable to allow admins access to Administration > Authentication > Authentication Configuration >

  • Authentication Settings
  • User Management
  • Identity Proxy Settings

NOTE: You can specify with more granularity which of these three features the role can access.

Enable to allow admins access to:

  • Policy > Web > Data Loss Prevention >
    • Data Loss Prevention
  • Administration > Resources > Data Loss Prevention >
    • DLP Dictionaries & Engines
    • DLP Notification Templates

Enable to allow admins access to Administration > Settings > Cloud Configuration > Virtual ZENS.

Enable to allow admins access to:

  • Policy > Firewall > Access Control >
    • Firewall Control
    • DNS Control
    • FTP Control
  • Administration > Settings > Cloud Configuration > Advanced Settings >
    • Services Forwarded to HTTP Web Proxy
    • Services Applicable to DNS Transactions Policies
    • Services Forwarded to FTP Proxy
  • Administration > Resources > Firewall >
    • Network Services
    • Network Applications
    • IP Groups

Enable to allow admins access to Administration > Settings > Cloud Configuration > Nanolog Streaming Service.

Enable to allow admins access to:

  • Policy > Web > Security >
    • Malware Protection
    • Advanced Threat Protection
    • Sandbox
    • Browser Control
  • Policy > Mobile > Security > Mobile Malware Protection

Enable to allow admins access to Policy > Web > Access Control > SSL Inspection.

Enable to allow admins access to:

  • Administration > Resources > Traffic Forwarding >
    • Locations
    • VPN Credentials
    • Hosted PAC Files
    • eZ Agent Configuration
    • SecureAgent Notifications

NOTE: You can specify with more granularity which of these five features the role can access.

  • Policy > Mobile > Zscaler App Configuration > Zscaler App Portal

NOTE: The role must also have Access Control enabled in Functional Scopes to access this feature.

Items under Administration > Settings > Account Management include:

  • My Profile
  • Company Profile
  • Alerts
  • Print All Policies

Access to these items is controlled by the Policy Access permission above.

  • If an admin is given Full permission in Policy Access, the admin has full access to all features in Account Management.
  • If an admin’s permission is View Only in Policy Access, the admin can do the following:
    • Edit My Profile
    • View Company Profile
    • View Alerts
    • Use the Print All Policies feature
  • If an admin’s permission is None in Policy Access, the admin can still edit My Profile and view Company Profile.
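Several permissions on this page depend on each other, so a role's saved settings do not always match what its admins can actually do. The following added example, which is not code from the product, derives the effective access for a role from those dependencies when reviewing roles for least privilege. The dict layout and key names are hypothetical and are not a product export format.

```python
def effective_access(role: dict) -> dict:
    """Derive what a role can actually do from the dependencies on this page.

    `role` is a hypothetical dict with keys reporting, insights, policy,
    admin_access (permission names as on the page) and scopes (the set of
    enabled Functional Scopes).
    """
    reporting = role.get("reporting", "None")
    policy = role.get("policy", "None")
    scopes = set(role.get("scopes", ()))
    findings = []

    # Insights Access exists only when Reporting Access is Full or View Only.
    insights = role.get("insights", "None")
    if reporting == "None" and insights != "None":
        findings.append("insights ignored: Reporting Access is None")
        insights = "None"

    # Administrator Access exists only when Policy Access is Full.
    admin_access = role.get("admin_access", "None")
    if policy != "Full" and admin_access != "None":
        findings.append("admin_access ignored: Policy Access is not Full")
        admin_access = "None"

    # Functional Scopes apply only with Full or View Only Policy Access.
    if policy == "None" and scopes:
        findings.append("scopes ignored: Policy Access is None")
        scopes = set()

    # Account Management items follow Policy Access, not Functional Scopes.
    account_mgmt = {
        "Full": {"full access"},
        "View Only": {"edit My Profile", "view Company Profile",
                      "view Alerts", "Print All Policies"},
        "None": {"edit My Profile", "view Company Profile"},
    }[policy]

    return {
        "insights": insights,
        "admin_access": admin_access,
        # Detailed transaction logs need Insights plus Full Reporting Access.
        "detailed_logs": insights == "View Only" and reporting == "Full",
        # The Zscaler App Portal needs both scopes enabled.
        "app_portal": {"Access Control", "Traffic Forwarding"} <= scopes,
        "account_mgmt": account_mgmt,
        "findings": findings,
    }
```

A non-empty findings list marks a role whose definition asks for more than its Reporting Access or Policy Access level can deliver.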