Secure Internet and SaaS Access (ZIA)

Role-Based Administration Configuration Examples

With role-based administration, organizations can easily add admins and assign them specific roles, with differing levels of access to the ZIA Admin Portal.

The following examples illustrate how an organization can leverage role-based administration for a variety of scenarios:

  • For this example, your organization has an office located in the US and another office located in the UK. You require admins with the following conditions:

    • For each office, you need an admin from HR to manage access control policies like URL filtering and bandwidth usage.
    • Both admins are responsible for providing reports and analyses on employee web usage to measure productivity and ensure compliance.
    • They are ranked lower than the VP of HR, who has an admin account with an admin rank of 2, to ensure that the VP has the final say on access control policies.
    • They have access to logs for an unrestricted period of time.
    • They have full access to dashboard, reporting, and policy and view-only access to Insights.
    • They don't have access to Administrators Access and can't see real user names and device information (i.e., device name, device hostname, and device owner) in logs.
    • They can't view or make changes to any other policy beyond Access Control.
    • They do not need to receive Zscaler security, product, or service updates.
    • They can log in to the ZIA Admin Portal directly from the organization's SSO provider portal (Password-based login isn't required).

    To configure an admin with the above specifications:

      1. Go to Administration > Role Management.
      2. Click Add Administrator Role.
      3. In the Add Administrator Role window, add a new HR admin role with the following settings:
        • Name: Enter a name for the admin role
        • Enable Permissions for Executive Insights: Disable
        • Logs Limit (Days): Unrestricted
        • Dashboard Access: Full
        • Reporting Access: Full
        • Insights Access: View Only
        • Policy Access: Full
        • Administrators Access: None
        • User Names: Obfuscated
        • Device Information: Obfuscated
        • Advanced Settings: Disable
        • Data Loss Prevention: Disable
        • Security: Disable
        • SSL Policy: Disable
        • Virtual Service Edge Configuration (formerly Virtual ZEN or VZEN Configuration): Disable
        • Firewall, DNAT, DNS, & IPS: Disable
        • NSS Configuration: Disable
        • Partner Integration: Disable
        • Remote Assistance Management: Disable
        • Access Control (Web & Mobile): Enable
        • Traffic Forwarding: Disable
        • Authentication Configuration: Disable

      This role can then be assigned to both admins since they are performing the same tasks in the ZIA Admin Portal.

      1. Go to Administration > Administrator Management.
      2. Click Add Administrator.
      3. In the Add Administrator window, add a US admin account with the following settings:
        • Login ID: Enter a login ID for the admin
        • Email: Enter an email address for the admin
        • Name: Enter a name for the admin
        • Role: Choose the role you added in Step 1: Add the Admin Role
        • Scope: Choose Location. The following option will appear:
          • Locations: Select your US office location. In this example, it's called USA Office
        • Security Updates: Disable
        • Service Updates: Disable
        • Product Updates: Disable
        • Password Based Login: Disable
        • Executive Insights App Access: Disable
        • Comments: Enter any additional notes or information

      1. On the Administrators page, click Add Administrator.
      2. In the Add Administrator window, add a UK admin account with the following settings:
        • Login ID: Enter a login ID for the admin
        • Email: Enter an email address for the admin
        • Name: Enter a name for the admin
        • Role: Choose the role you added in Step 1: Add the Admin Role
        • Scope: Choose Location. The following option will appear:
          • Locations: Select your UK office location. In this example, it's called UK Office
        • Security Updates: Disable
        • Service Updates: Disable
        • Product Updates: Disable
        • Password Based Login: Disable
        • Executive Insights App Access: Disable
        • Comments: Enter any additional notes or information

  • Your organization requires admins with responsibility over security policy for the organization. However, you require two types of admin accounts (e.g., CISO and Security Response Manager) with the following conditions:

    • A CISO admin account that has:
      • A higher admin rank than the Security Response Manager, but a lower rank than the CEO, who has an admin account with a rank of 1.
      • Access to logs for an unrestricted period of time.
      • Full access to dashboards, reporting, policies, and view-only access to insights.
      • No access to Administrators Access
      • Ability to view user names and device information (i.e., device name, device hostname, and device owner).
      • Ability to configure security policy for the organization.
      • Access to Zscaler security, product, and service updates.
      • Ability to log in to the ZIA Admin Portal directly from the organization's SSO provider portal (Password-based login isn't required.)
    • A Security Response Manager admin account that has:
      • A lower admin rank than the CISO.
      • Access to logs for 30 days.
      • Full access to dashboards and reporting.
      • View-only access to insights and policies.
      • No access to Administrators Access
      • Ability to view user names and device information (i.e., device name, device hostname, and device owner).
      • Ability to view security policies but not configure them.
      • Access to Zscaler security, product, and service updates.
      • Ability to log in to the ZIA Admin Portal directly from the organization's SSO provider portal (Password-based login isn't required.)

    To configure an admin with the above specifications:

      1. Go to Administration > Role Management.
      2. Click Add Administrator Role.
      3. In the Add Administrator Role window, add a new CISO admin role with the following settings:
        • Name: Enter a name for the admin role
        • Enable Permissions for Executive Insights: Disable
        • Logs Limit (Days): Unrestricted
        • Dashboard Access: Full
        • Reporting Access: Full
        • Insights Access: View Only
        • Policy Access: Full
        • Administrators Access: None
        • User Names: Visible
        • Device Information: Visible
        • Advanced Settings: Disable
        • Data Loss Prevention: Disable
        • Security: Enable
        • SSL Policy: Disable
        • Virtual Service Edge Configuration: Disable
        • Firewall, DNAT, DNS, & IPS: Disable
        • NSS Configuration: Disable
        • Partner Integration: Disable
        • Remote Assistance Management: Disable
        • Access Control (Web & Mobile): Disable
        • Traffic Forwarding: Disable
        • Authentication Configuration: Disable

      1. On the Role Management page, click Add Administrator Role.
      2. In the Add Administrator Role window, add a new Security Response Manager admin role with the following settings:
        • Name: Enter a name for the admin role
        • Enable Permissions for Executive Insights: Disable
        • Logs Limit (Days): 30
        • Dashboard Access: Full
        • Reporting Access: Full
        • Insights Access: View Only
        • Policy Access: View Only
        • Administrators Access: None
        • User Names: Visible
        • Device Information: Visible
        • Advanced Settings: Disable
        • Data Loss Prevention: Disable
        • Security: Enable
        • SSL Policy: Disable
        • Virtual Service Edge Configuration: Disable
        • Firewall, DNAT, DNS, & IPS: Disable
        • NSS Configuration: Disable
        • Partner Integration: Disable
        • Remote Assistance Management: Disable
        • Access Control (Web & Mobile): Disable
        • Traffic Forwarding: Disable
        • Authentication Configuration: Disable

      1. Go to Administration > Administrator Management.
      2. Click Add Administrator.
      3. In the Add Administrator window, add a CISO admin account with the following settings:
        • Login ID: Enter a login ID for the admin
        • Email: Enter an email address for the admin
        • Name: Enter a name for the admin
        • Role: Choose the role you added in Step 1: Add the CISO Admin Role.
        • Scope: Choose Organization.
        • Security Updates: Enable
        • Service Updates: Enable
        • Product Updates: Enable
        • Password Based Login: Disable
        • Executive Insights App Access: Disable
        • Comments: Enter any additional notes or information

      1. On the Administrators page, click Add Administrator.
      2. In the Add Administrator window, add a Security Response Manager admin account with the following settings:
        • Login ID: Enter a login ID for the admin
        • Email: Enter an email address for the admin
        • Name: Enter a name for the admin
        • Role: Choose the role you added in Step 2: Add the Security Response Manager Admin Role
        • Scope: Choose Organization
        • Security Updates: Enable
        • Service Updates: Enable
        • Product Updates: Enable
        • Password Based Login: Disable
        • Executive Insights App Access: Disable
        • Comments: Enter any additional notes or information

  • Your organization requires admins with read-only access to the Zscaler Client Connector Portal. You require admins with the following conditions:

    • Admins have the ability to view the dashboard.
    • They have access to logs for an unrestricted period of time.
    • They have the ability to view select policies.
    • They don't have Reporting Access.
    • They don't have Administrators Access and can't see user names and device information (i.e., device name, device hostname, and device owner) in logs.
    • They do not need to receive Zscaler security, product, or service updates.

    To configure an admin with the above specifications:

      1. Go to Administration > Role Management.
      2. Click Add Administrator Role.
      3. In the Add Administrator Role window, add a new read-only admin role with the following settings:
        • Name: Enter a name for the admin role
        • Enable Permissions for Executive Insights: Disable
        • Logs Limit (Days): Unrestricted
        • Dashboard Access: View Only
        • Reporting Access: None
        • Policy Access: View Only
        • Administrators Access: None
        • User Names: Obfuscated
        • Device Information: Obfuscated
        • Advanced Settings: Disable
        • Data Loss Prevention: Disable
        • Security: Disable
        • SSL Policy: Disable
        • Virtual Service Edge Configuration: Disable
        • Firewall, DNAT, DNS, & IPS: Disable
        • NSS Configuration: Disable
        • Partner Integration: Disable
        • Remote Assistance Management: Disable
        • Access Control (Web & Mobile): Enable, and select Policy and Resource Management
        • Traffic Forwarding: Enable, and select Locations
        • Authentication Configuration: Disable

      1. Go to Administration > Administrator Management.
      2. Click Add Administrator.
      3. In the Add Administrator window, add an admin account with the following settings:
        • Login ID: Enter a login ID for the admin
        • Email: Enter an email address for the admin
        • Name: Enter a name for the admin
        • Role: Choose the role you added in Step 1: Add the Admin Role
        • Scope: Organization
        • Security Updates: Disable
        • Service Updates: Disable
        • Product Updates: Disable
        • Password Based Login: Disable
        • Executive Insights App Access: Disable
        • Comments: Enter any additional notes or information


Even if your admin role permission is set to Full or View Only for Dashboard Access, Reporting Access, and Insights Access, you can view those features only if the corresponding Functional Scope is enabled.
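A drift check for the second scenario, as an added example that is not Zscaler's code: it encodes the CISO and Security Response Manager role settings listed above and flags every setting in a reviewed role that grants more or less than the baseline. The dictionary format, the function names, and the `drifted` sample are assumptions made for illustration; keys and values are the UI labels from this page, not a ZIA export or API schema.

```python
# Added example: audit a role against the least-privilege baselines described above.
# Assumption: roles are plain dicts keyed by the UI labels on this page.
SCALES = ({"None": 0, "View Only": 1, "Full": 2},
          {"Obfuscated": 0, "Visible": 1},
          {"Disable": 0, "Enable": 1})
SCOPES = ["Advanced Settings", "Data Loss Prevention", "Security", "SSL Policy",
          "Virtual Service Edge Configuration", "Firewall, DNAT, DNS, & IPS",
          "NSS Configuration", "Partner Integration", "Remote Assistance Management",
          "Access Control (Web & Mobile)", "Traffic Forwarding",
          "Authentication Configuration"]

def privilege(value):
    """Map a setting value to a comparable weight; a higher weight grants more."""
    if value == "Unrestricted":
        return float("inf")
    for scale in SCALES:
        if value in scale:
            return scale[value]
    return int(value)  # Logs Limit (Days) given as a number of days

def baseline(logs, policy, enabled_scopes):
    """Build the settings shared by the CISO and Security Response Manager roles."""
    role = {"Enable Permissions for Executive Insights": "Disable",
            "Logs Limit (Days)": logs, "Dashboard Access": "Full",
            "Reporting Access": "Full", "Insights Access": "View Only",
            "Policy Access": policy, "Administrators Access": "None",
            "User Names": "Visible", "Device Information": "Visible"}
    role.update({s: "Enable" if s in enabled_scopes else "Disable" for s in SCOPES})
    return role

CISO = baseline("Unrestricted", "Full", {"Security"})
SRM = baseline("30", "View Only", {"Security"})

def audit(actual, expected):
    """Return (setting, expected, actual, kind) for each deviation from the baseline."""
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None:
            findings.append((key, want, got, "missing"))
        elif privilege(got) != privilege(want):
            over = privilege(got) > privilege(want)
            findings.append((key, want, got, "over-privileged" if over else "under-privileged"))
    extra = sorted(actual.keys() - expected.keys())
    return findings + [(k, None, actual[k], "unexpected") for k in extra]

# Constructed sample: a Security Response Manager role that drifted from its baseline.
drifted = dict(SRM, **{"Policy Access": "Full", "Logs Limit (Days)": "Unrestricted",
                       "Administrators Access": "View Only", "Dashboard Access": "View Only"})
if __name__ == "__main__":
    print(*audit(drifted, SRM), sep="\n")
```

Running the audit on a schedule against each role's recorded settings surfaces permission creep, such as a Security Response Manager role that quietly gained Full policy access.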
