What is admin scope?

With role-based administration, an admin's scope specifies which areas of the organization an admin can manage in the admin portal. The default admin has scope over the entire organization. For each additional admin you create, you must select one of the following scopes:

  • Organization
  • Departments
  • Locations

Note that you can assign scope over the entire organization, or scope over either locations or departments; a single admin's scope cannot combine locations and departments.

Effect of Scope on Admin

An admin’s scope affects the following areas.

Admins can only define rules and settings for their assigned locations or departments.

Admin with Scope over Location

For example, consider Admin A, assigned scope over two locations, Germany and France. When she creates a policy rule:

  • She is required to make a selection for the Locations criteria. Because of her scope, only Germany and France are available for selection.
  • She can choose any or all users, departments, and groups. The rule applies, however, only to users, department, or group members who are in Germany or France.

In the scenario depicted below, Admin A creates a rule and specifies Germany as a location. She then chooses any user, group, or department. The rule applies only to users inside the orange box.

Admin with Scope over Department

As another example, consider Admin B, assigned scope over two departments, HR and IT. When he creates a policy rule:

  • He is required to make a selection for the Departments criteria. Only the HR and IT departments are available for selection.
  • He is required to make a selection for the Users criteria. Only users from the HR and IT departments are available for selection.

(Note that if he selects a department in the Departments criteria, the rule applies to all users in that department, no matter which users he selects in the Users criteria. Thus, specifying users in the Users criteria is useful only if Admin B is selecting users from a department different from the one he selects in the Departments criteria; for example, if he selects the IT department in the Departments criteria and then selects users from HR in the Users criteria.)

  • He is required to select a group. The rule applies to all members of the specified group, regardless of their department. To limit the rule to just members of the department specified in the Departments criteria, Zscaler recommends that admins choose a group that contains just those department members. For example, if an admin wants to make sure a rule applies just to members of Finance, the admin must create a group with just the Finance department members and then select that group. Zscaler recommends that you avoid selecting “Any” for group.
  • He can select any (or all) locations. The rule applies only to specified users and department or group members in the selected locations.

In the scenario depicted below, Admin B creates a rule and specifies the following for each criterion:

  • Users: John Doe from IT
  • Departments: HR
  • Groups: HR-Group
  • Location: Germany, France, and Belgium

This rule applies only to users inside the orange box.

Admins can edit a rule or setting only if their scope is equal to or greater than the scope assigned to the rule or setting. Note that along with scope, admin rank also affects which rules or settings an admin can edit. For example, consider a URL filtering rule that has a location criterion of Germany and France. Only an admin with scope over both Germany and France can edit this rule. Admin A, who has scope only over Germany, would not be able to edit this rule.

If admins have permission to manage admins, their scope limits the scope that they can assign other admins. For example, if Admin A, who has scope over Germany, creates an admin, and she wants to assign a scope by location, only Germany is available as an option. However, if she wants to assign the admin a scope in the department category, she can choose any (or all) departments.
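The two scenarios above, the edit check, and the delegation check can be read as one small authorization model. The following is an added example, not Zscaler code: it models a directory and the scope rules as this page describes them, and everything it assumes is labelled in the comments (the constructed user directory and names, and the reading that users, departments and groups widen a rule while the location criterion narrows it, with an empty selection meaning "Any"). It also generalizes the delegation rule to department-scoped admins, which the page states only for the location case.

```python
# Added example: a model of the admin-scope rules described on this page.
# Not Zscaler code. Assumptions: the directory below is constructed; a rule
# applies to a user when ANY of its user/department/group selections matches
# (they widen the rule, as the Admin B scenario explains) AND the location
# selection matches (it narrows the rule); an empty selection means "Any".
from dataclasses import dataclass

ORG, LOCATIONS, DEPARTMENTS = "organization", "locations", "departments"

@dataclass(frozen=True)
class User:
    name: str
    department: str
    location: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Scope:
    kind: str                        # ORG, LOCATIONS or DEPARTMENTS
    values: frozenset = frozenset()  # the locations or departments; empty for ORG

@dataclass(frozen=True)
class Rule:
    users: frozenset = frozenset()        # empty set = "Any"
    departments: frozenset = frozenset()
    groups: frozenset = frozenset()
    locations: frozenset = frozenset()

# Constructed directory (hypothetical users): departments HR, IT, Finance.
DIRECTORY = [
    User("alice", "HR", "Germany", frozenset({"HR-Group"})),
    User("bob", "HR", "Spain", frozenset({"HR-Group"})),
    User("carol", "IT", "France"),
    User("john_doe", "IT", "Germany"),
    User("dave", "Finance", "Belgium", frozenset({"HR-Group"})),  # in HR-Group, not in HR
    User("erin", "Finance", "Germany"),
]

def create_rule(admin, users=(), departments=(), groups=(), locations=()):
    """Build a rule the way the portal lets an admin of the given scope build it.
    Selections outside the admin's scope, or missing required selections, raise."""
    users, departments = frozenset(users), frozenset(departments)
    groups, locations = frozenset(groups), frozenset(locations)
    if admin.kind == LOCATIONS:
        # Location criterion is mandatory and limited to the admin's locations.
        if not locations or not locations <= admin.values:
            raise ValueError("locations must be a non-empty subset of the admin's scope")
    elif admin.kind == DEPARTMENTS:
        # Departments, users and a group are mandatory; users come from scoped departments.
        if not departments or not departments <= admin.values:
            raise ValueError("departments must be a non-empty subset of the admin's scope")
        dept_of = {u.name: u.department for u in DIRECTORY}
        if not users or any(dept_of.get(u) not in admin.values for u in users):
            raise ValueError("users must be selected from the admin's departments")
        if not groups:
            raise ValueError("a group must be selected")
    return Rule(users, departments, groups, locations)

def affected_users(rule, directory=DIRECTORY):
    """Names of the users the rule applies to (the 'orange box' of the scenarios)."""
    def hit(selection, value):
        return not selection or value in selection      # empty selection = "Any"
    result = set()
    for u in directory:
        widened = (hit(rule.users, u.name) or hit(rule.departments, u.department)
                   or not rule.groups or bool(rule.groups & u.groups))
        if hit(rule.locations, u.location) and widened:
            result.add(u.name)
    return result

def can_edit(admin, rule):
    """Edit check: the admin's scope must cover everything the rule is scoped to.
    Assumption: "Any" in the admin's own category counts as organization-wide."""
    if admin.kind == ORG:
        return True
    scoped = rule.locations if admin.kind == LOCATIONS else rule.departments
    return bool(scoped) and scoped <= admin.values

def can_assign_scope(admin, new_scope):
    """Delegation check: an admin's scope limits only the same category when
    creating other admins (generalized from the Admin A example; assumption:
    a limited admin cannot grant organization-wide scope)."""
    if admin.kind == ORG:
        return True
    if new_scope.kind == ORG:
        return False
    if new_scope.kind == admin.kind:
        return new_scope.values <= admin.values
    return True   # the other category is unrestricted, as in the Admin A example

ADMIN_A = Scope(LOCATIONS, frozenset({"Germany", "France"}))
ADMIN_B = Scope(DEPARTMENTS, frozenset({"HR", "IT"}))

if __name__ == "__main__":
    rule_a = create_rule(ADMIN_A, locations={"Germany"})
    print("Admin A rule applies to:", sorted(affected_users(rule_a)))
    rule_b = create_rule(ADMIN_B, users={"john_doe"}, departments={"HR"},
                         groups={"HR-Group"}, locations={"Germany", "France", "Belgium"})
    print("Admin B rule applies to:", sorted(affected_users(rule_b)))
```

Running it shows why the page recommends a specific group rather than "Any": with `groups` empty, `affected_users` treats the group criterion as matching everyone, so a department-scoped rule would reach users of every department in the selected locations. The `can_edit` check likewise shows why a rule whose location criterion is "Any" can only be edited by an organization-scoped admin.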

Only admins who have scope over the entire organization can create or edit organization-wide policies, settings, and resources. For example, only admins with organizational scope can edit security policies or create custom URL categories.

The following table outlines how admin scope impacts the ability to access the Zscaler admin portal features.

Dashboard

Features:
  • Web Overview
  • Security
  • Web Browsing
  • Cloud Applications
  • Mobile Applications
  • Email Overview
  • DNS Overview
  • Firewall Overview
Admin Scope Impact: Admins can only view traffic information for areas over which they have scope.

Analytics

Reporting
  Features:
    • Interactive Reports
    • Scheduled Reports
  Admin Scope Impact: Admins can only access reports for areas over which they have scope.

Insights
  Features:
    • Web Insights
    • Mobile Insights
    • Email Insights
    • Firewall Insights
    • DNS Insights
  Admin Scope Impact: Admins can only access insights for areas over which they have scope.

Policy

Web > Security
  Features:
    • Malware Protection
    • Advanced Threat Protection
    • Sandbox
    • Browser Control
  Admin Scope Impact: Admins require organizational scope to edit policies.

Web > Access Control
  Features:
    • URL & Cloud App Control
    • File Type Control
    • Bandwidth Control
    • SSL Inspection
  Admin Scope Impact: Admins can only define rules for their assigned locations or departments.

Web > Data Loss Prevention
  Features:
    • Data Loss Prevention
  Admin Scope Impact: Admins can only define rules for their assigned locations or departments.

Mobile > Zscaler App Configuration
  Features:
    • Zscaler App Portal
  Admin Scope Impact: Currently, all admins can edit policies here.

Mobile > Security
  Features:
    • Mobile Malware Protection
  Admin Scope Impact: Admins require organizational scope to edit policies.

Mobile > Access Control
  Features:
    • Mobile App Store Control
  Admin Scope Impact: Admins can only define rules for their assigned locations or departments.

Firewall > Access Control
  Features:
    • Firewall Control
    • DNS Control
    • FTP Control
  Admin Scope Impact: Admins can only define rules for their assigned locations or departments.

Administration

Settings > Account Management
  Features:
    • My Profile
    • Company Profile
    • Alerts
    • Print All Policies
  Admin Scope Impact:
    • Scope does not impact My Profile and Print All Policies.
    • For Company Profile, admins require organizational scope to make changes.
    • For Alerts, if specifying users, departments, or locations, admins can only set alerts for users in their assigned departments or for their assigned locations. For example, if Admin A, who has scope over Germany, creates an alert, and she wants to have the alert apply by location, only Germany is available as an option. For Admin B, who has scope over the HR and IT departments, only HR and IT are available as options for department, and if specifying users, only users from those departments are available as options.

Settings > Cloud Configuration
  Features:
    • Nanolog Streaming Service
    • Advanced Settings
    • Virtual ZENs
    • ICAP Settings
  Admin Scope Impact: Admins require organizational scope to make changes.

Authentication > Authentication Configuration
  Features:
    • Authentication Settings
    • User Management
    • Identity Proxy Settings
  Admin Scope Impact:
    • For Authentication Settings, admins require organizational scope to make changes.
    • For User Management, if admins are assigned scope over specific departments, they can only manage users from those departments. If admins are assigned organizational scope or scope over locations, they can manage all users.

Authentication > Administration Controls
  Features:
    • Administrator Management
    • Role Management
    • Audit Logs
    • Backup & Restore
  Admin Scope Impact:
    • For Administrator Management, the admins’ scope limits the scope that they can assign other admins. To make changes to Auditors in Administrator Management, admins must have organizational scope.
    • For Role Management, admins require organizational scope to make changes.
    • For Audit Logs, admins require organizational scope to make changes.
    • For Backup & Restore, admins with limited scope may back up policies, but only admins with organizational scope can restore policies.

Resources > Traffic Forwarding
  Features:
    • Locations
    • VPN Credentials
    • Hosted PAC Files
    • eZ Agent Configuration
    • SecureAgent Notifications
  Admin Scope Impact:
    • For Locations:
      • Admins require organizational scope to add locations.
      • If the admin’s scope is limited by location, the admin can make changes only for those locations.
      • If the admin has scope over the organization or over departments, the admin can make changes to all locations.
    • For all other features, admins require organizational scope to make changes.

Resources > Access Control
  Features:
    • URL Categories
    • Bandwidth Classes
    • Time Intervals
    • End User Notifications
  Admin Scope Impact: Admins require organizational scope to make changes.

Resources > Firewall
  Features:
    • Network Services
    • Network Applications
    • IP Groups
  Admin Scope Impact:
    • For Network Services, admins with organizational scope can add and edit Services and Service Groups, while admins with limited scope can add Services and Service Groups, but not edit them.
    • For Network Applications, admins with organizational scope can add and edit Application Groups, while admins with limited scope can add Application Groups, but not edit them.
    • For IP Groups, admins with organizational scope can add and edit Source and Destination IP Groups, while admins with limited scope can add Source and Destination IP Groups, but not edit them.

Resources > Data Loss Prevention
  Features:
    • DLP Dictionaries & Engines
    • DLP Notification Templates
  Admin Scope Impact: Admins require organizational scope to make changes.

Benefit of Role and Scope

The process of creating an admin by assigning a role and scope ensures that rules and settings configured by that admin are not impacted even if the admin account is modified or deleted at some point in the future. This is because a rule or setting is associated with an admin’s role (the role’s admin rank, to be specific) and scope rather than with a particular admin. Furthermore, if an admin account is deleted, you do not lose the distinct permissions and functional scopes associated with that admin. You can simply reassign the same role and scope to another admin.

For example, your organization’s CISO may have an admin account with access to all security-related policies and scope over the organization. If that CISO leaves the organization and his account is deleted, the policy rules he created would not be affected and would remain in place. Further, you can easily assign the next CISO the same role and scope as the previous CISO, without redefining permissions and functional scopes from scratch.