
Adding ZIdentity Admin Roles

This article describes how to assign roles and permissions to admins who manage the ZIdentity Admin Portal. These admins can manage users and entitlements on the assigned Zscaler services.

Prerequisites

Add users and user groups first, then assign admin roles to them.

Assigning Admin Roles

To assign admin roles:

  1. Go to Administration > Entitlements > ZIdentity Roles.
  2. Click Add Role.
  3. In the Add Role window:

    • Name: Enter a name for the admin role.
    • Description (optional): Enter a description for the role.
    • Select one of the following access levels for each of the modules in the ZIdentity Admin Portal:
      • Full: Allows admins full access to the module.
      • View Only: Allows admins to only view the details.
      • Restricted View: Allows admins to view specific details in the module.
      • None: Admins don't have access to the module.
    • You can set the access levels for the following modules in the ZIdentity Admin Portal:
      • Set the access level to Policy > Admin Sign-On.

        Condition: The role must also have Full or View Only access to IP Locations to manage or view Sign-On Policy.

      • Set the access level to Policy > Password and Administration > Authentication > Authentication Methods.
      • Set the access level to Directory > Users, Directory > User Groups, and Directory > Attributes.

        Condition: This permission doesn't grant access to Directory > Users > Edit User > Security Settings. The role must have Full or View Only access to User Credentials to manage or view the Security Settings of users.
      • Set the access level to Directory > Users > Edit User > Security Settings.

        Condition: The role must have Full or View Only access to Users and Groups to manage or view the Security Settings of users.

      • Set the access level to Integration > External Identities.

        Condition: Restricted View access allows view-only access to External Identities but doesn't allow the role to view or access the Bearer Token field (Integration > External Identities > Edit Primary or Secondary Identity Provider > Provisioning).
      • Set the access level to Administration > Environment > IP Locations and Administration > Environment > IP Location Groups.

      • Set the access level to Administration > System > Linked Services.

      • Set the access level to Administration > Authentication > Authentication Session.
      • Set the access level to Administration > Entitlements > Administrative.

        Conditions:

        The Administrative Entitlements page lists only the services for which the admin has full administrative control. For example, suppose you assign a ZIdentity user as service admin for the ZIA and ZPA services, with roles that grant full administrative control in the ZIA Admin Portal and Read Only administrative control in the ZPA Admin Portal. When you make that service admin an admin of the ZIdentity Admin Portal, they see only the ZIA service on the About Administrative Entitlements page, not the ZPA service, because they don't have full access to administrative controls in the ZPA Admin Portal.

        • Admins with Full access to users and groups can do the following on the Administrative Entitlements page:
          • View the users and user groups details.
          • View all users and user group assignments.
          • Assign users and user groups.
          • Remove users and user group assignments.
        • Admins with View Only access to users and groups can do the following on the Administrative Entitlements page:
          • View all users and user group assignments.
        • Admins with Restricted Full access can:
          • Access, view, and search administrative entitlements.
          • View users and user groups of individual tenants if they have “Users and Groups - Full” or “Users and Groups - View” permission.
          • View all users and user group assignments.
          • Assign users, remove user assignments, assign user groups, and remove user group assignments if they have permission on individual tenants to manage administrators.
      • Set the access level to Administration > Entitlements > Service.

        Conditions:

        • Admins with Full access to users and groups can do the following on the Service Entitlements page:
          • View users and user groups and assignments.
          • Assign users and user groups.
          • Remove users and user group assignments.
        • Admins with View Only access to users and groups can do the following on the Service Entitlements page:
          • View the subscribed services.
          • View all users and user group assignments.
      • Set the access level to Administration > System > Audit Logs.

        Close
      • Set the access level to Administration > Entitlements > ZIdentity Roles.

        Condition: To edit or delete admin roles that are currently assigned to admins, you must have Full access to Administrative Entitlements and Full or View Only access to Users and Groups.

        When configuring a ZIdentity role, an admin can only set each module's permission level equal to or lower than the level in their own role. For example, if an admin's role has Full access to Roles and View Only access to IP Locations, that admin can create new roles with IP Locations set to View Only or None, but not Full. This ensures that admins with a narrower scope and fewer permissions can't configure an admin with a broader scope and more permissions than their own.
      • Set the access level to Full, View Only, or None.

      • Set the access level to Full or None.

      • Set the access level to Administration > Environment > Branding.

      • Set the access level to Integration > API Clients and Integration > API Resources.

      • Set the access level to Administration > Executive Insights.

        The Executive Insights role is assigned to the leadership team in your organization (for example, the chief executive officer (CEO), chief operating officer (COO), and chief financial officer (CFO)), allowing them to access the Executive Insights app.

  4. Click Save.

    The new role is saved and appears on the ZIdentity Roles page.
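
The scope ceiling and the cross-module conditions above are the parts of this procedure that are easy to get wrong when roles are created in bulk, so it helps to see them written down as checks. The Python model below is an added example for this article, not Zscaler code and not a Zscaler API; the short module keys, the function names, and the decision to rank Restricted View below View Only are this example's own assumptions. It rejects a requested role if any module exceeds the creating admin's own level, flags the documented dependencies (Admin Sign-On needs Full or View Only on IP Locations; User Credentials needs Full or View Only on Users and Groups), and encodes the rule that editing an already-assigned role needs Full Administrative Entitlements plus Full or View Only Users and Groups.

```python
"""Added example: a model of the ZIdentity role-scope ceiling and the
cross-module conditions described in this article. Not Zscaler code; the
module keys, function names and the rank of Restricted View are assumptions."""
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Access levels from the article, ordered so that `<` means less access.
    Ranking Restricted View below View Only is an assumption based on the
    article's wording ('view specific details' vs. 'view the details')."""
    NONE = 0
    RESTRICTED_VIEW = 1
    VIEW_ONLY = 2
    FULL = 3


# A role maps a module key to a Level; modules not listed count as NONE.
Role = Dict[str, Level]

# Shorthand keys (this example's own) for the portal modules in the article.
MODULES = [
    "admin_sign_on", "password", "users_and_groups", "user_credentials",
    "external_identities", "ip_locations", "linked_services",
    "administrative_entitlements", "service_entitlements", "audit_logs",
    "roles", "branding", "api_clients", "executive_insights",
]


def level(role: Role, module: str) -> Level:
    """Effective level for a module; unset modules are NONE."""
    return role.get(module, Level.NONE)


def scope_violations(creator: Role, requested: Role) -> List[str]:
    """Modules where the requested role exceeds the creator's own level.
    The article: an admin may only set a permission equal to or lower than
    their own, so a View Only admin cannot hand out Full."""
    return [m for m in MODULES if level(requested, m) > level(creator, m)]


def dependency_violations(role: Role) -> List[str]:
    """Cross-module conditions from the article: any access to the dependent
    module needs at least View Only on the module it depends on."""
    rules = [
        ("admin_sign_on", "ip_locations"),         # Sign-On Policy needs IP Locations
        ("user_credentials", "users_and_groups"),  # Security Settings needs Users and Groups
    ]
    return [
        f"{dep} requires Full or View Only on {needed}"
        for dep, needed in rules
        if level(role, dep) > Level.NONE and level(role, needed) < Level.VIEW_ONLY
    ]


def can_edit_assigned_role(editor: Role) -> bool:
    """Editing or deleting a role already assigned to admins requires Full
    Administrative Entitlements and Full or View Only Users and Groups."""
    return (level(editor, "administrative_entitlements") == Level.FULL
            and level(editor, "users_and_groups") >= Level.VIEW_ONLY)


def validate_new_role(creator: Role, requested: Role) -> List[str]:
    """Every reason the portal would refuse `requested` when `creator` adds it."""
    return ([f"exceeds creator scope on {m}"
             for m in scope_violations(creator, requested)]
            + dependency_violations(requested))


if __name__ == "__main__":
    # The article's example: Full on Roles, View Only on IP Locations.
    creator = {"roles": Level.FULL, "ip_locations": Level.VIEW_ONLY,
               "admin_sign_on": Level.FULL}
    print(validate_new_role(creator, {"ip_locations": Level.FULL}))
    print(validate_new_role(creator, {"ip_locations": Level.VIEW_ONLY}))
    print(validate_new_role(creator, {"admin_sign_on": Level.FULL,
                                      "ip_locations": Level.NONE}))
```

Running the block reproduces the article's example: a creator with View Only on IP Locations can set IP Locations to View Only or None but not Full, and a role with Admin Sign-On access but no IP Locations access is flagged even though it stays within the creator's scope.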

Related Articles

  • About ZIdentity Admin Roles
  • Adding ZIdentity Admin Roles
  • Admin Roles and Permissions
  • Assigning CXO Insight User Role