This article describes how to assign roles and permissions to admins who manage the ZIdentity Admin Portal. These admins can manage users and entitlements on the assigned Zscaler services.

Prerequisites

You need to first add users and user groups and then assign them with admin roles.

Assigning Admin Roles

To assign admin roles:

1. Go to Administration > Entitlements > ZIdentity Roles.
2. Click Add Role.

3. In the Add Role window:

   • Name: Enter a name for the admin role.
   • Description (optional): Enter a description for the role.
   • Select one of the following access levels for each of the modules in the ZIdentity Admin Portal:
     • Full: Allows admins full access to the module.
     • View Only: Allows admins to only view the details.
     • Restricted View: Allows admins to view specific details in the module.
     • None: Admins don't have access to the module.
   • You can set the access levels for the following modules in the ZIdentity Admin Portal:
     • Admin Sign-On Policy

       Set the access level to Policy > Admin Sign-On.

       Condition: The role must also have Full or View Only access to IP Locations to manage or view Sign-On Policy.

       Close
     • Authentication Methods

       Set the access level to:

       • Policy > Password
       • Administration > Authentication > Authentication Methods.

       Close
     • Users & Groups

       Set the access level to

       • Directory > Users
       • Directory > User Groups
       • Directory > Attributes

       Condition: This permission doesn't allow access to Directory > Users > Edit User > Security Settings. The role must have Full or View Only access to User Credentials to manage or view the Security Settings of users.

       Close
     • User Credentials

       Set the access level to Directory > Users > Edit User > Security Settings.

       Condition: The role must have Full or View Only access to Users and Groups to manage or view the Security Settings of users.

       Close
     • External Identities

       Set the access level to Integration > External Identities.

       Condition: The Restricted View access allows View-Only access to External Identities but doesn't allow the role to view or access the Bear Token field (Integration > External Identities > Edit Primary or Secondary Identity Provider > Provisioning).

       Close
     • IP Locations & Groups

       Set the access level to Administration > Environment > IP Locations and Administration > Environment > IP Location Groups.

       Close
     • Linked Services

       Set the access level to Administration > System > Linked Services.

       Close
     • Authentication Session

       Set the access level to the Authentication Session section in Administration > Authentication > Authentication Session.

       Close
     • Administrative Entitlements

       Set the access level to Administration > Entitlements > Administrative.

       Conditions:

       • The admins that are assigned this role can access the configuration on the Administrative Entitlements: Administrative page only for the services to which they are assigned as service admins, where their role includes the following permission set to Full:
         • Administration > Administration Controls in the ZIA Admin Portal.
         • Configuration & Control > Administration Control > Administrators in the ZPA Admin Portal.
         • Administrator Management in the ZDX Admin Portal.
         • Administrator Management in the Zscaler Client Connector Portal.
         • Administrator Management in the Zscaler Cloud & Branch Connector Admin Portal.

       For example, you assign a ZIdentity user as service admin for the ZIA and ZPA services with roles that include full administrative control for the ZIA Admin Portal and Read Only administrative control for the ZPA Admin Portal. When you assign this service admin as an admin for the ZIdentity Admin Portal, the admin only sees the ZIA service listed on the About Administrative Entitlements page and not the ZPA service, because the admin doesn't have full access to administrative controls in ZPA Admin Portal.

       • Admins with Full access to users and groups can do the following on the Administrative Entitlements page:
         • View the users and user groups details.
         • View all users and user group assignments.
         • Assign users and user groups.
         • Remove users and user group assignments.
       • Admins with View Only access to users and groups can do the following on the Administrative Entitlements page:
         • View all users and user group assignments.
       • Admins with Restricted Full access can:
         • Access, view, and search administrative entitlements.
         • View users and user groups of individual tenants if they have “Users and Groups - Full” or “Users and Groups - View” permission.
         • View all users and user groups assignments
         • Assign users, remove user assignments, assign user groups, and remove user group assignments if they have permission on individual tenants to manage administrators.

       Close
     • Service Entitlements

       Set the access level to Administration > Entitlements > Service.

       Conditions:

       • Admins with Full access to users and groups can do the following on the Service Entitlements page:
         • View users and user groups and assignments.
         • Assign users and user groups.
         • Remove users and user group assignments.
       • Admins with View Only access to users and groups can do the following on the Service Entitlements page:
         • View the subscribed services.
         • View all users and user group assignments.

       Close
     • Audit Logs

       Set the access level to Administration > System > Audit Logs.

       Close
     • Roles

       Set the access level to Administration > Entitlements > ZIdentity Roles.

       Condition: To edit or delete admin roles that are currently assigned to admins, you must have Full access to Administrative Entitlements and Full or View Only access to Users & Groups.

       When configuring a ZIdentity role, an admin can only set the permission level equal to or less than their role scope. For example, if admin access is set to Full for Roles and View Only for IP Locations for a role, the admin assigned to that role can only add new roles with IP Locations to either View or None, but not as Full. This ensures that admins with lower scope and permission can't configure an admin with a higher scope and permission.

       Close
     • Guest Domains

       Set the access level to Full, View Only, or None.

       Close
     • Remote Assistance

       Set the access level to Full or None.

       Close
     • Branding

       Set the access level to Administration > Environment > Branding.

       Close
     • API Clients & Resources

       Set the access level to Integration > API Clients and Integration > API Resources.

       Close
     • Executive Insights

       Set the access level to Administration > Executive Insights.

       The Executive Insights role is assigned to the leadership team (chief executive officer (CEO), chief operating officer (COO), chief financial officer (CFO), etc.) in your organization, allowing them to access the Executive Insights app.

       Close

   See image.

   

   Close

4. Click Save.

   The role is successfully added and displayed on the Roles page.