Secure Private Access (ZPA)

Configuring Administrator Roles

This article describes how to add a new admin role. For a complete list of ranges and limits for roles, see Ranges & Limitations.

Currently, the following conditions apply when configuring role-based access control:

  • If an admin does not have permission to access a page within the ZPA Admin Portal, it is still listed within the left-side navigation menu but it is not accessible. If an admin has Read Only access, they can still attempt to add or edit but an error message is displayed when they try to save.
  • For ZIdentity-enabled tenants, admin roles must be assigned in the ZIdentity Admin Portal. To learn more, see About Administrative Entitlements.
  • Only access to Zscaler Client Connector is supported.
  • Submit a Ticket is always accessible to all roles.

Adding an Admin Role

To add a new admin role:

  1. Go to Configuration & Control > Administration Control > Roles.
  2. Click Add.

    The Add Role window appears.

  3. In the Add Role window:

    • Name: Enter a name for the role. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
    • Description: (Optional) Enter a description for the role.
    • Under Access Control, click Enable for the features that this role must have access to. If the role does not have access to a feature, then the functionality for the feature does not appear in the ZPA Admin Portal for any admin assigned to this role. You can only create a role that has an equal or lower level of access control than your own.

    Choose from the following features:

    • Enable to allow admins Full or Read Only access to the following Administration functionality:

      • Configuration & Control > Administration Control > Administrators
      • Configuration & Control > Administration Control > Audit Logs
      • Configuration & Control > Administration Control > Client Connector IP Assignment
      • Configuration & Control > Administration Control > Disaster Recovery
      • Configuration & Control > Administration Control > Microtenant
      • Configuration & Control > Administration Control > Roles. Access to Roles is always Read Only.
      • Configuration & Control > Administration Control > User Portal AUP
      • Configuration & Control > Administration Control > Integrations > Zscaler Cloud Sandbox
    • Enable to allow admins Full or Read Only access to API Keys.
    • Enable to allow admins Full or Read Only access to the following App Connector Management functionality:

      • Configuration & Control > Certificate Management > Certificates
      • Configuration & Control > Certificate Management > Enrollment Certificates
      • Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
      • Configuration & Control > Private Infrastructure > App Connector Management > App Connector Provisioning Keys
      • Configuration & Control > Private Infrastructure > App Connector Management > App Connectors
    • Enable to allow admins Full or Read Only access to the following Authentication functionality:

      • Authentication > User Authentication > Settings > CORS Request
      • Authentication > User Authentication > Settings > SameSite Cookie Attribute
      • Authentication > User Authentication > Emergency Access
      • Authentication > User Authentication > Emergency Access Users
      • Authentication > User Authentication > IdP Configuration. This includes access to Authentication > User Authentication > Settings > Enforce SSO Login for Administrators.

        The IdP Configuration field provides access for SAML and SCIM authentication. To learn more about SCIM authentication settings, see SCIM Management.

      • Tools > Remote Assistance
      • Authentication > User Authentication > SAML Management > SAML Attributes
      • Authentication > User Authentication > Settings > Settings
    • Enable to allow admins Full or Read Only access to the following Business Continuity Management functionality:

      • Administration Control > Business Continuity > Business Continuity Settings
      • Administration Control > Certificate Management > Certificates
      • Administration Control > Business Continuity > Private Cloud Controllers > Customer Version Profile
      • Administration Control > Business Continuity > Private Cloud Controller Groups
      • Administration Control > Business Continuity > Private Cloud Controller Provisioning Keys
      • Administration Control > Business Continuity > Private Cloud Controllers
      • Administration Control > Business Continuity > Private Clouds
    • Enable to allow admins Full or Read Only access to Certificates.
    • Enable to allow admins Full access to the Zscaler Client Connector Portal.
    • Enable to allow admins Full or Read Only access to Client Sessions.
    • Enable to allow admins Full or Read Only access to the following Cloud Connector Management functionality:

      • Configuration & Control > Certificate Management > Certificates
      • Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector
      • Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector Group
    • Enable to allow admins Full or Read Only access to the Company profile.
    • Enable to allow admins Full or Read Only access to the following Configuration functionality:

      • Resource Management > Application Management > Application Segments
      • Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
      • Configuration & Control > Certificate Management > Certificates
      • Resource Management > Application Management > Application Segments > Client Hostname Validation
      • Configuration & Control > Certificate Management > Enrollment Certificates
      • Resource Management > Application Management > Application Segments/Segment Groups > DNS Search Domains
      • Authentication > Device authentication > Machine Group
      • Policies. This includes access to Access Policy and Timeout Policy
      • Authentication > User Authentication > SAML Management > SAML Attributes
      • Resource Management > Application Management > Segment Groups
      • Configuration & Control > Private Infrastructure > App Connector Management > Server Groups
      • Configuration & Control > Private Infrastructure > App Connector Management > Servers
      • Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Group
    • Enable to allow admins Read Only access to the Dashboard.
    • Enable to allow admins Full or Read Only access to the following Diagnostics functionality:

      • Analytics > Diagnostics
      • Analytics > Support Information
      • Analytics > Live Logs
    • Enable to allow admins Full or Read Only access to the following Log Streaming functionality:

      • Resource Management > Application Management > Application Segments
      • Administration Control > Private Infrastructure > Log Streaming Service > App Connector Groups
      • Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers
      • Authentication > User Authentication > SAML Management > SAML Attributes
      • Resource Management > Application Management > Segment Groups
    • Enable to allow admins Full or Read Only access to the following Machine Management functionality:

      • Configuration & Control > Certificate Management > Enrollment Certificates
      • Authentication > Device authentication > Machine Groups
      • Authentication > Device authentication > Machine Provisioning Keys
    • Enable to allow admins Full or Read Only access to the following Notification Management functionality:

      • Configuration & Control > Administration Control > Administrators
      • Configuration & Control > Private Infrastructure > App Connector Management > App Connectors
      • Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connectors
      • Analytics > Diagnostics > Events
      • Configuration & Control > Notifications > Notifications
      • Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edges
    • Enable to allow admins Full or Read Only access to the following Policies functionality:

      • Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
      • Configuration & Control > AppProtection > AppProtection Profiles
      • Resource Management > Application Management > Application Segments
      • Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector Group
      • Authentication > User Authentication > IdP Configuration
      • Authentication > Device authentication > Machine Groups
      • Resource Management > Application Management > Segment Groups
      • Configuration & Control > Private Infrastructure > Application Management > Server Groups
      • Authentication > User Authentication > SAML Attributes
      • Authentication > User Authentication > SCIM Management > SCIM Attributes
      • Authentication > User Authentication > SCIM Management > SCIM Groups
      • Authentication > User Authentication > SCIM Management > SCIM Users
      • Policies

      This includes access to Access Policy, Client Forwarding Policy, and Timeout Policy.
    • Enable to allow admins Full or Read Only access to the following Private Service Edge Management functionality:

      • Administration Control > Certificate Management > Access Certificates
      • Administration Control > Certificate Management > Enrollment Certificates
      • Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Groups
      • Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Provisioning Keys
      • Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edges
    • Enable to allow admins Full or Read Only access to the following Privileged Remote Access functionality:

      • Resource Management > Application Management > Application Segments
      • Configuration & Control > Certificate Management > Certificates
      • Resource Management > Privileged Remote Access > Credentials
      • Resource Management > Privileged Remote Access > Credential Pools
      • Resource Management > Privileged Remote Access > Privileged Approval
      • Resource Management > Privileged Remote Access > Privileged Console
      • Resource Management > Privileged Remote Access > Privileged Portal
    • Enable to allow admins Full or Read Only access to the following Privileged Sessions functionality:

      • Resource Management > Privileged Sessions > Session Proctoring
      • Resource Management > Privileged Sessions > Session Recordings
    • Enable to allow admins Full or Read Only access to the following Security Management functionality:

      • Configuration & Control > AppProtection > AppProtection Controls
      • Configuration & Control > AppProtection > AppProtection Profiles
      • Configuration & Control > AppProtection > AppProtection Controls > ThreatLabZ Controls
    • Enable to allow admins Full or Read Only access to the following SCIM Management functionality:

      • Authentication > User Authentication > IdP Configuration. This includes access to Authentication > User Authentication > Settings > Enforce SSO Login for Administrators.

        This IdP Configuration field provides access for SAML and SCIM authentication. To learn more about SAML authentication settings, see Authentication.

      • Authentication > User Authentication > SCIM Management > SCIM Attributes
      • Authentication > User Authentication > SCIM Management > SCIM Groups
      • Authentication > User Authentication > SCIM Management > SCIM Users

    A user is always granted the highest level of access control as defined for their role. For example, if a user is assigned a role that permits Full access to Configuration - Policy and Read Only access to Policies - Policy, then Full access is granted to the user for Policies.

    You can click on each section to expand it, or click Expand All.

    The default selections under each enabled feature are recommended by Zscaler. If you make changes, click Reset to recommended settings within a section to revert it to the default. You can also click Reset to recommended settings at the top of the Access Control area to revert all sections to their defaults.

  4. Click Save.
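The rules stated in the procedure above (a role name may contain only periods, hyphens and underscores as special characters; an enabled feature grants its listed portal pages; a page reachable from several features gets the highest level any of them grants; Roles is always Read Only; Dashboard is Read Only only and the Zscaler Client Connector Portal is Full only; a role may not exceed the creator's own access) are easy to get wrong when reviewing a role by hand. The following Python model is an added example, not Zscaler code or an API, and the feature-to-page table it uses is a constructed subset of the lists above; the treatment of letters, digits and spaces as non-special characters in a role name is an assumption.

```python
import re

# Ordering of the access levels a feature can be set to.
LEVELS = {"None": 0, "Read Only": 1, "Full": 2}

# Constructed subset of the feature -> portal page mapping given in the
# procedure above; the real portal has many more features and pages.
FEATURE_PAGES = {
    "Administration": [
        "Configuration & Control > Administration Control > Administrators",
        "Configuration & Control > Administration Control > Roles",
    ],
    "Certificates": [
        "Configuration & Control > Certificate Management > Certificates",
    ],
    "Configuration": [
        "Resource Management > Application Management > Application Segments",
        "Configuration & Control > Certificate Management > Certificates",
        "Policies",
    ],
    "Policies": [
        "Resource Management > Application Management > Application Segments",
        "Policies",
    ],
    "Dashboard": ["Dashboard"],
    "Zscaler Client Connector Portal": ["Zscaler Client Connector Portal"],
}

# Features the procedure restricts to a single level.
ALLOWED_LEVELS = {
    "Dashboard": {"Read Only"},
    "Zscaler Client Connector Portal": {"Full"},
}

ROLES_PAGE = "Configuration & Control > Administration Control > Roles"

# Assumption: letters, digits and spaces are not "special characters";
# periods, hyphens and underscores are the only permitted special ones.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]+$")


def valid_role_name(name):
    """True if the role name uses only the permitted characters."""
    return bool(NAME_RE.match(name))


def validate_role(role):
    """Return a list of problems with a role definition (empty if valid).

    role maps a feature name to "Full" or "Read Only".
    """
    errors = []
    for feature, level in role.items():
        if feature not in FEATURE_PAGES:
            errors.append(f"{feature}: unknown feature")
        elif level not in LEVELS or level == "None":
            errors.append(f"{feature}: unknown level {level!r}")
        elif level not in ALLOWED_LEVELS.get(feature, {"Full", "Read Only"}):
            errors.append(f"{feature}: {level} is not permitted")
    return errors


def effective_access(role):
    """Map each portal page to the level an admin with this role gets.

    A page reachable from several enabled features receives the highest
    level any of them grants; Roles is capped at Read Only regardless.
    """
    access = {}
    for feature, level in role.items():
        for page in FEATURE_PAGES.get(feature, []):
            if LEVELS[level] > LEVELS[access.get(page, "None")]:
                access[page] = level
    if access.get(ROLES_PAGE) == "Full":
        access[ROLES_PAGE] = "Read Only"
    return access


def can_create(creator_role, new_role):
    """True if every feature in new_role is at or below the creator's level."""
    return all(
        LEVELS[level] <= LEVELS[creator_role.get(feature, "None")]
        for feature, level in new_role.items()
    )


if __name__ == "__main__":
    # Constructed sample role: Full Configuration, Read Only Policies.
    helpdesk = {"Configuration": "Full", "Policies": "Read Only"}
    print("name ok:", valid_role_name("helpdesk_tier-1.ro"))
    print("problems:", validate_role(helpdesk))
    for page, level in sorted(effective_access(helpdesk).items()):
        print(f"{level:9}  {page}")
```

Running the block reproduces the page's own example: the sample role has Full access to Configuration and Read Only access to Policies, and because the Policies page is reachable from both features, the effective level for Policies is Full. Running `can_create` with the reviewer's own role as the first argument is the same check the portal applies when it refuses a role with more access than its creator.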

Editing an Admin Role

To edit an admin role:

  1. Go to Configuration & Control > Administration Control > Roles.
  2. In the table, locate the role you want to modify and click the Edit icon.
  3. In the Edit Role window, modify fields as necessary.
  4. Click Save.

It can take up to two minutes for updates to the permissions for existing roles to take effect. If the permissions for a custom role are missing, you must edit the custom role and save the new permissions. A warning icon appears next to the permission group that indicates when permissions are missing. When you expand the group, a warning icon also appears next to the missing permissions.

Deleting an Admin Role

To delete an admin role:

  1. Go to Configuration & Control > Administration Control > Roles.
  2. In the table, locate the role you want to remove and click the Delete icon.
  3. In the confirmation window that appears, click Delete.

Related Articles

  • About Administrators
  • Configuring ZPA Administrators
  • Editing ZPA Administrators
  • About Roles
  • Configuring Administrator Roles