Secure Private Access (ZPA)
Configuring Administrator Roles
This article describes how to add a new admin role. For a complete list of ranges and limits for roles, see Ranges & Limitations.
Currently, the following conditions apply when configuring role-based access control:
- If an admin does not have permission to access a page within the ZPA Admin Portal, it is still listed within the left-side navigation menu but it is not accessible. If an admin has Read Only access, they can still attempt to add or edit but an error message is displayed when they try to save.
- For ZIdentity-enabled tenants, admin roles must be assigned in the ZIdentity Admin Portal. To learn more, see About Administrative Entitlements.
- Only access to Zscaler Client Connector is supported.
- Submit a Ticket is always accessible to all roles.
Adding an Admin Role
- Go to Configuration & Control > Administration Control > Roles.
- Click Add.
The Add Role window appears.
- In the Add Role window:
- Name: Enter a name for the role. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
- Description: (Optional) Enter a description for the role.
- Under Access Control, click Enable for the features that this role must have access to. If the role does not have access to a feature, then the functionality for the feature does not appear in the ZPA Admin Portal for any admin assigned to this role. You can only create a role that has an equal or lower level of access control than your own.
Choose from the following features:
- Administration Control
Enable to allow admins Full or Read Only access to the following Administration functionality:
- Configuration & Control > Administration Control > Administrators
- Configuration & Control > Administration Control > Audit Logs
- Configuration & Control > Administration Control > Client Connector IP Assignment
- Configuration & Control > Administration Control > Disaster Recovery
- Configuration & Control > Administration Control > Microtenant
- Configuration & Control > Administration Control > Roles. Access to Roles is always Read Only.
- Configuration & Control > Administration Control > User Portal AUP
- Configuration & Control > Administration Control > Integrations > Zscaler Cloud Sandbox
- API Key Management
Enable to allow admins Full or Read Only access to API Keys.
- App Connector Management
Enable to allow admins Full or Read Only access to the following App Connector Management functionality:
- Configuration & Control > Certificate Management > Certificates
- Configuration & Control > Certificate Management > Enrollment Certificates
- Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
- Configuration & Control > Private Infrastructure > App Connector Management > App Connector Provisioning Keys
- Configuration & Control > Private Infrastructure > App Connector Management > App Connectors
- Authentication
Enable to allow admins Full or Read Only access to the following Authentication functionality:
- Authentication > User Authentication > Settings > CORS Request
- Authentication > User Authentication > Settings > SameSite Cookie Attribute
- Authentication > User Authentication > Emergency Access
- Authentication > User Authentication > Emergency Access Users
- Authentication > User Authentication > IdP Configuration. This includes access to Authentication > User Authentication > Settings > Enforce SSO Login for Administrators.
The IdP Configuration field provides access for SAML and SCIM authentication. To learn more about SCIM authentication settings, see SCIM Management.
- Tools > Remote Assistance
- Authentication > User Authentication > SAML Management > SAML Attributes
- Authentication > User Authentication > Settings > Settings
- Business Continuity Management
Enable to allow admins Full or Read Only access to the following Business Continuity Management functionality:
- Administration Control > Business Continuity > Business Continuity Settings
- Administration Control > Certificate Management > Certificates
- Administration Control > Business Continuity > Private Cloud Controllers > Customer Version Profile
- Administration Control > Business Continuity > Private Cloud Controller Groups
- Administration Control > Business Continuity > Private Cloud Controller Provisioning Keys
- Administration Control > Business Continuity > Private Cloud Controllers
- Administration Control > Business Continuity > Private Clouds
- Certificate Management
Enable to allow admins Full or Read Only access to Certificates.
- Client Connector Portal
Enable to allow admins Full access to the Zscaler Client Connector Portal.
- Client Sessions
Enable to allow admins Full or Read Only access to Client Sessions.
- Cloud Connector Management
Enable to allow admins Full or Read Only access to the following Cloud Connector Management functionality:
- Configuration & Control > Certificate Management > Certificates
- Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector
- Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector Group
- Company Information
Enable to allow admins Full or Read Only access to the Company profile.
- Configuration
Enable to allow admins Full or Read Only access to the following Configuration functionality:
- Resource Management > Application Management > Application Segments
- Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
- Configuration & Control > Certificate Management > Certificates
- Resource Management > Application Management > Application Segments > Client Hostname Validation
- Configuration & Control > Certificate Management > Enrollment Certificates
- Resource Management > Application Management > Application Segments/Segment Groups > DNS Search Domains
- Authentication > Device authentication > Machine Group
- Policies. This includes access to Access Policy and Timeout Policy
- Authentication > User Authentication > SAML Management > SAML Attributes
- Resource Management > Application Management > Segment Groups
- Configuration & Control > Private Infrastructure > App Connector Management > Server Groups
- Configuration & Control > Private Infrastructure > App Connector Management > Servers
- Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Group
- Dashboard
Enable to allow admins Read Only access to the Dashboard.
- Diagnostics
Enable to allow admins Full or Read Only access to the following Diagnostics functionality:
- Analytics > Diagnostics
- Analytics > Support Information
- Analytics > Live Logs
- Log Streaming
Enable to allow admins Full or Read Only access to the following Log Streaming functionality:
- Resource Management > Application Management > Application Segments
- Administration Control > Private Infrastructure > Log Streaming Service > App Connector Groups
- Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers
- Authentication > User Authentication > SAML Management > SAML Attributes
- Resource Management > Application Management > Segment Groups
- Machine Management
Enable to allow admins Full or Read Only access to the following Machine Management functionality:
- Configuration & Control > Certificate Management > Enrollment Certificates
- Authentication > Device authentication > Machine Groups
- Authentication > Device authentication > Machine Provisioning Keys
- Notification Management
Enable to allow Full or Read Only access to the following Notification Management functionality:
- Configuration & Control > Administration Control > Administrators
- Configuration & Control > Private Infrastructure > App Connector Management > App Connectors
- Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connectors
- Analytics > Diagnostics > Events
- Configuration & Control > Notifications > Notifications
- Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edges
- Policies
Enable to allow admins Full or Read Only access to the following Policies functionality:
- Configuration & Control > Private Infrastructure > App Connector Management > App Connector Groups
- Configuration & Control > AppProtection > AppProtection Profiles
- Resource Management > Application Management > Application Segments
- Configuration & Control > Private Infrastructure > Cloud Connector Management > Cloud Connector Group
- Authentication > User Authentication > IdP Configuration
- Authentication > Device authentication > Machine Groups
- Resource Management > Application Management > Segment Groups
- Configuration & Control > Private Infrastructure > Application Management > Server Groups
- Authentication > User Authentication > SAML Attributes
- Authentication > User Authentication > SCIM Management > SCIM Attributes
- Authentication > User Authentication > SCIM Management > SCIM Groups
- Authentication > User Authentication > SCIM Management > SCIM Users
- Policies
This includes access to Access Policy, Client Forwarding Policy, and Timeout Policy.
- Private Service Edge Management
Enable to allow admins Full or Read Only access to the following Private Service Edge Management functionality:
- Administration Control > Certificate Management > Access Certificates
- Administration Control > Certificate Management > Enrollment Certificates
- Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Groups
- Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge Provisioning Keys
- Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edges
- Privileged Remote Access
Enable to allow admins Full or Read Only access to the following Privileged Remote Access functionality:
- Resource Management > Application Management > Application Segments
- Configuration & Control > Certificate Management > Certificates
- Resource Management > Privileged Remote Access > Credentials
- Resource Management > Privileged Remote Access > Credential Pools
- Resource Management > Privileged Remote Access > Privileged Approval
- Resource Management > Privileged Remote Access > Privileged Console
- Resource Management > Privileged Remote Access > Privileged Portal
- Privileged Sessions
Enable to allow admins Full or Read Only access to the following Privileged Sessions functionality:
- Resource Management > Privileged Sessions > Session Proctoring
- Resource Management > Privileged Sessions > Session Recordings
- Security Management
Enable to allow admins Full or Read Only access to the following Security Management functionality:
- Configuration & Control > AppProtection > AppProtection Controls
- Configuration & Control > AppProtection > AppProtection Profiles
- Configuration & Control > AppProtection > AppProtection Controls > ThreatLabZ Controls
- SCIM Management
Enable to allow admins Full or Read Only access to the following SCIM Management functionality:
- Authentication > User Authentication > IdP Configuration. This includes access to Authentication > User Authentication > Settings > Enforce SSO Login for Administrators.
This IdP Configuration field provides access for SAML and SCIM authentication. To learn more about SAML authentication settings, see Authentication.
- Authentication > User Authentication > SCIM Management > SCIM Attributes
- Authentication > User Authentication > SCIM Management > SCIM Groups
- Authentication > User Authentication > SCIM Management > SCIM Users
A user is always granted the highest level of access control as defined for their role. For example, if a user is assigned a role that permits Full access to Configuration - Policy and Read Only access to Policies - Policy, then Full access is granted to the user for Policies.
You can click on each section to expand it, or click Expand All.
The default selections under each enabled feature are recommended by Zscaler. If you make changes, click Reset to recommended settings within a section to revert it to the default. You can also click Reset to recommended settings at the top of the Access Control area to revert all sections to their defaults.
- Click Save.
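The resolution rule above (a page covered by several enabled features gets the highest level among them, with Roles capped at Read Only) and the rule that a role cannot exceed its creator's own access, modelled in Python as an added example that is not Zscaler's code. The feature-to-page map is a constructed subset of the lists in this article, and evaluating the creator check per feature is an assumption.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1
    FULL = 2

# Constructed subset of the feature -> page lists in this article (not exhaustive).
FEATURE_PAGES = {
    "Administration Control": {"Administrators", "Audit Logs", "Roles"},
    "Configuration": {"Application Segments", "Policies", "SAML Attributes", "Server Groups"},
    "Policies": {"Application Segments", "Policies", "SAML Attributes", "SCIM Users"},
    "Log Streaming": {"Application Segments", "Log Receivers", "SAML Attributes"},
}
# Pages the article says are capped at Read Only regardless of the grant.
ALWAYS_READ_ONLY = {"Roles"}

def effective_access(role):
    """Per-page access for a role given as {feature: Access}.
    A page covered by several enabled features gets the highest level among them."""
    result = {}
    for feature, level in role.items():
        for page in FEATURE_PAGES.get(feature, ()):
            result[page] = max(result.get(page, Access.NONE), level)
    for page in ALWAYS_READ_ONLY:
        if page in result:
            result[page] = min(result[page], Access.READ_ONLY)
    return result

def exceeds_creator(candidate, creator):
    """Features where a proposed role would grant more than the creating admin's role.
    Assumption: the portal's 'equal or lower' check is evaluated per feature."""
    return sorted(f for f, lvl in candidate.items() if lvl > creator.get(f, Access.NONE))

def can_create(candidate, creator):
    """True when every feature in the candidate role is at or below the creator's level."""
    return not exceeds_creator(candidate, creator)

if __name__ == "__main__":
    role = {"Configuration": Access.FULL, "Policies": Access.READ_ONLY}
    print({p: a.name for p, a in sorted(effective_access(role).items())})
    print(exceeds_creator({"Policies": Access.FULL}, role))
```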
Editing an Admin Role
- Go to Configuration & Control > Administration Control > Roles.
- In the table, locate the role you want to modify and click the Edit icon.
- In the Edit Role window, modify fields as necessary.
- Click Save.
It can take up to two minutes for updates to the permissions for existing roles to take effect. If the permissions for a custom role are missing, you must edit the custom role and save the new permissions. A warning icon appears next to the permission group that indicates when permissions are missing. When you expand the group, a warning icon also appears next to the missing permissions.
Deleting an Admin Role
To delete an admin role:
- Go to Configuration & Control > Administration Control > Roles.
- In the table, locate the role you want to remove and click the Delete icon.
- In the confirmation window that appears, click Delete.