ZPA initially provides a default admin account for your organization (i.e., zpaadmin@<your organization's domain>.com or admin@<your organization's domain>.com). You can configure as many additional admins as necessary. For each admin, you can choose a predefined role or create a custom role. To learn more, see About Roles.

If your organization is subscribed to Shift and ZPA, the admin roles for both services are displayed. In this situation, Zscaler recommends selecting either the ZPA Administrator or ZPA Read Only Administrator role when creating new admin accounts for ZPA.

About the Administrators Page

On the Administrators page, the admins are listed as read-only if you are subscribed to ZIdentity. ZPA admins must be assigned in the ZIdentity Admin Portal. To learn more, see About Administrative Entitlements and What Is ZIdentity?

On the Administrators page (Configuration & Control > Administration Control > Administrators), you can do the following:

1. View a list of applied filters available from the current and previous user sessions. Applied filters must be saved to the user session first before they can be viewed. Use the drop-down menu to select the applied filters to view. To learn more, see Using Tables.
2. Hide the filters on the page by clicking Hide Filters. Click Show Filters to display the filters.
3. Refresh the Administrators page to reflect the most current information.
4. Filter the information that appears in the table. By default, no filters are applied. You can also save applied filters to your preferences so that they're visible in future user sessions. To learn more, see Using Tables.
5. Add a new admin.
6. Expand all rows in the table to see more information about each admin.
7. View a list of all admins that are configured for your organization. For each admin, you can see:
   • Admin ID: The username for the admin.
   • Role: The role for the admin.
   • Status: Indicates that the admin is enabled or disabled.
   • Two-Factor Authentication: If two-factor authentication (2FA) is enabled or disabled for the admin.
   • Two-Factor Auth Type: If two-factor authentication is enabled, the authentication type is displayed in this column.
8. Unlock a locked user or administrator.

Locking occurs automatically after three login attempts with invalid credentials and persists for 30 minutes.

9. Edit an existing admin.

The default ZPA Administrator role can be disabled when editing an admin if another role with ZPA Administrator privileges exists. Disabling your own ZPA Administrator role is not allowed. It can take up to two minutes for updates to an admin's permissions for an existing role to take effect.

10. Delete an admin.

The ZPA Administrator role does not have permission to delete any users with Shift role privileges. Only users with Administrator or Shift Administrator privileges can delete users with Shift role privileges.

11. Modify the columns displayed in the table.
12. Display more rows or a different page of the table.
13. Go to the Roles page to add new admin roles or manage existing roles.
14. Go to the Audit Logs page to view and download admin audit log records.
15. Go to the Acceptable Use Policy page to view or update the AUP for your user portals.

16. Go to the Microtenants page to add new Microtenants or manage existing Microtenants.

    The Microtenants page is only visible for Default Microtenant admins.

17. Go to the Client Sessions page to view or delete current sessions.
18. Go to the Disaster Recovery page to view critical application segments, ZPA Private Service Edge groups, or App Connector groups that are designated for disaster recovery. You can also view and configure the disaster recovery settings.

19. Go to the Integrations page to set up File Transfer via Zscaler Internet Access (ZIA).

    The Integrations page is read-only for Microtenant admins.

20. Go to the Client Connector IP Assignment page to manage Zscaler virtual IP addresses and view IP bindings for use with server-to-client connectivity.