How do I add admin roles?

About Admin Roles

The role admins are assigned dictates the level of access they have to the admin portal. Zscaler provides a default super admin role which has full access to the admin portal. This role is assigned to the default admin, but you can assign this role to other admins as necessary. For each additional role you create, you must define the role’s access by specifying:

  • Admin rank
  • Permissions
  • Functional scopes

Admin Rank

Admin rank enables you to create a hierarchy among admins and ensure that policies and settings configured by admins with higher rank cannot be overridden by admins with lower rank.

For example, if the CISO, who has the highest rank, sets a rule for the organization blocking all access to pornography, no lower-ranked admin can create a pornography rule that overrides the one set by the CISO.

The admin rank ranges from 0 (high) to 7 (low). The highest rank, 0, belongs to the super admin. For each additional role you create, you can assign an admin rank between 1 (high) and 7 (low). 

NOTE: By default, the admin rank feature is disabled. To use this feature, you must enable admin rank in Administration > Settings > Advanced Settings. 

The admin rank affects admins in the following areas.

Rule-Based Policies

Rule-based policies in the admin portal include:

  • URL & Cloud App Control
  • File Type Control
  • Bandwidth Control
  • Data Loss Prevention
  • Mobile App Control
  • Firewall Control
  • DNS Control

When creating rules for any of the above policies, admins must assign the rule an admin rank that is equal to or lower than their own rank. The rule’s admin rank in turn automatically determines the rule order, so that rules with a higher admin rank (a smaller rank number) always take precedence in the rule order. Rules with the same admin rank can be manually moved before or after another rule with the same rank.

Admins can edit a rule or change a rule’s place in the rule order only if the rule’s admin rank is equal to or lower than their own admin rank.

Role Management

Admins who have permission to manage roles can only create or edit roles with equal or lower rank.

Administrator Management

Admins who have permission to manage other admin accounts can only create or edit accounts with equal or lower rank. 

Specifying Users for Rules

Admins are also users that can be specified in the criteria for a particular rule (for example, an admin can be chosen as a user to whom a URL filtering rule applies). Thus, if admins add another admin as a user for a rule, they can only select admins that have equal or lower admin rank.
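The rank rules above are easy to get backwards because the most privileged rank is the smallest number. The following is an added example (not Zscaler code) that models those rules in Python: the Admin and Rule classes, the RuleSet container and its method names are assumptions made for illustration, and the rule order is modelled as a list sorted by rank. It walks through the CISO scenario from the text: a lower-ranked admin can neither create a rule that would sort above the CISO's nor edit it, but can reorder rules of their own rank.

```python
"""Model of the admin-rank rules: 0 is the super admin (highest rank), 7 is
the lowest, so a numerically SMALLER rank is MORE privileged.
Added example; class and method names are assumptions, not Zscaler's."""
from dataclasses import dataclass

SUPER_ADMIN_RANK = 0   # highest rank, reserved for the default super admin
LOWEST_RANK = 7        # lowest rank an admin role can be given


@dataclass(frozen=True)
class Admin:
    name: str
    rank: int  # 0..7, smaller is more privileged


@dataclass
class Rule:
    name: str
    rank: int       # admin rank assigned when the rule was created
    position: int   # manual position among rules of the same rank


def may_act_on(actor_rank: int, target_rank: int) -> bool:
    """An admin may act on a rule, role or account whose rank is equal to or
    lower than their own. 'Lower rank' is a LARGER number, hence <=."""
    return actor_rank <= target_rank


class RuleSet:
    """One rule-based policy, e.g. URL & Cloud App Control."""

    def __init__(self) -> None:
        self._rules: list[Rule] = []

    def add_rule(self, actor: Admin, name: str, rank: int) -> Rule:
        if not SUPER_ADMIN_RANK <= rank <= LOWEST_RANK:
            raise ValueError(f"rank {rank} is outside {SUPER_ADMIN_RANK}..{LOWEST_RANK}")
        # A rule's rank must be equal to or lower than the creating admin's rank.
        if not may_act_on(actor.rank, rank):
            raise PermissionError(
                f"{actor.name} (rank {actor.rank}) cannot create a rank-{rank} rule")
        rule = Rule(name, rank, position=len(self._rules))
        self._rules.append(rule)
        return rule

    def can_edit(self, actor: Admin, rule: Rule) -> bool:
        return may_act_on(actor.rank, rule.rank)

    def ordered(self) -> list[Rule]:
        # Rank decides the order automatically; the manual position only
        # breaks ties between rules of the same rank.
        return sorted(self._rules, key=lambda r: (r.rank, r.position))

    def move_before(self, actor: Admin, mover: Rule, anchor: Rule) -> None:
        """Manual reordering: only between rules of the same rank, and only by
        an admin whose rank permits editing the rule being moved."""
        if not self.can_edit(actor, mover):
            raise PermissionError(f"{actor.name} cannot move rule {mover.name!r}")
        if mover.rank != anchor.rank:
            raise ValueError("a rule cannot be moved across an admin-rank boundary")
        same_rank = [r for r in self.ordered()
                     if r.rank == mover.rank and r is not mover]
        idx = next(i for i, r in enumerate(same_rank) if r is anchor)
        same_rank.insert(idx, mover)
        for pos, rule in enumerate(same_rank):
            rule.position = pos


def demo() -> list[str]:
    """Walk through the CISO example from the text; returns the final rule order."""
    ciso = Admin("ciso", rank=1)
    helpdesk = Admin("helpdesk", rank=5)
    policy = RuleSet()
    block_adult = policy.add_rule(ciso, "block-adult-content", rank=1)
    allow_vendor = policy.add_rule(helpdesk, "allow-vendor-site", rank=5)
    block_streaming = policy.add_rule(helpdesk, "block-streaming", rank=5)

    # A lower-ranked admin cannot create a rule that would sort above the CISO's...
    try:
        policy.add_rule(helpdesk, "override-ciso", rank=1)
        raise AssertionError("rank check did not fire")
    except PermissionError:
        pass

    # ...nor edit the CISO's rule, but may reorder rules of their own rank.
    assert not policy.can_edit(helpdesk, block_adult)
    policy.move_before(helpdesk, block_streaming, allow_vendor)
    return [r.name for r in policy.ordered()]


if __name__ == "__main__":
    print(demo())
```

Note that the manual move never changes which rank block a rule sits in: even after reordering, the rank-1 rule still evaluates before every rank-5 rule.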

Permissions

Permissions allow you to control an admin’s access to the major features of the admin portal. For each role, you must select permissions in the following categories:

Logs Limit (Days)

Admins can view real-time logs of every transaction performed by your users regardless of where they are in the world. By specifying permissions in Logs Limit (Days), you can control how many days of logs admins are allowed to view. You can select a time frame from 30 days to Unrestricted. By default, admins can view logs for an unrestricted amount of time. If a limit is set (for example, because an admin only needs temporary access to logs to verify compliance), admins can only view logs for the specified number of days; with a logs limit of 30 days, admins can only view logs from the last 30 days.

Dashboard Access

In Dashboards, admins can view predefined dashboards that enable real-time visibility into your organization’s Internet traffic in a range of areas. Admins can customize the dashboards as long as they have permission to do so. You can select from the following permissions:

  • Full: Allows admins to view, edit, and delete dashboards
  • View Only: Allows admins only to view all dashboards

Reporting Access

In Analytics > Reporting, admins can access a wide range of standard reports and can also create custom reports. By specifying permissions in Reporting Access, you can control the access admins have to these features. You can select from the following permissions:

  • Full: Allows admins access to all features in Interactive Reports and Scheduled Reports. However, only admins with the super admin role can delete any custom report. Otherwise, admins can delete their own custom reports only.
  • View Only:
    For Interactive Reports: Allows admins to view standard reports and custom reports created by other admins.
    For Scheduled Reports: Allows admins full access to features.
  • None: Does not allow access to Reporting and Insights. The Analytics tab is not visible.

Insights Access

In Analytics > Insights, admins can interactively mine logs for data on specific transactions. By specifying permissions in Insights Access, you can control the access admins have to this feature. Note that this permission category appears only if the role has been given Full or View Only permission to Reporting Access; otherwise, this category does not appear. You can select from the following permissions:

  • View Only: Allows admins full access to Insights. However, the role must be given Full permission to Reporting Access to obtain detailed transaction logs in the View Logs feature in Insights. Admins cannot view these detailed transaction logs if they have View Only permission to Reporting Access.
  • None: Does not allow access to Insights. Insights is not visible in Analytics.

Policy Access

Admins can view or configure policies and settings in the Policy and Administration tabs. Note that if you give the role Full or View Only permission to Policy Access, you can specify which features admins can use or view by enabling specific Functional Scopes. You can select from the following permissions:

  • Full: Allows admins full access to features in the Policy and Administration tabs.
  • View Only: Allows admins to view, but not edit, items in the Policy and Administration tabs.
    The only exception is with items in Administration > Settings > Account Management. With View Only permission, admins can still make changes to My Profile and use the Print All Policies feature.
  • None: Does not allow access to policies. The Policy tab is not visible and items in Administration are not visible.
    The only exception is with items in Administration > Settings > Account Management. Admins can still view the Company Profile and make changes to My Profile.

Administrators Access

In Administration > Authentication > Administration Controls, admins can add other admins, create audit logs, as well as back up and restore policies. Note that this permission category appears only if the role has been given Full permission to Policy Access; otherwise, this category does not appear. You can select from the following permissions:

  • Full: Allows admins to add, edit, and delete admin accounts that have admin ranks equal to or lower than their own account.
    • For Administrator Management: Only admins with organizational scope can add, edit, and delete admin accounts, and admins can only add, edit, and delete admin accounts that have admin ranks equal to or lower than their own rank. To make changes to Auditors in Administrator Management, admins must have a super admin role and organizational scope.
    • For Role Management: Admins can only add, edit, and delete roles that have equal or lesser scope, and admins can only add, edit, and delete roles with admin ranks equal to or lower than their own rank.
    • For Audit Logs: Admins must have organizational scope to make changes.
    • For Backup & Restore: Admins with limited scope may back up policies, but only Admins with organizational scope can restore policies.
  • None: Does not allow access. Administration Controls is not visible in Administration > Authentication.

User Names

You can specify whether real user names are visible to admins when they view dashboards, reports, or insights.

  • Visible: User names are visible in reports and dashboards.
  • Obfuscated: User names are obfuscated in reports and dashboards.

To learn more, see How do I obfuscate user names in the Zscaler service? If an admin is assigned a role with user name obfuscation, but requires access to real user names, an auditor’s permission is required. See What is an Auditor?

Functional Scopes

If a role has Full or View Only permission to Policy Access, you can specify with more granularity which features the role can access in the Policy and Administration tabs by specifying Functional Scopes. When a role does not have access to a feature, the feature does not appear in the UI for that role. The one area not covered by Functional Scopes is Account Management, described at the end of this section. Functional scopes you can enable or disable include:

Access Control

Policy > Web > Access Control >

  • URL & Cloud App Control
  • File Type Control
  • Bandwidth Control
  • SSL Inspection
  • FTP Control

Policy > Mobile > Access Control >

  • Mobile App Control

Administration > Resources > Access Control >

  • URL Categories
  • Bandwidth Classes
  • Time Intervals
  • End User Notifications

Policy > Mobile > SecureAgent Configuration >

  • Mobile Portal

NOTE: The role must also have Traffic Forwarding enabled in Functional Scopes to access this feature.

Advanced Settings

Administration > Settings > Cloud Configuration >

  • Advanced Settings

NOTE: Access to the last three items in Advanced Settings (Services Forwarded to HTTP Web Proxy, Services Applicable to DNS Transactions Policies, and Services Forwarded to FTP Proxy) is not controlled by this functional scope. Access to these items is controlled by the Firewall & DNS functional scope instead.

Authentication Configuration

Administration > Authentication > Authentication Configuration >

  • Authentication Settings
  • User Management
  • Identity Proxy Settings

Note that you can specify with more granularity which of these three features the role can access.

Data Loss Prevention

Policy > Web > Data Loss Prevention >

  • Data Loss Prevention

Administration > Resources > Data Loss Prevention

  • DLP Dictionaries & Engines
  • DLP Notification Templates

Virtual ZEN Configuration

Administration > Settings > Cloud Configuration > Virtual ZENS

Firewall & DNS

Policy > Firewall > Access Control >

  • Firewall Control
  • DNS Control

Administration > Resources > Firewall >

  • Network Services
  • Network Applications
  • IP Groups

Administration > Settings > Cloud Configuration > Advanced Settings >

  • Services Forwarded to HTTP Web Proxy
  • Services Applicable to DNS Transactions Policies
  • Services Forwarded to FTP Proxy

NSS Configuration

Administration > Settings > Cloud Configuration >

  • Nanolog Streaming Service

Security

Policy > Web > Security >

  • Malware Protection
  • Advanced Threat Protection
  • Sandbox
  • Browser Control

Policy > Mobile > Security

  • Mobile Malware Protection

SSL Policy

Policy > Web > Access Control >

  • SSL Inspection

Traffic Forwarding

Administration > Resources > Traffic Forwarding >

  • Locations
  • VPN Credentials
  • Hosted PAC Files
  • eZ Agent Configuration
  • SecureAgent Notifications

Note that you can specify with more granularity which of these five features the role can access.

Policy > Mobile > SecureAgent Configuration >

  • Mobile Portal

NOTE: The role must also have Access Control enabled in Functional Scopes to access this feature.

Account Management

Account Management can be found in Administration > Settings. Items under Account Management include:

  • My Profile
  • Company Profile
  • Alerts
  • Print All Policies

Access to these items is controlled by the Policy Access permission.

  • If an admin is given Full permission in Policy Access, the admin has full access to all features in Account Management.
  • If an admin’s permission is View Only in Policy Access, the admin can:
    • Edit My Profile
    • View Company Profile
    • View Alerts
    • Use the Print All Policies feature
  • If an admin’s permission is None in Policy Access, the admin can still edit My Profile and view Company Profile.

Configuring Admin Roles

Adding roles is the first step Zscaler recommends you take when configuring Role-Based Administration. After adding roles, you can move on to adding administrators.

When configuring (adding, editing, or deleting) roles:

  • You must have permission to do so, as explained above.
  • You can only create, edit, or delete roles with equal or lower rank.
  • You must have organizational scope.

To configure admin roles:

  1. Go to Administration > Authentication > Administration Controls > Role Management.
  2. Click Add and do the following:
    • Enter a Name for the role.
    • In Permissions:
      • Select an Admin Rank for the role, if this feature is enabled in Advanced Settings. You can select a rank from 1 to 7.
      • Logs Limit (Days): Select a time frame from 30 days to Unrestricted.
      • Dashboard Access: Select Full or View Only.
      • Reporting Access: Select Full, View Only, or None.
      • Insights Access: Select View Only or None. Full or View Only permission is required for Reporting Access to enable Insights Access.
      • Policy Access: Select Full, View Only, or None.
      • Administrators Access: Select Full or None. Full permission is required for Policy Access to enable Administrators Access.
      • User Names: Select Visible or Obfuscated.
    • In Functional Scope, select the features the admin can access.
      • Access Control
      • Advanced Settings
      • Authentication Configuration
      • Data Loss Prevention
      • Firewall & DNS
      • NSS Configuration
      • Security
      • SSL Policy
      • Traffic Forwarding

  3. Click Save and activate the change.

You can edit or delete roles as necessary at any time.
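The permission categories above carry dependencies that are easy to miss when roles are defined outside the portal (for example in a change ticket or an automation script): Insights needs Reporting, Administrators Access needs Full Policy Access, Functional Scopes only take effect with Full or View Only Policy Access, and Mobile Portal needs both the Access Control and Traffic Forwarding scopes. The following is an added example (not Zscaler code) of a validator that checks a proposed role against exactly those dependencies before anyone clicks Save. The Role dataclass, its field names and validate_role() are assumptions made for illustration; Logs Limit is modelled as a number of days with None meaning Unrestricted and 30 as the smallest selectable value, and Zscaler's own validation may differ in detail.

```python
"""Check a proposed admin role against the permission dependencies stated on
this page. Added example; the Role model and function names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "Full"
    VIEW_ONLY = "View Only"
    NONE = "None"


FUNCTIONAL_SCOPES = frozenset({
    "Access Control", "Advanced Settings", "Authentication Configuration",
    "Data Loss Prevention", "Firewall & DNS", "NSS Configuration",
    "Security", "SSL Policy", "Traffic Forwarding",
})


@dataclass
class Role:
    name: str
    admin_rank: Optional[int] = None         # None when admin rank is disabled
    logs_limit_days: Optional[int] = None    # None = Unrestricted (assumed model)
    dashboard: Access = Access.VIEW_ONLY     # Full or View Only
    reporting: Access = Access.NONE          # Full, View Only or None
    insights: Access = Access.NONE           # View Only or None
    policy: Access = Access.NONE             # Full, View Only or None
    administrators: Access = Access.NONE     # Full or None
    obfuscate_user_names: bool = True
    functional_scopes: frozenset = frozenset()


def validate_role(role: Role) -> list:
    """Return findings as 'error: ...' / 'warning: ...' strings; empty means consistent."""
    errors, warnings = [], []
    if role.admin_rank is not None and not 1 <= role.admin_rank <= 7:
        errors.append(f"admin rank {role.admin_rank} must be 1..7 (0 is reserved for the super admin)")
    if role.logs_limit_days is not None and role.logs_limit_days < 30:
        errors.append("Logs Limit must be at least 30 days or Unrestricted")
    if role.dashboard is Access.NONE:
        errors.append("Dashboard Access offers only Full or View Only")
    if role.insights is Access.FULL:
        errors.append("Insights Access offers only View Only or None")
    if role.insights is Access.VIEW_ONLY and role.reporting is Access.NONE:
        errors.append("Insights Access requires Full or View Only Reporting Access")
    if role.administrators is Access.VIEW_ONLY:
        errors.append("Administrators Access offers only Full or None")
    if role.administrators is Access.FULL and role.policy is not Access.FULL:
        errors.append("Administrators Access requires Full Policy Access")
    unknown = set(role.functional_scopes) - FUNCTIONAL_SCOPES
    if unknown:
        errors.append(f"unknown functional scopes: {sorted(unknown)}")
    if role.policy is Access.NONE and role.functional_scopes:
        errors.append("Functional Scopes only apply with Full or View Only Policy Access")

    # Caveats the page calls out: the role is valid but will not behave as expected.
    if role.insights is Access.VIEW_ONLY and role.reporting is Access.VIEW_ONLY:
        warnings.append("Insights View Logs will not show detailed transaction logs "
                        "without Full Reporting Access")
    has_ac = "Access Control" in role.functional_scopes
    has_tf = "Traffic Forwarding" in role.functional_scopes
    if has_ac != has_tf:
        warnings.append("Mobile Portal needs both the Access Control and Traffic Forwarding scopes")
    return [f"error: {m}" for m in errors] + [f"warning: {m}" for m in warnings]


def demo() -> dict:
    """Two constructed roles: a least-privilege SOC analyst role that passes,
    and a misconfigured one that trips every dependency check."""
    soc_analyst = Role(
        name="soc-analyst", admin_rank=4, logs_limit_days=90,
        dashboard=Access.VIEW_ONLY, reporting=Access.FULL, insights=Access.VIEW_ONLY,
        policy=Access.VIEW_ONLY, administrators=Access.NONE,
        functional_scopes=frozenset({"Security", "Firewall & DNS"}),
    )
    broken = Role(
        name="broken", admin_rank=0, logs_limit_days=7,
        dashboard=Access.NONE, reporting=Access.NONE, insights=Access.VIEW_ONLY,
        policy=Access.VIEW_ONLY, administrators=Access.FULL,
        functional_scopes=frozenset({"Access Control", "Sandbox"}),
    )
    return {r.name: validate_role(r) for r in (soc_analyst, broken)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

The analyst role deliberately stops at View Only Policy Access with two functional scopes, which is the shape a least-privilege read-only investigative role takes on this page; anything wider (Full Policy Access, Administrators Access) should require a justification in the change record.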