What is admin scope?
With role-based administration, an admin's scope specifies which areas of the organization that admin can manage in the admin portal. The default admin has scope over the entire organization. For each additional admin you create, you must select a scope: the entire organization, one or more locations, or one or more departments. Location and department scope cannot be combined for a single admin.
Effect of Scope on Admin
An admin’s scope affects the following areas.
Admin with Scope over Location
For example, consider Admin A, assigned scope over two locations, Germany and France. When she creates a policy rule:
- She is required to make a selection for the Locations criteria. Because of her scope, only Germany and France are available for selection.
- She can choose any or all users, departments, and groups. The rule applies, however, only to the selected users, department members, or group members who are in Germany or France.
In the scenario depicted below, Admin A creates a rule and specifies Germany as a location. She then chooses any user, group, or department. The rule applies only to users inside the orange box.
Admin with Scope over Department
As another example, consider Admin B, assigned scope over two departments, HR and IT. When he creates a policy rule:
- He is required to make a selection for the Departments criteria. Only the HR and IT departments are available for selection.
- He is required to make a selection for the Users criteria. Only users from the HR and IT departments are available for selection.
(Note that if he selects a department in the Departments criteria, the rule applies to all users in that department, no matter which users he selects in the Users criteria. Specifying users in the Users criteria is therefore useful only when Admin B wants to reach users from a department other than the one selected in the Departments criteria; for example, selecting the IT department in the Departments criteria and then selecting individual users from HR in the Users criteria.)
- He is required to select a group. The rule applies to all members of the specified group, regardless of their department. To limit the rule to just members of the department specified in the Departments criteria, Zscaler recommends that admins choose a group that contains just those department members. For example, if an admin wants to make sure a rule applies just to members of Finance, the admin must create a group with just the Finance department members and then select that group. Zscaler recommends that you avoid selecting “Any” for group.
- He can select any (or all) locations. The rule applies only to specified users and department or group members in the selected locations.
In the scenario depicted below, Admin B creates a rule and specifies the following for each criterion:
- Users: John Doe from IT
- Departments: HR
- Groups: HR-Group
- Location: Germany, France, and Belgium
This rule applies only to users inside the orange box.
Editing Rules or Settings
Admins can edit a rule or setting only if their scope is equal to or greater than the scope assigned to the rule or setting. Note that along with scope, admin rank also affects which rules or settings an admin can edit. For example, consider a URL filtering rule that has a location criterion of Germany and France. Only an admin with scope over both Germany and France can edit this rule. Admin A, who has scope only over Germany, would not be able to edit it.
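To make the scope rules above concrete, here is a small model that applies them to the two scenarios on this page (Admin A with location scope, Admin B with department scope) and to the edit check just described. This is an added illustration, not Zscaler code or the admin portal's actual logic; the directory of users, the names, and the helper functions are constructed for the example. Two assumptions are made explicit in the code: the Users, Departments, and Groups criteria are OR'd together and then AND'd with Locations (which is what the department scenario on this page implies), and admin rank is ignored in the edit check.

```python
"""Toy model of admin scope: which criteria an admin may set on a policy rule,
which users the rule then reaches, and who may edit it afterwards.
Constructed example; names and directory entries are hypothetical."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = None  # the "Any" selection for a criterion


@dataclass(frozen=True)
class User:
    name: str
    department: str
    location: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Scope:
    kind: str                              # "organization", "location" or "department"
    values: FrozenSet[str] = frozenset()   # locations or departments covered


@dataclass(frozen=True)
class Rule:
    users: Optional[FrozenSet[str]]        # ANY, or a set of user names
    departments: Optional[FrozenSet[str]]
    groups: Optional[FrozenSet[str]]
    locations: Optional[FrozenSet[str]]


def validate_rule(admin: Scope, rule: Rule, directory: List[User]) -> None:
    """Raise ValueError if the criteria exceed what the admin's scope allows."""
    if admin.kind == "organization":
        return
    if admin.kind == "location":
        # Locations is mandatory and limited to the admin's own locations.
        if rule.locations is ANY or not rule.locations <= admin.values:
            raise ValueError("location-scoped admin must select locations within scope")
        return
    if admin.kind == "department":
        # Departments, Users and a Group are all mandatory; users must come
        # from the admin's departments, locations are unrestricted.
        if rule.departments is ANY or not rule.departments <= admin.values:
            raise ValueError("department-scoped admin must select departments within scope")
        if rule.users is ANY:
            raise ValueError("department-scoped admin must select users")
        in_scope = {u.name for u in directory if u.department in admin.values}
        if not rule.users <= in_scope:
            raise ValueError("selected users must belong to the admin's departments")
        if rule.groups is ANY:
            raise ValueError("department-scoped admin must select a group")
        return
    raise ValueError(f"unknown scope kind {admin.kind!r}")


def rule_is_valid(admin: Scope, rule: Rule, directory: List[User]) -> bool:
    try:
        validate_rule(admin, rule, directory)
        return True
    except ValueError:
        return False


def rule_applies_to(rule: Rule, user: User) -> bool:
    """Assumption: Users, Departments and Groups are OR'd; Locations is AND'd.
    An 'Any' in Users, Departments or Groups therefore reaches everyone in
    the selected locations, which is why 'Any' for Groups is discouraged."""
    who = (rule.users is ANY or user.name in rule.users
           or rule.departments is ANY or user.department in rule.departments
           or rule.groups is ANY or bool(user.groups & rule.groups))
    where = rule.locations is ANY or user.location in rule.locations
    return who and where


def matching_users(rule: Rule, directory: List[User]) -> List[str]:
    return sorted(u.name for u in directory if rule_applies_to(rule, u))


def can_edit(admin: Scope, rule: Rule) -> bool:
    """Edit requires admin scope >= the scope carried by the rule (rank ignored)."""
    if admin.kind == "organization":
        return True
    criterion = rule.locations if admin.kind == "location" else rule.departments
    return criterion is not ANY and criterion <= admin.values


# Constructed directory for the two scenarios on the page.
DIRECTORY = [
    User("Anna", "HR", "Germany", frozenset({"HR-Group"})),
    User("Bruno", "IT", "France"),
    User("John Doe", "IT", "Belgium"),
    User("Clara", "Finance", "Germany"),
    User("Dmitri", "HR", "Spain", frozenset({"HR-Group"})),
    User("Eva", "Finance", "France", frozenset({"HR-Group"})),
]
ADMIN_A = Scope("location", frozenset({"Germany", "France"}))
RULE_A = Rule(ANY, ANY, ANY, frozenset({"Germany"}))
ADMIN_B = Scope("department", frozenset({"HR", "IT"}))
RULE_B = Rule(frozenset({"John Doe"}), frozenset({"HR"}), frozenset({"HR-Group"}),
              frozenset({"Germany", "France", "Belgium"}))

if __name__ == "__main__":
    print("Rule A reaches:", matching_users(RULE_A, DIRECTORY))
    print("Rule B reaches:", matching_users(RULE_B, DIRECTORY))
    print("Admin A can edit Rule B:", can_edit(ADMIN_A, RULE_B))
```

Rule A reaches only Anna and Clara, the users located in Germany. Rule B reaches Anna (HR), John Doe (explicitly selected), and Eva (HR-Group member outside HR), but not Dmitri, whose location is outside the rule, and not Bruno, who is in IT but was not selected. Admin A cannot edit Rule B because its location criterion includes Belgium, outside her scope.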
Assigning Scope for New Admins
If admins have permission to manage admins, their scope limits the scope that they can assign other admins. For example, if Admin A, who has scope over Germany, creates an admin, and she wants to assign a scope by location, only Germany is available as an option. However, if she wants to assign the admin a scope in the department category, she can choose any (or all) departments.
Access to Organizational Resources
Only admins who have scope over the entire organization can create or edit organization-wide policies, settings, and resources. For example, only admins with organizational scope can edit security policies or create custom URL categories.
Access to Admin Portal Features
Benefit of Role and Scope
The process of creating an admin by assigning a role and scope ensures that rules and settings configured by that admin are not impacted even if the admin account is modified or deleted at some point in the future. This is because a rule or setting is associated with an admin’s role (the role’s admin rank, to be specific) and scope rather than a particular admin. Furthermore, if an admin account is deleted, you do not lose all the distinct permissions and functional scopes associated with that admin. You can simply reassign the same role and scope to another admin.
For example, your organization’s CISO may have an admin account with access to all security-related policies and scope over the entire organization. If that CISO leaves the organization and the account is deleted, the policy rules created under it are not affected and remain in place. Further, you can assign the next CISO the same role and scope as the previous one, without redefining permissions and functional scopes from scratch.