Examples of Role-Based Administration

With role-based administration, organizations can easily add admins for specific purposes, with differing levels of access to the admin portal. Below are scenarios that illustrate how an organization can leverage Zscaler’s role-based administration to meet specific business needs.

HR Admins for Access Control Policies

Your organization has an office located in the US and another office located in the UK. You require admins with the following conditions:

  • For each office, you need an admin from HR to manage access control policies like URL filtering and bandwidth usage.
  • These admins are responsible for providing reports and analyses on employee web usage to measure productivity and ensure compliance.
  • They are ranked lower than the VP of HR (who has an admin account with an admin rank of 2) to ensure that the VP has final say on access control policies.
  • They have access to logs for an unrestricted period of time.
  • They have full access to Dashboard, Reporting, and Policy and View-Only access to Insights.
  • They do not have access to Administrators Access and cannot see real user names in logs.
  • They cannot view or make changes to any other policy beyond Access Control.
  • They do not need to receive Security, Product, or Service updates.
  • They can sign in to the Zscaler admin portal directly from the organization's SSO provider's portal, and do not need password-based login.

To create these admins, add two admin accounts with the specifications outlined below.

  1. Role: In Administration > Authentication > Role Management, add a new administrator role with the following specifications. (This role can then be assigned to both admins since they are performing the same tasks in the admin portal.)

  2. Scope: In Administration > Authentication > Administrator Management, add two new admins. Give the US admin the following specification:

  • Assign the US admin scope over the USA office location.
  • Leave Security Updates, Service Updates, and Product Updates turned off.
  • Leave Password Based Login turned off.

Give the UK admin the following specification:

  • Assign the UK admin scope over the UK office location.
  • Leave Security Updates, Service Updates, and Product Updates turned off.
  • Leave Password Based Login turned off.

Security Admins for Security Policies

Your organization requires admins with responsibility over security policy for the organization. However, you require two types of admin accounts: one for the CISO, and one for the Security Response Manager, with the following conditions:

  • A CISO admin account that has:
    • A higher admin rank than the Security Response Manager, but a lower rank than the CEO, who has an admin account with a rank of 1.
    • Access to logs for an unrestricted period of time.
    • Full access to Dashboards, Reporting, Policy, and View-Only access to Insights.
    • No access to Administrators Access.
    • Ability to view user names.
    • Ability to configure security policy for the organization.
    • Access to Security, Product, and Service updates.
    • Ability to sign in to the Zscaler admin portal directly from the organization's SSO provider's portal. (Password Based Login not required.)
  • A Security Response Manager admin account that has:
    • A lower admin rank than the CISO.
    • Access to logs for 30 days.
    • Full access to Dashboards and Reporting.
    • View-Only access to Insights and Policy.
    • No access to Administrators Access.
    • Ability to view user names.
    • Ability to view security policies but not configure them.
    • Access to Security, Product, and Service updates.
    • Ability to sign in to the Zscaler admin portal directly from the organization's SSO provider's portal. (Password Based Login not required.)

To create these admins, add accounts with the specifications outlined below.

  1. CISO Admin Account:
    • Role: In Administration > Authentication > Role Management, add a new administrator role with the following specifications.
    • Scope: In Administration > Authentication > Administrator Management, add an admin with the following specifications:
      • Select scope over the organization.
      • Turn on Security, Service, and Product Updates.
      • Leave Password Based Login turned off.
  2. Security Response Manager Admin Account:
    • Role: In Administration > Authentication > Role Management, add a new administrator role with the following specifications.
    • Scope: In Administration > Authentication > Administrator Management, add an admin with the following specifications:
      • Select scope over the organization.
      • Turn on Security, Service, and Product Updates.
      • Leave Password Based Login turned off.
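
One way to check that the two security admin accounts, once created, still match the conditions listed in this scenario, as an added example that is not Zscaler code. The record layout, field names, and sample values are assumptions for illustration, and the rank comparison assumes a lower number means a higher rank, as the CEO's rank of 1 implies.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Admin:                     # hypothetical record layout, not a Zscaler export
    name: str
    rank: int                    # lower number = higher rank (the CEO is rank 1)
    log_days: Optional[int]      # None = unrestricted log access
    access: dict                 # functional area -> "full" | "view-only" | "none"
    scope: str = "organization"
    sees_user_names: bool = True
    updates_on: bool = True
    password_login: bool = False

# Settings that differ between the two accounts in the scenario.
EXPECTED = {
    "ciso": {"log_days": None, "Policy": "full"},
    "srm":  {"log_days": 30,   "Policy": "view-only"},
}
# Settings both accounts share.
COMMON_ACCESS = {"Dashboards": "full", "Reporting": "full",
                 "Insights": "view-only", "Administrators Access": "none"}

def audit(admins: dict, ceo_rank: int = 1) -> list:
    """Return a list of findings; an empty list means the accounts match."""
    findings = []
    if not (ceo_rank < admins["ciso"].rank < admins["srm"].rank):
        findings.append("rank: expected CEO above CISO above SRM")
    for key, a in admins.items():
        want = dict(COMMON_ACCESS, Policy=EXPECTED[key]["Policy"])
        for area, level in want.items():
            got = a.access.get(area, "none")
            if got != level:
                findings.append(f"{a.name}: {area} is {got}, expected {level}")
        if a.log_days != EXPECTED[key]["log_days"]:
            findings.append(f"{a.name}: log access period is {a.log_days}")
        if a.password_login:
            findings.append(f"{a.name}: Password Based Login is on")
        if a.scope != "organization" or not a.sees_user_names or not a.updates_on:
            findings.append(f"{a.name}: scope, user-name or update setting differs")
    return findings

# Constructed sample: the SRM account has drifted (same rank as the CISO,
# full Policy access, Password Based Login turned on).
SAMPLE = {
    "ciso": Admin("ciso", 2, None, dict(COMMON_ACCESS, Policy="full")),
    "srm": Admin("srm", 2, 30, dict(COMMON_ACCESS, Policy="full"),
                 password_login=True),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```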