OOB CASB access control

My client has many SaaS apps including OneDrive, Sharepoint, and SalesForce. They would like to block access for all OOB users (internal employees and external collaborators) for their SaaS apps.

The OOB CASB documentation states that you can control access for internal employees and external collaborators, but it does not explain how. I’ve searched the Zscaler knowledge base and have gone through all the SaaS items on the ZIA portal (SaaS Security API and SaaS Application Tenants), but can’t find where you can control access for OOB users to your SaaS apps.

Does Zscaler OOB CASB allow you to control access or not?

OOB is always out of band. Not inline. For example. If there is malware or sensitive data in onedrive will be identified by dlp or malware policies and take out of band action. Its not inline. Actions will be based on the actions allowed by saas providers.

Right, OOB CASB allows you to apply DLP policies and prevent Malware.

The documentation also states that you can control access for OOB users (e.g., block user access to the SaaS app when the user is OOB). But, there does not seem to be a way to actual do this.


Will block if the connection is inline using url filtering,
cloud app controls, proxy , ssl inspection and so and so. OOB API will not block inline. You can leverage other capabilities.

Zscaler should update their documentation: You cannot control access to your sanctioned SaaS apps for out-of-band users.

If you are referring unmanaged user machines, there is a feature to protect your corporate saas tenant and sensitive data using identity proxy and browser isolation methods.

Lets discuss about your use cases, we shall try to derive the solution to protect the sensitive data on your corporate saas tenants.

Hi @GregL,
You can provide feedback to the online documentation by using the icon at the bottom of the article.
Could you please share the article you are referring to?