[VIDEO] Administrator / RBAC Management

When Branch or Cloud Connectors are booted, they automatically locate the geographically nearest and best performing Zscaler PoPs to connect to for both primary and secondary data tunnels. In some situations, however, a customer may wish to have more control over this automation. For instance, in some regulatory or compliance use-cases, a requirement exists that the ZIA proxy exists within the same country as where the traffic originates. Or, when private Virtual Zscaler Enforcement Nodes are deployed, a customer may wish to manually steer traffic towards these appliances instead of public gateways. Likewise, for troubleshooting purposes, allowing one to flexibly control where their Cloud Connector appliances terminate is advantageous. Furthermore, the ability to export logs off of the appliance itself can be granted when configuring a Log and Control Gateway.

In this video, we’ll explore:
[0:00 to 1:39] Overview of Role-Based Access Control within Cloud Connector portal
[1:39 to 3:38] Configuring and RBAC
[3:38 to 4:20] Key Takeaways


Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’re going to be discussing Administrators and Role Management within the Cloud Connector portal.

Zscaler’s role-based administration enables you to control what different admins can do in the Zscaler Cloud Connector Portal. You can delegate responsibilities among admins and granularly control their level of access to the Zscaler Cloud Connector Portal to ensure they do not create conflicting policies and settings.

To facilitate role-based administration, each admin account comprises a role and scope:

Using an admin role or partner admin role, you can specify which features admins can access in the Zscaler Cloud Connector Portal

Using an admin scope, you can specify which areas of the organization (for example, which departments or which locations) admins can configure policies or settings for in the Zscaler Cloud Connector Portal

A great example of where role-based administration within the Cloud Connector portal is when using service accounts. Service accounts are discussed in greater detail in the pre-requisite videos for AWS and Azure, but are used to authenticate and provision the Cloud Connector appliance. These types of accounts are not designed to be used for portal administration - only to authenticate and authorize a connecting appliance. Hence, we can use roles to limit the functionality and scope of these accounts, should they ever become compromised.

Zscaler provides a default admin account that has full access to the Zscaler Cloud Connector Portal and scope over the entire organization. This account cannot be edited or deleted. With role-based administration, you can add as many additional admins as necessary to meet the specific needs of the organization. You can also edit and delete admins as necessary at any time. Remember, Cloud Connector portal also supports SAML v2.0, so authentication for these accounts can be passed from the IdP.

To get started, navigate to the Role Management section within the Administration menu of the Cloud Connector portal. Note that a Super Admin role already exists with new deployments to provide unlimited access to the default administrator account…

Click Add Cloud Connector Role…

Provide a name for your new role. Here, we’ll assume that we are creating a service account role for our Cloud Connector appliances:

In our case, the account should never require dashboard access, so we can remove this functionality.

Likewise, our service account will never need to create or edit Templates, so we can remove this function as well.

Since our Cloud Connector appliances create new locations when they register, we’ll leave Location Management at full.

There’s no reason to provide API Key management access to this service account, so we’ll disable this function.

Obviously, this account is used for the purpose of provisioning new appliances, so we’ll set Cloud Connector Provisioning to full.

We won’t be creating any new administrators with this account, so we’ll disable Administrator Management.

Further, this account will not be used to adjust the traffic Forwarding policy, so we’ll set that to none.

Remote Assistance isn’t necessary either, so this will be set to View Only.

NSS Logging management should also be set to None.

Click the Save button…

Head over to the Administrator Management section of the Administration menu…

Click Add Cloud Connector Admin…

Provide a login ID. If using SAML, ensure this ID aligns with the SAML username that will be passed to the Cloud Connector portal upon successful authentication.

Provide an e-mail and friendly name for this account.

In the Role dropdown, select the role just created.

In the scope dropdown, choose whether this account is authorized to make changes at an Organization level (to all Cloud Connector locations), or on a specific location only. This can be useful for organizations that have geographically dispersed IT departments. Here, we’ll leave it at Organization.

Set a password for the account and click the save button. That’s it! Your new account is ready to use.

You may choose to do a test login of the account before providing the credentials to the end-user or device. In our case, we disabled dashboard access, so our message here is normal.

– Cloud Connector portal provides administrator management and role-based access control.

– A default super-admin account is provided when the portal is initially provisioned. This account cannot be removed or edited.

– Portal account privileges are controlled through roles and scopes. Roles define the individual permissions of an account while scope defines the areas of the organization in which this account is allowed to exercise its roles

– You can configure new roles in the Role Management section of the Cloud Connector portal. These roles and a subsequent scope can then be tied to the account through the Administrator Management section of the portal.

1 Like