Zscaler administrators override groups

Hello community,

When we assign an administrator’s role to a user that is already enrolled with Zscaler, this overrides the groups of the user and only leaves the default group “Service Admin”.
We have Azure AD as the IdP.
I don’t know why the groups attributes do not reappear, is this normal behaviour?
Thanks,
Jenny

Hi @70036f8b1a65b3a0dfb5, admins need to be provisioned separately from users; this should be done from the Manage Administrators screen.

Assigning the Service Admin group to a user will not give said user admin privileges.

Hope this helps,
Scott-

Hello Scott,

Thank you for your answer.
Yes, we are creating the administrators from the Administrator management of course.
Let me rephrase it:
1. We provision users with SCIM, so it should update a user’s groups automatically.
2. Our identity provider is Azure AD and we are using SAML for authentication.
3. We have, for example, user 1, who is working perfectly fine using the Zscaler Client Connector and has the group “group 1”, for example, assigned to him.
4. I create an administrator for user 1; we aren’t using SAML for the administrator authentication.
5. User 1 now can’t work with the Zscaler Client Connector because group 1 is no longer assigned to him.
6. User 1 now has only the group “Service Admin” assigned to him.
7. SCIM isn’t updating the user’s groups.

Is this the expected behaviour?
Thanks,
Jenny

It’s my understanding the username for the user/admin should be unique. Tagging @mjasyal to be certain.


Yes. This is expected behavior. When you create an admin account with the same username, it deletes all the user attributes previously associated with the user. After the creation, if those groups/departments are updated again, then it will learn and retain that information.
One way to fix this issue is:

  1. Create the Admin account
  2. Once the account has been created, you’ll notice that the group/department information is lost
  3. On Azure, remove the user from the Zscaler auth application. This will trigger a SCIM update to remove the user from the DB.
  4. After an hour, add the user back in the application. This will trigger another SCIM update to add the user back in, along with the right groups and departments.

Hello Manish, Scott,

Thank you so much for the clarification. We are only using ZIA and not ZPA, so by design SCIM will push group updates without adding/deleting the user, no?
Also, when we deleted this admin, his user (the same login ID) was also deleted. Is this also the expected behaviour?
Thanks,
Jenny

I don’t understand your first question.
Regarding the second question, yes. The user gets deleted when the admin account gets deleted.

Hello Manish,

Thank you again for your answer.
My first question was that, supposedly, with SCIM you do not need to add/delete a user for the group updates to be pushed, no?

If a user gets deleted, shouldn’t he be synced again with SCIM automatically with no action from our end?

Thanks,
Jenny

Not exactly. When the IdP syncs the user through SCIM, it has no visibility into what happened to the user after it was synced. So if the user got deleted on Zscaler for any reason, or if the groups got removed, then there is no way for the IdP to know about this occurrence. So the only way to get that information again is to manually remove and re-add the user on the IdP side.
If, however, there is any change on the IdP end, then it will immediately inform Zscaler about the change via SCIM.


We just faced this same issue and added the user back into the IdP (Azure AD). SCIM provisioning just brought the deleted user account back, and it is now showing up in User Management.

Will be looking at removing all of our admin accounts and recreating them as unique accounts so we don’t run into the Service Admin clash with the regular account IDs.
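A small audit for the two symptoms this thread describes (a user login ID that is also an administrator login ID, and a user whose SCIM-provisioned groups and department have collapsed to only the default “Service Admin” group). This is an added example, not code from Zscaler or from anyone in the thread; the record layout (`login`, `groups`, `department`) and the sample data are assumptions, so map the field names to whatever your user and administrator exports actually contain.

```python
# Added example: audit a user export and an admin export for the login-ID clash
# and the "only Service Admin group left" symptom described in the thread.
# The field names below are an assumption about the export format.

SERVICE_ADMIN_GROUP = "Service Admin"

# Constructed sample data standing in for a ZIA user export and admin export.
SAMPLE_USERS = [
    {"login": "user1@example.com", "groups": ["Service Admin"], "department": ""},
    {"login": "user2@example.com", "groups": ["group 1"], "department": "Sales"},
    # A user whose groups were re-learned after the IdP-side remove/re-add.
    {"login": "user3@example.com", "groups": ["group 1", "Service Admin"], "department": "IT"},
]
SAMPLE_ADMINS = [
    {"login": "user1@example.com"},            # clashes with a regular user
    {"login": "zs-admin-scott@example.com"},   # unique admin login, no clash
]


def find_admin_collisions(users, admins):
    """Return user logins that are also used as administrator logins."""
    admin_logins = {a["login"].casefold() for a in admins}
    return sorted(u["login"] for u in users if u["login"].casefold() in admin_logins)


def find_collapsed_users(users):
    """Return logins whose only group is Service Admin and whose department is
    empty, i.e. users whose IdP-provisioned attributes were wiped."""
    hits = []
    for u in users:
        groups = set(u.get("groups", []))
        if groups == {SERVICE_ADMIN_GROUP} and not u.get("department"):
            hits.append(u["login"])
    return sorted(hits)


def audit(users, admins):
    """Run both checks; logins in both sets are the ones to fix first
    (either re-sync them from the IdP or recreate the admin with a unique login)."""
    collisions = set(find_admin_collisions(users, admins))
    collapsed = set(find_collapsed_users(users))
    return {
        "collisions": sorted(collisions),
        "collapsed": sorted(collapsed),
        "needs_resync": sorted(collisions & collapsed),
    }


if __name__ == "__main__":
    for key, logins in audit(SAMPLE_USERS, SAMPLE_ADMINS).items():
        print(f"{key}: {', '.join(logins) or '-'}")
```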