# Zscaler

{% hint style="warning" %}
**Early Access:** The Zscaler integration is provided as an Early Access feature. Please contact our support team for more details.
{% endhint %}

## Overview

Zscaler is a cloud-based security platform that provides secure internet and private application access. The Veza integration for Zscaler enables visibility into Zscaler access controls by discovering users, administrators, groups, and roles. This integration enables:

* Map access across users, groups, and administrative roles
* Identify accounts with elevated admin privileges
* Analyze role-based access control and permission assignments
* Track administrative scope and user status across the Zscaler tenant

See [Notes and supported entities](#notes-and-supported-entities) for details on discovered data.

## Prerequisites

Before configuring the integration:

* **Network connectivity**: Connection from Veza to Zscaler via a [deployed Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) or direct connection
* **Service account**: A Zscaler admin account with **read-only** access. The integration only reads user, group, and role data from Zscaler APIs, so full administrator privileges are not required
* **API key**: A Cloud Service API key generated from the Zscaler admin portal

| Requirement        | Details                                                                                                                                                                                                                                |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Zscaler admin role | An admin account with the **View Only** role (or higher). See Zscaler's documentation on [managing roles and permissions](https://help.zscaler.com/workflow-automation/managing-roles-and-permissions) for details on available roles. |
| API key            | A Cloud Service API key generated from the Zscaler admin portal                                                                                                                                                                        |

{% hint style="info" %}
For security best practices, Veza recommends creating a dedicated service account with the **View Only** admin role, following the principle of least privilege.
{% endhint %}

## Configuring Zscaler

Before adding the integration to Veza, create an API client on the Zscaler platform for the connection. For detailed instructions on managing API keys and admin roles, see the [official Zscaler documentation](https://help.zscaler.com/workflow-automation/managing-roles-and-permissions).

1. Browse to your Zscaler instance's admin portal (e.g., `https://admin.zscalerthree.net/`) and log in.
2. In the left-hand navigation menu, click **Administration**, then click **Cloud Service API Security** under the **Authentication** heading.
3. Click **Add API Key** in the upper-left corner of the screen to create a new API key, or record the value in the **Key** column for an existing key.
4. Record the **Base URL** value shown at the top of the screen (e.g., `zsapi.zscalerthree.net/api/v1`). The segment between `zsapi.` and `.net` (here, `zscalerthree`) is the **Cloud Name** required during Veza configuration.

**Required permissions:**

| Permission                           | Purpose                                                                         |
| ------------------------------------ | ------------------------------------------------------------------------------- |
| **View Only** admin role (or higher) | Enables Veza to read users, groups, roles, and admin users from the Zscaler API |

## Configuring Zscaler on the Veza platform

1. In Veza, go to the **Integrations** page.
2. Click **Add Integration** and search for Zscaler.
3. Click **Next** to begin configuration.
4. Enter the required information (see table below).
5. Click **Create Integration** to save and start the first extraction.

### Configuration options

| Field             | Required | Notes                                                                   |
| ----------------- | -------- | ----------------------------------------------------------------------- |
| **Insight Point** | Yes      | Choose default data plane or deployed Insight Point                     |
| **Name**          | Yes      | A unique display name for this Zscaler connection                       |
| **Api Key**       | Yes      | The Cloud Service API key created on the Zscaler platform               |
| **Cloud Name**    | Yes      | The Zscaler cloud name (e.g., `zscalerthree`)                           |
| **User Name**     | Yes      | The username of an admin account with at minimum the **View Only** role |
| **Password**      | Yes      | The password for the admin account                                      |

## Notes and supported entities

Zscaler manages access through users, groups, and administrative roles. Standard users are assigned to groups and may or may not have admin privileges. Admin users are assigned an administrative role that carries a set of permissions.

Users without an explicit admin role assignment are automatically given a `default` role.

### Discovered entities

Veza discovers the following entity types:

* **Zscaler User**: User accounts, including both standard and admin users
* **Zscaler Group**: Groups used to organize users
* **Zscaler Role**: Administrative roles with associated permissions

### Key attributes

#### User

| Veza Attribute                    | Zscaler Attribute             | Notes                                                                                            |
| --------------------------------- | ----------------------------- | ------------------------------------------------------------------------------------------------ |
| `Is Active`                       | Derived                       | `true` when the user is neither deleted nor disabled. For admin users, based on disabled status only |
| `email`                           | `email`                       | User's email address                                                                             |
| `admin_user`                      | —                             | Derived; `true` if the user has an admin role assignment                                         |
| `admin_scope`                     | `adminScope`                  | Administrative scope for admin users                                                             |
| `department`                      | `department.name`             | The user's department name                                                                       |
| `comments`                        | `comments`                    | Comments on the user object (truncated to 4096 characters)                                       |
| `zscaler_user_type`               | `type`                        | The user's type (SUPERADMIN, ADMIN, AUDITOR, GUEST, REPORT\_USER, or UNAUTH\_TRAFFIC\_DEFAULT)   |
| `temp_auth_email`                 | `tempAuthEmail`               | Temporary email used for initial user authentication                                             |
| `is_auditor`                      | `isAuditor`                   | Admin users only. `true` if the user is marked as an auditor                                     |
| `is_noneditable`                  | `isNonEditable`               | Admin users only. `true` if the user is marked as noneditable                                    |
| `is_password_expired`             | `isPasswordExpired`           | Admin users only. `true` if the user's password is expired                                       |
| `is_password_login_allowed`       | `isPasswordLoginAllowed`      | Admin users only. `true` if the user can log in with a password                                  |
| `is_exec_mobile_app_enabled`      | `isExecMobileAppEnabled`      | Admin users only. `true` if executive mobile app access is enabled                               |
| `is_security_report_comm_enabled` | `isSecurityReportCommEnabled` | Admin users only. `true` if security report communications are enabled                           |
| `is_service_update_comm_enabled`  | `isServiceUpdateCommEnabled`  | Admin users only. `true` if service update communications are enabled                            |

{% hint style="info" %}
Attributes marked "Admin users only" are populated only for users with an admin role assignment. These attributes will be empty for standard (non-admin) users.
{% endhint %}

#### Group

| Veza Attribute | Zscaler Attribute | Notes                                                       |
| -------------- | ----------------- | ----------------------------------------------------------- |
| `comments`     | `comments`        | Comments on the group object (truncated to 4096 characters) |

#### Role

| Veza Attribute   | Zscaler Attribute | Notes                                                                           |
| ---------------- | ----------------- | ------------------------------------------------------------------------------- |
| `is_auditor`     | `isAuditor`       | `true` if the role applies to auditors                                          |
| `is_noneditable` | `isNonEditable`   | `true` if the role is marked as noneditable                                     |
| `rank`           | `rank`            | Admin rank for the role (roles of higher rank can manage objects at lower rank) |

### Permissions and effective access

Zscaler permissions are tied to administrative roles. Each role carries a set of named permissions defined in the Zscaler platform. Veza maps these permissions to the role entity in the Access Graph.

Roles without explicit Zscaler permissions are mapped with an `Uncategorized` permission type. Standard users without an admin role assignment receive a synthetic `default` role with `Uncategorized` permissions.
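The derivation rules above (the `Is Active` and `admin_user` attributes, the 4096-character comment limit, and the synthetic `default` role with `Uncategorized` permissions) as a worked mapping, written as an added example rather than Veza's own connector code. The raw field names `deleted`, `disabled`, `role` and the sample records are assumptions constructed for illustration; `adminScope`, `comments` and the role permission list follow the attribute tables on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

COMMENT_LIMIT = 4096  # comments are truncated to 4096 characters per the attribute table

@dataclass
class ZscalerRole:
    name: str
    permissions: List[str]  # named Zscaler permissions; may be empty

@dataclass
class VezaUser:
    email: str
    is_active: bool
    admin_user: bool
    role: str
    permissions: List[str]
    admin_scope: Optional[str]
    comments: str

def map_user(record: dict, admins: Dict[str, dict], roles: Dict[str, ZscalerRole]) -> VezaUser:
    """Map one raw Zscaler user (plus its admin record, if any) to Veza attributes.
    `deleted`, `disabled` and `role` are assumed raw field names, not from the page."""
    admin = admins.get(record["email"])
    if admin is not None:
        is_active = not admin.get("disabled", False)            # admins: disabled status only
        role_name = admin["role"]
        perms = roles[role_name].permissions or ["Uncategorized"]  # role with no permissions
        scope = admin.get("adminScope")
    else:
        is_active = not record.get("deleted", False) and not record.get("disabled", False)
        role_name, perms, scope = "default", ["Uncategorized"], None  # synthetic default role
    return VezaUser(record["email"], is_active, admin is not None, role_name, perms,
                    scope, record.get("comments", "")[:COMMENT_LIMIT])

def map_all(users, admins, roles) -> Dict[str, VezaUser]:
    return {u["email"]: map_user(u, admins, roles) for u in users}

def active_admins(mapped: Dict[str, VezaUser]) -> List[str]:
    """Accounts with elevated privileges that can still log in."""
    return sorted(e for e, u in mapped.items() if u.admin_user and u.is_active)

# Constructed sample data (not real Zscaler API output); permission names are made up.
SAMPLE_USERS = [
    {"email": "alice@example.com", "deleted": False, "disabled": False, "comments": "x" * 5000},
    {"email": "bob@example.com", "deleted": True, "disabled": False},
    {"email": "carol@example.com", "deleted": False, "disabled": False},
    {"email": "dave@example.com", "deleted": False, "disabled": False},
]
SAMPLE_ADMINS = {"carol@example.com": {"role": "Super Admin", "disabled": False, "adminScope": "ORGANIZATION"},
                 "dave@example.com": {"role": "Custom Empty", "disabled": True, "adminScope": "DEPARTMENT"}}
SAMPLE_ROLES = {"Super Admin": ZscalerRole("Super Admin", ["ACCESS_CONTROL", "POLICY_MANAGEMENT"]),
                "Custom Empty": ZscalerRole("Custom Empty", [])}
MAPPED = map_all(SAMPLE_USERS, SAMPLE_ADMINS, SAMPLE_ROLES)
```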
