Zscaler Policies and Objects

After you create a Zscaler Policy Orchestration Point, a Discovery is automatically initiated and currently defined policies and objects in Zscaler are identified and mapped to the relevant building blocks and Policies of the Platform.

Policy and Object Discovery

Once discovered and mapped, the objects will appear both on the Orchestration Workspace as well as relevant Identity and/or Authorization Workspaces, as detailed below.

Identity Workspace Changes Following Discovery

For each Identity Source, a unique Identity Workspace is created within the Platform Environment. In each Identity Workspace, for each fetched attribute in Zscaler, a corresponding Attribute in the Identity Template is created. See Mapping Identity Attributes and Mapping Attribute Sources.

Authorization Workspace Changes Following Discovery

The Policies from the Zscaler tenant appear in the Authorization Workspace after the initial Discovery. When you click on a Policy in the Workspace, the Policy Details screen opens, showing the associated Application (Zscaler), and the Zscaler POP details. Each ZPA Policy that is mapped to the Platform can be seen as a visual representation by clicking on the Map button or as structured Rego code, by clicking on the Code button.

When viewing the Map, you can click on elements of the Policy, such as the Identities

• When you click on the Identity icon in the Map, the Identity side panel opens, displaying information about the name and description of the Identity, as well as the Set or Rules. Here, the Identity Attribute discovered in Zscaler is displayed, as well as the Value. The value shows which Identity type is given access to the Applications for this Policy.
• When you click on the Applications icon in the Map, you can see the Assets, such as which Application Segment or Application Segment Group is defined for this Policy.

Note that when creating a Policy from a third party vender (such as Zscaler ZPA), a Fill in POP Details section appears on the Details tab of the Policy Settings screen.

This section is created automatically during the discovery process and contains:

• Vendor Policy ID
• Vendor Policy Name
• Order

Orchestration Workspace Changes Following Discovery

In the Orchestration Workspace, Policies are listed on the Vendor Policies tab. Zscaler Application Segments and Application Segment Groups are are listed on the Objects tab. You can configure an Application Segment or an Application Segment Group to be used as an Identity Information Source.

When either an Application Segment or an Application Segment Group is configured to be used as an Identity Information Source, they can be used in Rules that determine the Policy logic.