Zscaler ZPA question: How are you handling the access controls to the applications within ZPA? It seems using group-based access controls would be unmanageable. Role-based might now be much better... Just curious what others are doing to define the access controls. Do they support token-based attributes (i.e. SAML) which can be read and used?
We can configure the correct policies on Zscaler to take action on the basis of the matched condition.
In Zscaler ZPA, access controls to applications are managed through policies based on user identity, device posture, and contextual information. These policies define who can access specific applications and under what conditions, ensuring secure and granular access control.
We've integrated role-based access controls, utilizing SAML solutions like time-based tokens and push notifications for added security. Single Sign-On (SSO) is also implemented to mitigate password security concerns, streamlining user authentication across our systems. However, periodic user access reviews are conducted monthly, ensuring access rights are granted on a need-to-know basis upon managers' approvals.
Zscaler Private Access (ZPA) is a cloud-delivered service designed to provide secure access to applications and data, regardless of the user's location. It uses a Zero Trust Network Access (ZTNA) model, meaning that it does not trust any user or device by default, even if they are inside the corporate network.
Access controls in ZPA can be configured based on various factors, and it does provide flexibility in defining access policies. However, the specific features and capabilities may have evolved since my last update. As of my last information:
User and Device Context:
ZPA allows you to define access policies based on user identity, device posture, and other contextual factors. This helps in implementing a more dynamic and context-aware access control.
Zscaler App Connector:
Access controls can be defined using the Zscaler App Connector, which establishes a secure connection between the user's device and the authorized applications. Policies can be set to grant or deny access based on various attributes.
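To make concrete the attribute-based approach the question asks about and the three policy factors the answers name (user identity, device posture, context), here is an added illustration that is not Zscaler code and not any poster's: it pulls attributes such as `role` from a constructed SAML assertion and evaluates hypothetical per-application rules against them, the device posture and the request context, defaulting to deny. The rule model, attribute names and posture check names are all assumptions, not ZPA's own schema.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real IdP response). A real assertion must
# have its signature verified before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>finance-analyst</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return attribute name -> values from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs

@dataclass
class Rule:
    app: str
    required_attrs: dict[str, set[str]]          # each attribute must carry one of the listed values
    require_posture: set[str] = field(default_factory=set)  # posture checks that must all pass
    allowed_countries: set[str] | None = None    # None means no geo restriction

# Hypothetical rules: identity comes from SAML attributes, not from enumerated groups
RULES = [
    Rule("erp-finance", {"role": {"finance-analyst", "finance-manager"}},
         {"disk_encrypted", "edr_running"}, {"US", "DE"}),
    Rule("wiki", {"department": {"finance", "engineering"}}),
]

def decide(app: str, attrs: dict[str, list[str]], posture: dict[str, bool], context: dict) -> str:
    """ALLOW if any rule for the app matches attributes, posture and context; otherwise DENY."""
    for rule in RULES:
        if rule.app != app:
            continue
        identity_ok = all(set(attrs.get(name, [])) & allowed
                          for name, allowed in rule.required_attrs.items())
        posture_ok = rule.require_posture <= {k for k, ok in posture.items() if ok}
        geo_ok = rule.allowed_countries is None or context.get("country") in rule.allowed_countries
        if identity_ok and posture_ok and geo_ok:
            return "ALLOW"
    return "DENY"  # default deny: no matching rule means no access
```

A failed posture check or an out-of-policy country denies access even when the SAML role matches, which is the layered behaviour the answers above describe.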