Permission differences between connected and hosted Collectives

This section describes key differences in AppGate ZTNA admin permissions between hosted and connected Collectives. Understanding these differences helps you assess any impact on your operational processes.

To protect hosted Collectives, their hosted resources, and ZTP, restrictions apply to the capabilities described below.

NOTE

This section does not list every difference between deployment models. AppGate plans to reduce these differences over time through the AppGate ZTNA and ZTP roadmaps. Contact your AppGate representative for information about current differences.

Resource Tags

By default, AppGate ZTNA applies the "Customer" tag to each resource—such as policies, entitlements, and claim scripts—and to each ZTNA admin account. ZTNA admins cannot currently create, assign, edit, or remove additional tags. A future release of AppGate ZTNA will address this limitation.

Remediation: Contact Support for assistance.

Admin Roles

Newly provisioned hosted Collectives include a "Customer Administrator" role by default. This role gives the ZTNA admin the maximum set of permissions currently supported in the hosted deployment model.

When you migrate a Collective from a connected or isolated deployment, AppGate ZTNA modifies all existing admin roles as needed to restrict permissions that could disrupt AppGate's ability to securely host and manage the Collective.

ZTNA admins cannot currently create new admin roles or modify the configuration of existing admin roles.

Remediation: Contact Support for assistance.

Appliance Settings

Permissions for managing appliances depend on where the appliance is deployed. ZTNA admins have all permissions needed to provision, configure, and manage AppGate ZTNA appliances deployed outside ZTP.

For all hosted appliances, ZTNA admins have view-only permissions.

Global Settings

ZTNA admins can view, but not modify, settings on the Global Settings screen of the ZTNA admin UI.

Remediation: Contact Support for assistance.

Denylisted Users

ZTNA admins can view, but not modify, the Denylist.

Remediation: Contact Support for assistance.

MFA for Administrators

ZTNA admins can view, but not modify, the MFA for Admins settings. This restriction ensures AppGate privileged operators retain access to monitoring and support functions.

NOTE

AppGate privileged operators are the individuals who manage, monitor, and operate ZTP and hosted AppGate ZTNA resources at AppGate.

Remediation: Restrict access to the ZTNA admin UI to users connecting through an AppGate ZTNA client, then enforce multifactor authentication using one or both of the following methods:

  • Enforce MFA through the connected identity provider at authentication.

  • In the entitlement for that access, require a user action that triggers a one-time password (OTP) request.

Contact Support for additional assistance.

Default Site

In newly provisioned hosted Collectives, ZTNA admins can view, but not modify, the Default Site. Upon request, a designated AppGate privileged operator removes this Site, and you replace it with a customer-defined Site.

Remediation: Contact Support for assistance.