ZPA — Zscaler Private Access
~80 tools across application segments, server groups, access policies, app connector groups, PRA, and isolation.
Tool families
- Application Segments — Standard + BA + PRA segments, including get_zpa_app_segments_by_type
- Access Policies — Access, forwarding, timeout, isolation rules
- Policy Registry — Umbrella policy registry tools
- App Connector Groups + Connectors — Plus enrollment certificates
- Server Groups, Segment Groups, Service Edge Groups — Network primitives
- Provisioning Keys — Edge / connector enrollment
- Application Servers — Legacy per-server objects
- PRA Portals + Credentials — Privileged Remote Access
- BA Certificates — Browser Access certificates
- App Protection — Inspection policies + profiles
- Posture, Trusted Networks, Isolation — Conditional-access primitives
- IdP, SAML/SCIM Attributes, SCIM Groups — Identity surfaces
- Microtenants — Per-microtenant scoping
Critical gotcha
⚠️ ZPA dependency chain matters. To onboard an application:
1. Create app connector group
2. Create server group (references the connector group)
3. Create segment group
4. Create application segment (references both)
5. Create access policy rule
Skipping dependencies causes cryptic 400 errors.
⚠️ customer_id is required. Every ZPA tool needs ZSCALER_CUSTOMER_ID in the environment.
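A pre-flight check for the two gotchas above, written as an added example (not code from this project): it sorts a planned set of ZPA objects into the creation order listed and reports missing references or a missing ZSCALER_CUSTOMER_ID before any tool is called. The function name, the kind labels and the plan format are assumptions made for illustration.

```python
import os

# Creation order and references as listed above. Kind names are labels for this
# example, not tool names. Assumption: the access policy rule references the
# application segment (the page only says the rule is created last).
REQUIRES = {
    "app_connector_group": [],
    "server_group": ["app_connector_group"],
    "segment_group": [],
    "application_segment": ["server_group", "segment_group"],
    "access_policy_rule": ["application_segment"],
}
ORDER = list(REQUIRES)

def preflight(plan, existing=(), env=None):
    """Return (plan sorted into creation order, list of problems).

    plan: dicts {"kind", "name", "refs": {kind: name}}; existing: (kind, name)
    pairs already present in the tenant.
    """
    env = os.environ if env is None else env
    problems = []
    if not env.get("ZSCALER_CUSTOMER_ID"):
        problems.append("ZSCALER_CUSTOMER_ID is not set")
    known = set(existing) | {(o["kind"], o["name"]) for o in plan}
    for obj in plan:
        kind, name = obj["kind"], obj["name"]
        if kind not in REQUIRES:
            problems.append(f"{name!r}: unknown kind {kind!r}")
            continue
        for dep in REQUIRES[kind]:
            ref = obj.get("refs", {}).get(dep)
            if ref is None:
                problems.append(f"{kind} {name!r}: no {dep} reference")
            elif (dep, ref) not in known:
                problems.append(f"{kind} {name!r}: {dep} {ref!r} not found")
    valid = [o for o in plan if o["kind"] in REQUIRES]
    return sorted(valid, key=lambda o: ORDER.index(o["kind"])), problems

# Constructed sample: out of order, and the segment group is missing.
SAMPLE_PLAN = [
    {"kind": "application_segment", "name": "crm-app",
     "refs": {"server_group": "crm-servers", "segment_group": "crm-segments"}},
    {"kind": "access_policy_rule", "name": "allow-crm",
     "refs": {"application_segment": "crm-app"}},
    {"kind": "server_group", "name": "crm-servers",
     "refs": {"app_connector_group": "dc1-connectors"}},
    {"kind": "app_connector_group", "name": "dc1-connectors"},
]
```

Run the plan through preflight and create objects only when the problem list is empty, in the returned order.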
Toolsets
ZPA is split into 19 resource-family-scoped sub-toolsets:
- zpa_app_segments, zpa_access_policies, zpa_policy
- zpa_app_connector_groups, zpa_connectors
- zpa_server_groups, zpa_segment_groups, zpa_service_edge_groups
- zpa_provisioning_keys, zpa_application_servers
- zpa_pra, zpa_ba_certificates, zpa_app_protection
- zpa_posture, zpa_trusted_networks, zpa_isolation
- zpa_idp, zpa_microtenants, zpa_misc
See Toolsets for the full list.