Versions Compared

Version Old Version 22 New Version 23
Changes made by

Matt McIrvin

Dana Ward

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note: If selecting “Yes - Reviewers get an additional option to request a Change to the existing permission” for “Allow Requesting Permission Change”, any review marked as Change will be tracked on the Report tab as a Revoke.The last several settings all have to do with controlling how review items are automatically assigned to a reviewer, and, in some cases, automatically pre-processed. This can save your organization a lot of time.

  • Allow self-review: This setting can be used to control whether reviewers are allowed to review their own permissions. By default, there is no restriction on this.

    • If this is set to “Reassign self reviews to the application Technical Owner”, then when populating the campaign, a review that would go to the reviewee will instead go to the Technical Owner, or if that is not possible, to the first available campaign monitor (or if neither is possible, it will remain unassigned).

    • If this is set to “Reassign self reviews to the application monitor”, then a review that would go to the reviewee will instead go to the first available campaign monitor, or if that is not possible, to the Technical Owner (or if neither is possible, it will remain unassigned).

    • This setting also disables the individual reassignment of reviews to the reviewee. In bulk reassignments and review delegation, the above rules will be honored.

  • Require Comments: By default, reviewers' comments on review items are optional. With this setting, you can make them mandatory for certain review actions: Maintain actions, Revoke actions, or all actions. Zilla will require the reviewer to enter an explanatory comment when they make the selected type(s) of action.

    • If Change actions are enabled, “Require comments on all actions” will make comments mandatory for them.

  • Require Comments on Flagged Items/Violations: This makes review comments mandatory for any review items that have policy violation flags on them (currently, this applies to Segregation of Duties violations).

The last several settings all have to do with controlling how review items are automatically assigned to a reviewer, and, in some cases, automatically pre-processed. This can save your organization a lot of time.

  • Limit Review to Unreviewed Permissions: If set to “Yes”, this allows you to limit the review only to permissions that have not already been reviewed within some period of time. The default is 90 days.

    • Note that for this feature to filter out permissions, the permissions must have been continuously present in Zilla since they were was last reviewed. If the permissions were removed from Zilla since then by an application sync (including CSV upload) and then reconstituted by another sync, Zilla will treat them as new permissions that need to be reviewed again.

  • Limit Review by Account Type: Your application may have distinct types of account (actual users vs. bots, guest accounts, admin accounts, etc.) You can filter the review here to only cover accounts of certain types.

    • You can choose to only include certain account types, or to exclude certain account types and include all others. The types are a comma-separated list that is case-insensitive: for example, User,BOT,guest

    • Special feature: Reviewing groups. Zilla represents user groups as accounts with the type “Group”. In many applications (e.g. Azure Active Directory), the permissions belonging to these accounts will then be inherited by group members. By default, Zilla access reviews exclude accounts of type “Group”. By changing this setting to “No limit”, or by explicitly including groups, you can choose to review the permissions belonging to groups just as you would the permissions belonging to any type of account.

    • Note that this option filters on the type of the account, rather than the type of the permission (which you can do on a per-application basis, covered under “Limiting permission types in the review” above).

See the following pages explaining some specific settings:

  • Business rolesGenerate Review Based on Pre-defined Business Roles: Automatically filtering access reviews using business roles

  • Designated Reviewers and Delegates: Fine-tuning review assignments with Designated Reviewers and Review Delegates

  • Assign Review to Resource Owner: Some permissions are resource permissions, having to do with access to or control of a particular application resource, such as a database. In some cases, these resources have a resource owner already defined. If “Assign Review to Resource Owner” is set to Yes, these review items will be automatically assigned to the resource owner. This setting takes precedence over Designated Reviewers, but not over delegation; that is, if the resource owner has a delegate, the delegate will be the reviewer.

  • Assign Review to Permission Owner: Some permissions (permissions, roles, groups, etc.) may have a permission owner already defined. (This can be set by editing the Available Permissions pane of the application’s Profile tab, as described in https://zilla.atlassian.net/wiki/spaces/ZILLASUP/pages/edit-v2/2352775169?draftShareId=ddaf37c2-6f29-4d65-9ab1-a8a213d1d509 ). If “Assign Review to Permission Owner” is set to Yes, these review items will be automatically assigned to the permission owner. This setting takes precedence over assignment to Designated Reviewers and Resource Owners, but not over delegation; that is, if the permission owner has a delegate, the delegate will be the reviewer.

...

The custom message at the top will be incorporated into notifications sent to reviewers when the campaign launches, letting them know they have a review to do. The campaign can also send automated reminders some numbers number of days after the campaign starts , or some number of days before it is due to end. (Note that in the second case, if the campaign’s end date is less than this number of days in the future, the reminders will go out immediately!)

For further customizations to the emails Zilla sends on your behalf, such as (but not limited to) changing greetings, language or updating logos, please contactsupport@zillasecurity.com.

If you enable these features, additional controls will appear. You can separately customize the reminder messages for these emails , and control whether or not the reviewer’s manager will get a Cc: of the email.

...