Automatically filtering access reviews using business roles

Business roles are a Zilla feature that we can set up for your organization to make the access review process faster and easier. A business role is a named role that is assigned automatically based on attributes of a user's record (the user's title, department, or any other property present in the user's record in Zilla, including custom metadata your organization has defined), and it carries a set of authorized application permissions with it.

Viewing business roles

When you have business roles set up in Zilla, you can see them in the “Business Roles” tab under Settings:

Here, for instance, all users in the Engineering department are considered to have the "Engineering Staff" role, which includes certain named permissions for Jira and Confluence. When you run an access review that includes these apps, you can have Zilla automatically maintain these particular permissions, so there is no need to review each of them manually.

Campaign settings for using business roles

Any type of campaign can take advantage of this feature during the preview stage, before the campaign is launched. When you create a new supervisory or application access review campaign, go to the campaign's About tab and click "Campaign Settings > Edit". If business roles have been set up for your organization, you will see an additional option at the bottom of the dialog, "Generate Review Based on Pre-defined Business Roles":

If this is set to “No”, all permissions for the selected users and apps will appear in the review, subject to the constraints of the other settings.

There are two “Yes” options.

  • "Yes - Only review permissions that are exceptions to the pre-defined business roles" omits in-role permissions entirely. Only permissions that are not covered by a given user's roles are included in the review. (With judiciously chosen roles, this can pare the review down considerably. Keep in mind that in-role permissions then get no reviewer at all, so the accuracy of the role definitions themselves is what stands in for that review.)

  • Suppose you don't want in-role permissions to go completely unnoticed in the review, but you still want to speed things along. Selecting "Yes - Include permissions matching business roles in the review but mark them as maintained and assigned to the business owner." does two things:

    • The permissions that match the user’s roles will remain included in the review, but the review items will be automatically pre-marked “Maintain”.

    • Those review items are reassigned to the owner of the application as reviewer, even if this is not an application-owner review. If everything looks correct, the app owner can simply submit them all together.

Note: Permissions belonging to inactive or deleted users are never omitted from a review and never pre-marked "Maintain", whichever option is selected. They always appear as ordinary review items.
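To make the three settings and the inactive-user rule concrete, here is a small Python model of how role filtering shapes the set of review items. It is an illustration added to this article, not Zilla's code: the users, the "Engineering Staff" role contents, the supervisors and the mapping of apps to business owners are all constructed for the example, and the mode names are just labels for the three dialog options.

```python
"""Model of how business-role filtering shapes an access review.

Added illustration, not Zilla's code. The user records, role contents,
supervisors and app-owner mapping below are constructed for the example;
only the three settings and the inactive-user rule come from the article.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NO = "no"                                        # review every permission
EXCEPTIONS_ONLY = "exceptions_only"              # omit in-role permissions entirely
MAINTAIN_AND_REASSIGN = "maintain_and_reassign"  # keep them, pre-mark Maintain, send to app owner


@dataclass(frozen=True)
class User:
    name: str
    department: str
    supervisor: str
    active: bool = True        # False models an inactive/deleted user


@dataclass(frozen=True)
class Permission:
    user: str
    app: str
    name: str


@dataclass(frozen=True)
class BusinessRole:
    name: str
    attribute: str             # user attribute the role keys on (department, title, custom field...)
    value: str                 # attribute value that confers the role
    permissions: FrozenSet[Tuple[str, str]]   # (app, permission) pairs the role authorizes


@dataclass
class ReviewItem:
    permission: Permission
    reviewer: str
    decision: Optional[str] = None
    comment: str = ""


def roles_for(user: User, roles: List[BusinessRole]) -> List[BusinessRole]:
    """A user holds every role whose keyed attribute matches their record."""
    return [r for r in roles if getattr(user, r.attribute, None) == r.value]


def matching_roles(user: User, perm: Permission, roles: List[BusinessRole]) -> List[str]:
    """Names of the user's roles that authorize this exact (app, permission)."""
    return [r.name for r in roles_for(user, roles) if (perm.app, perm.name) in r.permissions]


def generate_review(users: List[User], perms: List[Permission], roles: List[BusinessRole],
                    app_owners: Dict[str, str], mode: str) -> List[ReviewItem]:
    """Build the review items a supervisory campaign would contain under `mode`."""
    by_name = {u.name: u for u in users}
    items: List[ReviewItem] = []
    for p in perms:
        u = by_name[p.user]
        matched = matching_roles(u, p, roles)
        # Inactive/deleted users are never omitted or pre-marked, whatever the setting.
        auto = mode != NO and u.active and bool(matched)
        if auto and mode == EXCEPTIONS_ONLY:
            continue                                   # in-role: left out of the review
        item = ReviewItem(p, reviewer=u.supervisor)    # default: the user's supervisor reviews
        if auto:                                       # mode == MAINTAIN_AND_REASSIGN
            item.reviewer = app_owners[p.app]
            item.decision = "Maintain"
            item.comment = "Automatically maintained: matches business role " + ", ".join(matched)
        items.append(item)
    return items


def workload(items: List[ReviewItem]) -> Dict[str, Tuple[int, int]]:
    """Per reviewer: (items assigned, items already pre-marked Maintain)."""
    out: Dict[str, Tuple[int, int]] = {}
    for i in items:
        total, auto = out.get(i.reviewer, (0, 0))
        out[i.reviewer] = (total + 1, auto + (1 if i.decision == "Maintain" else 0))
    return out


def sample_data():
    """Constructed demo data for this example (not the article's demo tenant)."""
    users = [
        User("alice", "Engineering", supervisor="sam"),
        User("bob", "Engineering", supervisor="sam", active=False),   # deleted engineer
        User("carol", "Finance", supervisor="tina"),
    ]
    roles = [BusinessRole("Engineering Staff", "department", "Engineering",
                          frozenset({("Jira", "Developer"), ("Confluence", "Editor")}))]
    perms = [
        Permission("alice", "Jira", "Developer"),     # in-role
        Permission("alice", "Confluence", "Admin"),   # exception: not granted by the role
        Permission("bob", "Jira", "Developer"),       # in-role, but user is inactive
        Permission("carol", "Jira", "Developer"),     # exception: Finance holds no role
    ]
    owners = {"Jira": "Belazel Simmel", "Confluence": "Cristinel Bouloucos"}  # assumed mapping
    return users, perms, roles, owners


if __name__ == "__main__":
    users, perms, roles, owners = sample_data()
    for mode in (NO, EXCEPTIONS_ONLY, MAINTAIN_AND_REASSIGN):
        items = generate_review(users, perms, roles, owners, mode)
        print(f"{mode}: {len(items)} items, workload {workload(items)}")
```

Running it shows the effect the article describes: "no" yields all four items with their supervisors; "exceptions_only" drops only alice's in-role Jira permission (bob's identical permission stays because he is inactive); "maintain_and_reassign" keeps all four but moves alice's in-role item to the Jira owner, pre-marked Maintain with an explanatory comment, while bob's and carol's items remain ordinary supervisor work.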

Examples

Here’s an example using our demo data. This is a supervisory access review covering several applications and over a hundred users. Without role filtering, there are 276 permissions to review, spread out over many supervisors. That’s a lot!

But, as it turns out, nearly all of these permissions are in-role according to our list of business roles. If we go to "Campaign Settings > Edit" under the About tab, select the "Yes - Only review permissions that are exceptions to the pre-defined business roles" option, and save the settings, the review is automatically regenerated. The list becomes much shorter, as you can see by going to the "Preview Campaign" tab:

Only 18 permissions to review now! But suppose you want a data trail of review items for the other 258 permissions. In the campaign settings edit dialog, instead select the second "Yes" option, "Yes - Include permissions matching business roles in the review but mark them as maintained and assigned to the business owner." When you save the settings, the campaign regenerates automatically and, under the "Preview Campaign" tab, it now looks like this:

All 276 permissions are back, but the vast majority of them have been assigned to two reviewers, Belazel Simmel and Cristinel Bouloucos, who are the business owners of the applications in question. They don't have much left to do either, since the permissions processed in this way have all been pre-marked "Maintain":

In Cristinel Bouloucos' review, you can see one permission that is not auto-maintained: that is an out-of-role permission that would have been in this reviewer's task regardless. Of course, once the review is underway, if the reviewer disagrees with any of the automatic Maintain decisions, they can change them manually.

Expanding one of the auto-maintained review items reveals an automatically generated comment noting that the item was processed automatically:

Business roles in the campaign PDF report

For a running or completed campaign, you can download a PDF report summarizing the campaign and listing all of its reviewed permissions. If the campaign used business-role filtering, the PDF report also contains a table listing all of the business roles that existed when the campaign was created (later changes to the roles are not reflected in that campaign), and every automatically maintained entry in the report carries a comment identifying it as such.

Please contact support@zillasecurity.com with any questions.