Profiles

Zilla AI Profiles™ and profile grants are designed to improve efficiency by allowing data owners to pre-approve user permissions based on users' attributes. They enable more streamlined and accurate user onboarding and reduce the volume of permissions that must be individually reviewed during access reviews.

Profile grants can be either birthright or suggested level, giving administrators more control over which permissions are provisioned during onboarding. Both birthright and suggested profile grants can be used to pre-approve permissions in an access review.

1 Terminology
2 Generate profiles
3 Review new profiles
4 Activate new profile grants
5 Change the level of profile grants
6 Customize profile generation
7 Take action on profile grants in batches

Terminology

Profile

A profile is a collection of users defined by a combination of one or more attributes in your organization (for example, Department=Engineering, Title=Engineer). A user may be associated with zero or more profiles, and there may also be a profile for all users.

Profile grant

A profile grant is a permission matching a specific profile definition (for example, Department=Engineering, Permission=Github Members). Grants are recommended by Zilla based on a high percentage of profile users already having the permission. The application or permission owner may activate a recommended profile grant.

Birthright level

A birthright level profile indicates that all users in the profile should have the permission.

Suggested level

A suggested level profile indicates that all users in the profile may have the permission.

Profile grant states

New: Suggested grants that are not yet activated.
Activated: Grants that are used for onboarding and access reviews.
Deactivated: Grants that are no longer used.

Profile actions

Activate grant: Makes profile grants eligible for onboarding and access reviews.
Deactivate grant: Makes profile grants ineligible for onboarding and access reviews.
Reassign approver: The permission owner or the business owner of the permission’s application is the approver of the profile grant by default, but the grant can be reassigned to the business, technical, or any additional owner of the application.
Edit level: Override our suggestion of either birthright or suggested level.

Generate profiles

The Zilla administrator initiates profile generation. Zilla uses machine learning to analyze the tenant’s data to recommend a collection of profiles each with one or more profile grants. Profile grants originate in the New state and must be activated before they can be used in an access review or for provisioning. By default, an application or permission owner is responsible for reviewing and activating profile grants, but Zilla admins can also activate.

See Generate Profiles for a step-by-step guide.

Review new profiles

When Profile generation completes, the profiles are presented in a table on the Profiles page with additional summary information.

Use the tabs at the top of the page to choose whether to view All Grants, grants By Profile, or grants By Application.

The Active User Permissions summary displays the count of permissions across all accessible applications that are mapped to active users. The Total Grants summary displays the total number of grants in New, Active, and Deactivated states. The Total Profiles summary displays the average number of profile grants per profile and the number of applications with profiles.

Search and Filter provide the ability to search for profiles and filter by Profile, Application, Permission, Privileged, Birthright or Suggested Level, Approver, and Status.

The table displays the following:

Profile: User attributes shared by a population of users
Users: Number of users matching the profile
New/Active Grants: Number of profile grants within the profile that are in either a new or active state
Last Updated: Displays when the profile grant’s status was last updated
Actions: Click View to see a list of grants for the profile to take an action

Activate new profile grants

Before a profile grant can be used by the Zilla application in either onboarding or user access reviews, it needs to be activated. Activation is the responsibility of the application’s technical owner by default, but any admin can also activate a profile grant.

See Activate and Deactivate Profile Grants for additional information.

Change the level of profile grants

Make sure the level of the profile grants meet the needs of the organization. Both birthright and suggested levels are pre-approved for access reviews and provisioning. However, with provisioning birthright level permissions can be assigned together in a policy action, but suggested level permissions need to be requested separately. Level accuracy is the responsibility of the by default, but any admin can also activate a profile grant.

See Change the Level of a Profile Grant for additional information.

Customize profile generation

After the initial profile generation, the admin can re-generate profiles at any time and specify the scope in terms of the population and which demographic values to use. The user demographic fields available to choose from are based on the tenant's collected user metadata. In order to be included, the field must be collected and populated. The administrator can also change the system defaults regarding minimum quality and population of profiles.

See Customize Profile Generation for additional information.

For additional information about using profiles in an access review, see Automatically filtering access reviews using Profiles.

Take action on profile grants in batches

In addition to taking action on individual profile grants, it is possible to take action on a filtered set of profile grants. You can activate grants, deactivate grants, reassign approvers and edit the level for the set of profile grants.

See Take Action on Profile Grants in Batches for additional information.