Automatically filtering access reviews using Profiles
The Zilla AI Profiles™ feature can be used to automatically filter an access review, which can save your organization a large amount of review work.
Campaign settings for using profiles
Any type of campaign can take advantage of this feature while it is still in the preview stage. When you create a new supervisory or application access review campaign, go to the campaign’s About tab and click “Campaign Settings > Edit”. On the “What To Review” tab, you will see an option labeled “Generate Review Based on Active Profiles”.
If this is set to “No”, all permissions for the selected users and apps will appear in the review, subject to the constraints of the other settings.
There are two “Yes” options.
“Yes - Only review permissions that are exceptions to active profiles” will omit entirely the permissions that match active profiles. Only permissions that are not granted to a given user by an active profile will be included in the review. (With the right profiles active, this could pare the size of the review down quite a lot!)
Suppose you don’t want those permissions to go completely unnoticed in the review, but you still want to speed things along. Selecting “Yes - Permissions matching active profiles are assigned to the application business owner.” will do two things.
The permissions granted by active profiles will remain included in the review, but the review items will be automatically pre-marked “Maintain”.
The review items will be reassigned to the owner of the application as reviewer, even if this is not an application owner review. The app owner can then just submit them all together, if everything seems OK.
Note: Permissions held by inactive or deleted users are never omitted from a review or pre-marked “Maintain”, whichever option is selected. They always remain for a reviewer to decide on explicitly.
Examples
Here’s an example using our demo data. This is a supervisory access review covering nine applications and over a hundred users. Without profiles filtering, there are 421 permissions to review, spread out over many supervisors. That’s a lot.
But, as it turns out, once we’ve generated profiles, confirmed that they are legitimate and activated them, nearly all of these permissions match active profiles. We go to “Campaign Settings > Edit” under the About tab, select the “Yes - Only review permissions that are exceptions to active profiles” option, save the settings, then click “Regenerate Campaign”. The list suddenly becomes much shorter, as you can see by going to the “Preview Campaign” tab.
Only 13 permissions to review now! But suppose you want a data trail of review items for the other 408 permissions. Under the campaign settings edit dialog, instead select “Yes - Permissions matching active profiles are assigned to the application business owner.” When you save the settings and regenerate the campaign, now, under the “Preview Campaign” tab, it looks like this:
All 421 permissions are back, but the vast majority of them have been automatically assigned to four reviewers, who are the business owners of the applications in question. They don’t have a lot left to do either, since the permissions that were processed in this way have all been pre-marked as “Maintain”:
In Cristinel Bouloucos' review, you can see two permissions that aren’t auto-maintained: those are out-of-profile permissions that would have been in this reviewer’s task regardless. Of course, once the review is underway, if the reviewer disagrees with any of these automatic Maintain decisions, they can change them manually.
Expanding one of the auto-Maintained review items reveals an automatically generated comment that tells you what profile it matches:
If the permission matches several profiles, the comment will currently only list the first match Zilla found.
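To make the three settings concrete, here is a small simulation of the filtering rules described under “Campaign settings for using profiles” and walked through in the example above. This is an added illustration, not Zilla’s own code, and the users, profiles, application owners and permission assignments are constructed sample data; the way a profile is matched to a user (a set of user attributes that must all be equal) is an assumption made for the example. It applies the rules the page states: out-of-profile permissions always go to the user’s normal reviewer, matching permissions are either dropped or pre-marked “Maintain” and reassigned to the application owner, inactive users are never filtered, inactive profiles never match, and only the first matching profile is named in the comment.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# --- constructed sample data (not from the page or the product) ---

@dataclass(frozen=True)
class Permission:
    app: str
    entitlement: str

@dataclass
class User:
    name: str
    supervisor: str            # default reviewer in a supervisory review
    attributes: Dict[str, str]  # e.g. {"department": "Finance"}
    active: bool = True

@dataclass
class Profile:
    name: str
    criteria: Dict[str, str]   # assumed matching rule: all attributes must be equal
    grants: Set[Permission]
    active: bool = True

@dataclass
class ReviewItem:
    user: str
    permission: Permission
    reviewer: str
    decision: Optional[str] = None
    comment: str = ""

# The three values of "Generate Review Based on Active Profiles"
MODE_NO = "No"
MODE_EXCEPTIONS_ONLY = "Yes - Only review permissions that are exceptions to active profiles"
MODE_ASSIGN_TO_APP_OWNER = "Yes - Permissions matching active profiles are assigned to the application business owner."

ERP_VIEWER = Permission("ERP", "viewer")
ERP_LEDGER = Permission("ERP", "ledger")
ERP_ADMIN = Permission("ERP", "admin")
GIT_DEV = Permission("GitLab", "developer")

USERS: Dict[str, User] = {
    "alice": User("alice", "bob", {"department": "Finance"}),
    "carol": User("carol", "bob", {"department": "Finance"}),
    "dave": User("dave", "erin", {"department": "Engineering"}),
    "frank": User("frank", "bob", {"department": "Finance"}, active=False),  # deleted user
}

PROFILES: List[Profile] = [
    Profile("Finance baseline", {"department": "Finance"}, {ERP_VIEWER, ERP_LEDGER}),
    Profile("Finance reporting", {"department": "Finance"}, {ERP_VIEWER}),   # overlaps the first
    Profile("Engineering baseline", {"department": "Engineering"}, {GIT_DEV}),
    Profile("Contractor admin", {"department": "Engineering"}, {ERP_ADMIN}, active=False),  # not activated
]

APP_OWNERS: Dict[str, str] = {"ERP": "gina", "GitLab": "hank"}

ASSIGNMENTS: List[Tuple[str, Permission]] = [
    ("alice", ERP_VIEWER), ("alice", ERP_LEDGER), ("alice", GIT_DEV),
    ("carol", ERP_VIEWER),
    ("dave", GIT_DEV), ("dave", ERP_ADMIN),
    ("frank", ERP_VIEWER),
]

# --- the filtering rules ---

def matching_profile(user: User, perm: Permission, profiles: List[Profile]) -> Optional[Profile]:
    """First *active* profile that grants perm to user, or None. Inactive users never match."""
    if not user.active:
        return None
    for p in profiles:
        if not p.active:
            continue
        if all(user.attributes.get(k) == v for k, v in p.criteria.items()) and perm in p.grants:
            return p  # first match only, as the page notes
    return None

def generate_review(assignments, users, profiles, app_owners, mode: str) -> List[ReviewItem]:
    """Build the review items a campaign preview would contain under the chosen setting."""
    items: List[ReviewItem] = []
    for user_name, perm in assignments:
        user = users[user_name]
        profile = matching_profile(user, perm, profiles)
        if profile is None or mode == MODE_NO:
            items.append(ReviewItem(user_name, perm, user.supervisor))   # normal review item
        elif mode == MODE_EXCEPTIONS_ONLY:
            continue                                                     # omitted entirely
        elif mode == MODE_ASSIGN_TO_APP_OWNER:
            items.append(ReviewItem(user_name, perm, app_owners[perm.app], "Maintain",
                                    f"Matches active profile '{profile.name}'"))
        else:
            raise ValueError(f"unknown setting: {mode}")
    return items

def summarize(items: List[ReviewItem]) -> Dict[str, int]:
    """Count items per reviewer, so you can compare workloads across the three settings."""
    counts: Dict[str, int] = {}
    for it in items:
        counts[it.reviewer] = counts.get(it.reviewer, 0) + 1
    return counts

if __name__ == "__main__":
    for mode in (MODE_NO, MODE_EXCEPTIONS_ONLY, MODE_ASSIGN_TO_APP_OWNER):
        items = generate_review(ASSIGNMENTS, USERS, PROFILES, APP_OWNERS, mode)
        print(mode, "->", len(items), "items", summarize(items))
```

Running it reproduces the pattern from the walkthrough on a smaller scale: the exceptions-only setting keeps just the out-of-profile items (including the deleted user’s permission, which is never filtered), while the app-owner setting keeps everything but hands the matching items, already marked “Maintain”, to the application owners.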
Active profile report in the campaign evidence package
For a completed campaign, an evidence package is available for download containing information about the campaign and the sources of information used to complete it. If the campaign used profiles filtering, the evidence package will also contain reports in PDF and CSV form listing the active profiles that were used to filter it. These reports may also be downloaded individually from the campaign’s Audit Logs tab.
In the main campaign PDF report, any automatically maintained entries will also have a comment identifying them as such.
Please contact support@zillasecurity.com with any questions.