Profiles offer a fresh approach to access control, addressing many of the shortcomings of traditional organizational roles.
Let’s explore how Profiles are different from traditional approaches to access control via roles and groups, and why they are more effective.
What’s in a Profile?
Profiles are an organization’s current mapping of which users should have access to specific resources, based on their business function within the organization. Profiles are automatically suggested in Zilla by evaluating metadata such as department, title, job code, and location, and they can be viewed through the lens of users or of applications.
From the user lens, a user profile is based on one or more user characteristics that represent the user’s function or responsibility. For example, Abby Smith is joining Access Ventures on the Development Team as a Senior Engineer.
Abby’s profile would be a combination of her attributes: she is an employee of Access Ventures and therefore gets access to payroll and other company-wide apps, and she is also a member of the Development Team as a Senior Engineer.
See examples below:
This automated process reduces the need for flawless user attribute data and eliminates the need for dedicated role designers.
Let’s now dive into how profiles evolve throughout the user lifecycle.
AI Profiles Enable Efficiency in Onboarding and Managing Users
AI-powered profile creation allows access for new employees to be deployed rapidly, without extensive preparation, because of the insights gained about user attributes. Using the previous example: because we know what an Engineer on the Access Ventures Development Team should have access to, Abby was given the correct permissions to start her work immediately upon joining the company.
In a few months, when the company performs its semi-annual entitlement certification, Abby’s supervisor will only have to review the permissions Abby holds that are not part of her profile.
If Abby changes jobs or departments, her new supervisor and, if possible, her former supervisor, will review Abby’s permissions using her new post-move profile as a template. This will ensure that Abby has a smooth transition and is able to access all the resources she needs for her new position.
Let’s suppose that Abby is directly given privileged access to an application, and that access is not included in her profile. This could trigger a configured policy in Zilla that looks for exceptional privileged access, and the administrator could immediately review and address the issue.
How do AI Profiles Work?
Zilla generates profiles very quickly by leveraging AI for profile generation and a federated approval model for profile acceptance and activation.
Profiles are generated with the push of a button and proposed to an administrator who does not need to have knowledge of business roles. The AI-based profile evaluation looks at every possible combination of user attributes and permissions, then suggests the most effective and precise combinations.
The administrator may adjust the results by changing what gets considered and adjusting metrics for profile precision and reach. In any case, the result is a proposed list of powerful access profiles that can be activated by the administrator, or more likely automatically forwarded to the right system or app owner for review.
Zilla automatically identifies a list of owners/approvers for each access granted by a profile. If there is an owner for a permission, resource or group, they are the primary approver; otherwise the application owner is notified. Zilla allows for quick and easy delegation to other stakeholders. This means the right person is asked to validate the profile grant being proposed.
The data owner approval is what makes profiles so practical to deploy and maintain, and so clear and valuable for review and audit.
Reduced Manual Effort for Access Reviews
In addition to their benefits for user lifecycle management, the other major advantage of profiles is their application to user access reviews. Zilla AI Profiles provide an updated and accurate map of who should have access to what resources based on their role in the organization. With that information, we can make user access reviews simpler, more focused, and more powerful.
Access reviews have many different flavors, but always have some individuals reviewing users’ access to a set of permissions and then approving or removing each granted permission. Reviewers are usually either supervisors of the users being reviewed or the owners of the permissions being reviewed. Profiles enable pre-approval for permissions explained by a user’s role in the company.
Say this is the profile grant:
This means it is always OK for users in the Engineering department to have basic “Members” access to the application GitHub. This relationship was proposed automatically and was approved and made active by the application owner of GitHub. Over time, this grant has been regularly re-evaluated and re-approved by the appropriate owner, so we know that it is current and the approval history is logged for auditors.
Any user entitlement reviews that contain Engineering users or GitHub permissions would leverage this single profile grant to remove 361 user permissions from the review, as they are already authorized.
The result is that reviewers have considerably fewer items to review (typically a 60% – 75% reduction) and are focused on exceptional access only. This means they are spending their time looking at the permissions that truly need reviewing and are less likely to simply approve all of a user’s access.
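As an added illustration (not Zilla’s code or algorithm), the following Python mines candidate profile grants from constructed attribute and entitlement data using precision and reach thresholds of the kind described in the “How do AI Profiles Work?” section, then filters an access review down to the grants no owner-approved profile explains, as in the Engineering/GitHub example. All user names, attributes, permission strings and threshold values are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical users, attributes and permissions).
USERS = {
    "abby":  {"employer": "Access Ventures", "department": "Engineering", "title": "Senior Engineer"},
    "bob":   {"employer": "Access Ventures", "department": "Engineering", "title": "Engineer"},
    "carol": {"employer": "Access Ventures", "department": "Engineering", "title": "Engineer"},
    "dave":  {"employer": "Access Ventures", "department": "Finance", "title": "Analyst"},
    "erin":  {"employer": "Access Ventures", "department": "Finance", "title": "Analyst"},
}
GRANTS = {
    "abby":  {"github:member", "payroll:employee", "prod-db:admin"},
    "bob":   {"github:member", "payroll:employee"},
    "carol": {"github:member", "payroll:employee"},
    "dave":  {"payroll:employee", "ledger:read"},
    "erin":  {"payroll:employee", "ledger:read", "github:member"},
}

def mine_profile_grants(users, grants, min_precision=0.9, min_reach=2):
    """Propose (attr, value, perm) grants. precision = share of users with the
    attribute value who hold the perm; reach = grants the rule would pre-approve.
    Thresholds are assumed tunables standing in for precision/reach metrics."""
    holders = defaultdict(set)  # (attr, value) -> users carrying it
    for user, attrs in users.items():
        for attr, value in attrs.items():
            holders[(attr, value)].add(user)
    proposals = []
    for (attr, value), members in holders.items():
        for perm in sorted(set().union(*grants.values())):
            covered = sum(perm in grants[u] for u in members)
            precision = covered / len(members)
            if precision >= min_precision and covered >= min_reach:
                proposals.append((attr, value, perm, round(precision, 2), covered))
    return sorted(proposals, key=lambda p: (-p[4], p[0], p[1], p[2]))

def exceptional_access(users, grants, active):
    """(user, perm) pairs not explained by an owner-approved grant in `active`;
    these are the only items a reviewer still has to look at."""
    def explained(u, p):
        return any(users[u].get(a) == v for a, v, q in active if q == p)
    return sorted((u, p) for u, ps in grants.items() for p in ps if not explained(u, p))

# The subset of proposals the app/data owners approved and activated (constructed).
ACTIVE = {("employer", "Access Ventures", "payroll:employee"),
          ("department", "Engineering", "github:member"),
          ("department", "Finance", "ledger:read")}

if __name__ == "__main__":
    print(*mine_profile_grants(USERS, GRANTS), sep="\n")
    print("still to review:", exceptional_access(USERS, GRANTS, ACTIVE))
```

With the sample data, company-wide GitHub access is proposed only if the precision threshold is lowered to 0.8, since one Finance user holds it; with the three active grants, the review shrinks from 12 items to Abby’s out-of-profile privileged grant and Erin’s out-of-profile GitHub membership.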
Conclusion
Traditional organizational roles have served their purpose, but their limitations are increasingly apparent in today’s dynamic business environment. Profiles offer a modern, efficient, and adaptable solution to the challenge of building and maintaining pre-approved user access based on user attributes. By leveraging AI and automating the creation and maintenance of profiles, organizations can achieve faster, more accurate, and sustainable access control, ensuring that users have the right permissions at the right time.
The shift from traditional roles to profiles marks a significant evolution in access control, providing a robust framework that keeps pace with the ever-changing needs of modern businesses.
Want to learn more about Zilla AI Profiles? Download the AI Profiles solution brief.