Access Management & ITIL V3
The process of granting authorized users the right to use a service while preventing access by non-authorized users.
Terminology of Access Management
Access Management – Activities
Access (or a restriction of access) can be requested through any of a number of mechanisms, e.g.
Standard request generated by the HR system, e.g. when a person is hired, dismissed or promoted
Service Request submitted via the Request Fulfillment system
Executing a pre-authorized script or option.
Rules for requesting access are normally documented as part of the Service Catalogue.
Each request for access should be verified by checking:
The user requesting access is who they say they are (authentication), e.g. by providing their username and password.
That they have a legitimate requirement for that service. This needs some independent verification, e.g. notification from HR, authorization from an appropriate manager, submission of an RFC, or a policy stating that the user may have access to an optional service if they need it.
Access Management does not decide who has access to which IT service. It executes the policies and regulations defined during Service Strategy and Service Design, and enforces the decision to restrict or provide access rather than making that decision itself.
As soon as the user is verified, they are provided with the user rights for the requested service.
Monitoring identity status
As users work in the organization, their roles change and so do the services they need access to, e.g.
Promotions or demotions
Resignation or death
Logging & tracking access
Access Management not only responds to requests, but is also
responsible for ensuring that the rights provided are being
Information Security Management plays an important role in detecting unauthorized access and comparing it with the rights that were provided by Access Management.
Removing or restricting rights
Access Management is also responsible for revoking rights to use a service. It executes decisions and policies made during the design phase, and also decisions made by managers in the organization. Removing access is normally done for the
User changes roles
User transfers or travels to an area where different regional
Inputs & Outputs
Access Management is triggered by a request for one or more users to access one or more services. This could originate from any of the
Human Resources Management
Manager of a department
Identity of users includes information about them that distinguishes them as individuals and verifies their status, e.g.
Driver's license number, etc.
Voice recognition patterns
Metrics that can be used to measure the effectiveness and efficiency of the Access Management process are:
Number of requests for access (e.g. Service Requests, RFCs)
Instances of access granted, by service, user and department etc
Instances of access granted by department or individual granting rights
Number of incidents requiring a reset of access rights
Number of incidents caused by incorrect access settings.
Verify the identity of users
Verify the identity of the approving person or body
Verify that a user qualifies for access to a specific service
Link multiple access rights to a user
Determine status of a user at any time
Manage changes to a user’s access requirements
Restrict access rights to unauthorized users
And develop and maintain a database of all users and the rights they have been granted.
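The activities listed above (verify the requester, the approver and the entitlement; keep a register of users and their rights; adjust rights on role change or departure; compare observed access against the rights that were granted) are easier to reason about as a small working model. The following is an added example written for this page, not ITIL text or any product's code: the class names, the role-to-service entitlement table, the rule that the approver must be the requester's manager, and the log lines it reconciles are all assumptions chosen for illustration.

```python
"""Minimal access-rights register modelled on the Access Management activities.
Added example; ENTITLEMENTS, the approver rule and the sample logs are assumed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed policy. Service Design decides this; Access Management only executes it.
ENTITLEMENTS = {
    "developer": {"source-control", "ci-build", "email"},
    "analyst": {"reporting", "email"},
    "manager": {"reporting", "email", "hr-portal"},
}


@dataclass
class User:
    user_id: str
    department: str
    role: str
    manager_id: Optional[str]
    status: str = "active"          # "active" or "leaver"


@dataclass
class Grant:
    service: str
    granted_at: datetime
    granted_by: str                 # who approved it (for the audit trail)
    revoked_at: Optional[datetime] = None

    def covers(self, when: datetime) -> bool:
        """True if this grant was in force at instant `when`."""
        return self.granted_at <= when and (self.revoked_at is None or when < self.revoked_at)


class AccessRegistry:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.grants = {u.user_id: [] for u in users}
        self.metrics = {"requests": 0, "granted": 0, "rejected": 0, "revoked": 0}

    def request(self, user_id, service, approver_id, now):
        """The three verification steps: requester, approver, entitlement."""
        self.metrics["requests"] += 1
        user = self.users.get(user_id)
        if user is None or user.status != "active":
            return self._reject("unknown or inactive user")
        if approver_id not in self.users or approver_id != user.manager_id:
            return self._reject("approver is not the user's manager")
        if service not in ENTITLEMENTS.get(user.role, set()):
            return self._reject(f"role '{user.role}' is not entitled to '{service}'")
        if service in self.active_services(user_id, now):
            return self._reject("already granted")
        self.grants[user_id].append(Grant(service, now, approver_id))
        self.metrics["granted"] += 1
        return True, "granted"

    def _reject(self, reason):
        self.metrics["rejected"] += 1
        return False, reason

    def active_services(self, user_id, now):
        return {g.service for g in self.grants.get(user_id, []) if g.covers(now)}

    def _revoke(self, user_id, services, now):
        for g in self.grants[user_id]:
            if g.service in services and g.covers(now):
                g.revoked_at = now
                self.metrics["revoked"] += 1

    def change_role(self, user_id, new_role, now):
        """Role change: drop every right the new role is not entitled to."""
        self.users[user_id].role = new_role
        allowed = ENTITLEMENTS.get(new_role, set())
        self._revoke(user_id, self.active_services(user_id, now) - allowed, now)

    def offboard(self, user_id, now):
        """Resignation, dismissal, etc.: mark as leaver and revoke everything."""
        self.users[user_id].status = "leaver"
        self._revoke(user_id, self.active_services(user_id, now), now)

    def reconcile(self, log_lines):
        """Compare observed access (assumed format: 'ISO-timestamp user service action')
        with the register; return every event that no grant covered at that time."""
        flagged = []
        for line in log_lines:
            ts, user_id, service, action = line.split()
            when = datetime.fromisoformat(ts)
            if not any(g.service == service and g.covers(when)
                       for g in self.grants.get(user_id, [])):
                flagged.append((user_id, service, when, action))
        return flagged


def run_scenario():
    """Constructed scenario: two grants, two rejections, a role change, a leaver,
    then reconciliation of constructed log lines against the register."""
    reg = AccessRegistry([
        User("bob", "eng", "manager", None), User("alice", "eng", "developer", "bob"),
        User("dave", "finance", "manager", None), User("carol", "finance", "analyst", "dave"),
    ])
    t0 = datetime(2024, 3, 1, 9, 0)
    reg.request("alice", "source-control", "bob", t0)     # granted
    reg.request("alice", "hr-portal", "bob", t0)          # rejected: not entitled
    reg.request("alice", "ci-build", "carol", t0)         # rejected: wrong approver
    reg.request("carol", "reporting", "dave", t0)         # granted
    reg.change_role("alice", "analyst", datetime(2024, 3, 10, 9, 0))   # revokes source-control
    reg.offboard("carol", datetime(2024, 3, 20, 9, 0))                 # revokes reporting
    logs = [  # constructed sample access log
        "2024-03-05T10:00:00 alice source-control PUSH",   # covered
        "2024-03-12T10:00:00 alice source-control PUSH",   # after role change: flagged
        "2024-03-02T08:00:00 carol reporting VIEW",        # covered
        "2024-03-21T08:00:00 carol reporting VIEW",        # after offboarding: flagged
        "2024-03-03T08:00:00 mallory reporting VIEW",      # unknown user: flagged
    ]
    return reg, reg.reconcile(logs)


if __name__ == "__main__":
    registry, flagged = run_scenario()
    print(registry.metrics)
    for event in flagged:
        print("unauthorized access:", event)
```

The time-bounded `Grant` is the point of the model: revocation sets `revoked_at` rather than deleting the record, so the register can answer "what rights did this user hold at any given instant" and a later reconciliation can tell legitimate use before a role change from misuse after it. The `metrics` counters correspond to the measures listed earlier (requests, instances granted, incidents requiring a reset of rights).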
Value to business
Access Management provides the following value:
Controlled access to services ensures that the organization can more effectively maintain the confidentiality of its information.
Employees have the right level of access to execute their jobs effectively.
Less likelihood of errors being made in data entry, or in the use of a critical service, by an unskilled user.
Ability to audit use of services and to trace the abuse of services
Ability to more easily revoke access rights when needed
May be required for regulatory compliance (e.g. SOX) or by control frameworks such as COBIT.