In this tutorial, we will discuss the ITIL Access Management Process, which is also known by other names such as ITIL User Access Management or Identity Management Process. In this chapter, you will learn the Definition, Objective, Purpose, Scope, Activities, Roles, and Sub-Processes of Access Management (ITIL V3 Process).
What is ITIL Access Management Process?
It is the process of granting authorized users the right to use a service while preventing access to non-authorized users. ITIL Access Management process is also sometimes referred to as the ITIL User Access Management or Identity Management Process.
Access Management (ITIL V3) is responsible for executing the policies and actions defined in the Information Security Management process. It makes sure that every individual within an organization is able to use the systems that help them execute their job, but has only the amount of access they actually need.
ITIL Access Management Objective:
The primary objective of ITIL Access Management Process is to grant authorized users the right to use a service while preventing access to non-authorized users.
Some other important objectives of this user access management process are as follows:
- Manage access to services based on policies and actions defined in Information Security Management.
- Process any request for granting access to services, changing access rights or restricting access, and ensure that the rights being provided or changed are properly granted.
- Grant access to services, data or functions only to users who are authorized to have that access.
- Manage access to services, prevent improper use of access rights, and remove access when people change roles or jobs.
- Help to protect the confidentiality, integrity, and availability of the organization’s services, assets, facilities, and information.
The Scope of ITIL Access Management:
According to ITIL, Access is the term that describes the level and extent of the service functionality granted to a user based on the user's identity. Here, User Identity refers to the attributes that uniquely distinguish one individual from another and also verify their status within the organization.
On the other hand, User Rights (or privileges) refer to the actual settings configured within a service that control the level of access of a user or user group. For example: view, read, write, execute, delete, modify, etc.
As described, the ITIL Access Management process runs on the information security principle of "least privilege" (or "least authority"), which states that each user must have only the limited access to information or resources necessary for their job. Access management enables the organization to keep a secure environment that not only prevents unauthorized usage but also prevents data breaches that can reduce customer trust and incur financial penalties.
Access Management is closely related to many other ITIL processes and functions. Some of them are described below:
Service Desk: Access requests are usually processed by raising Service Requests. First, the Service Desk validates the request by ensuring that it is appropriately approved and that the user is a legitimate employee, supplier or customer who qualifies for access. The Service Desk then delegates the responsibility for providing access to the appropriate team.
IT Operations Management: The most common scenario is that the Service Desk delegates the Access Management related tasks to IT Operations Management. The IT Operations team is then responsible for providing or revoking access to key systems or resources. Logical access rights are controlled by the IT Operations Control team, whereas physical access rights are controlled by IT Facilities Management.
ITIL Access Management Process Activities:
ITIL v3 very clearly defines the process hierarchy for Access Control, stating that access should be granted according to the rules set by the Information Security Policy. ITIL Access Management process doesn’t define or modify any policy; it just follows the existing policy.
User access management defines six steps or activities, listed below; they are usually followed sequentially:
(i) Request Access: This is the first step in enforcing the ITIL Access Management Process. Requests may arrive from the Service Desk via a Service Request or from a Request for Change (RFC). Access may involve going from no access to having access, or from one level of access to another. This activity should define who can request access, what information is required, and how the request will be processed by the system.
(ii) Verification: This activity verifies that a user who requests access is eligible to ask for it. The user must prove their identity and provide a valid business reason for the request. Different levels of access may require different amounts of verification. For example, access to view and edit MIS reports should require different approvals from creating a new user with default permissions.
(iii) Providing Rights: Once the user has been verified, the next step is to provide access. This may involve assigning permissions to the user profile if needed or even creating credentials in each system that a user requests to access. It is the responsibility of Access Management to ensure that the access provided doesn't conflict with any other access rights already given.
(iv) Monitoring Identity Status: Monitoring identity status changes is very important, especially for larger organizations. This is where having a catalogue of access that has already been assigned is vital. Automatically monitoring identity status and security changes ensures that access is only being given according to policy.
(v) Logging and Tracking Access: By logging and tracking access changes, the organization ascertains that the access being allowed is used only as intended. Tracking changes also protects the organization from security breaches and risks. Events such as unauthorized access, unusual application activity, and excessive incorrect login attempts should be assessed to ensure protection from security breaches.
(vi) Removing or Restricting Rights: This activity involves removing access once the purpose for which it was provided is complete. This occurs when users switch their roles over the course of their employment, working in different departments or on different systems, or even leaving the organization.
ITIL Access Management Sub-Process:
As defined by ITIL v3, user access management has two sub-processes operating under it. Below are the objectives and short descriptions of each, followed by a diagram illustrating the ITIL Access Management Process Flow:
1) Maintenance of Catalog of User Roles and Access Profiles:
This sub-process is responsible for building and maintaining an active repository (catalogue) of all the user roles and access profiles within an organization. It also makes sure that the catalogues of User Roles and Access Profiles remain aligned with the services offered to customers, and prevents unwanted assignment of access rights.
The access given to roles should also be evaluated periodically, to enable granting and removing access based on the process rather than by one-off requests.
2) Processing of User Access Requests:
This sub-process is responsible for verifying the user, providing access rights, monitoring the identity status, removing or restricting access, and logging and tracking access. The success of this sub-process depends on the accuracy of the previous sub-process (Maintenance of Catalog of User Roles and Access Profiles) in maintaining accurate user profiles and an accurate access repository.
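The following is an added example, not part of the original article or of ITIL itself, showing how the two sub-processes and the six activities above fit together in code: a constructed catalogue of user roles and access profiles, a request path that verifies the requester, checks the requested right against the role profile (least privilege) and against rights already held, logs every decision, and a role-change path that revokes rights the new role does not include. The role names, services, rights and the separation-of-duties rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed catalogue of user roles and access profiles (sub-process 1):
# role -> service -> rights that role may hold. Names are illustrative only.
ROLE_PROFILES = {
    "finance_clerk": {"ledger": {"read", "write"}},
    "finance_lead": {"ledger": {"read", "write", "approve"}},
    "hr_analyst": {"hr_db": {"read"}},
}
# Constructed conflict rule: rights one identity must never hold together.
CONFLICTS = [{("ledger", "write"), ("ledger", "approve")}]
AUDIT_LOG = []  # step (v): every decision is recorded here

@dataclass
class Identity:
    user_id: str
    role: str
    active: bool = True
    rights: set = field(default_factory=set)  # (service, right) pairs held

def log(event, user_id, detail):
    AUDIT_LOG.append({"event": event, "user": user_id, "detail": detail})

def request_access(identity, service, right, approved_by):
    """Steps (i)-(iii): verify the requester, check the request against the
    role profile (least privilege) and against rights already held, then grant."""
    if not identity.active or not approved_by:
        log("rejected", identity.user_id, "inactive identity or missing approval")
        return False
    if right not in ROLE_PROFILES.get(identity.role, {}).get(service, set()):
        log("rejected", identity.user_id, f"{service}:{right} outside {identity.role}")
        return False
    proposed = identity.rights | {(service, right)}
    if any(rule <= proposed for rule in CONFLICTS):
        log("rejected", identity.user_id, f"{service}:{right} conflicts with held rights")
        return False
    identity.rights.add((service, right))
    log("granted", identity.user_id, f"{service}:{right} approved by {approved_by}")
    return True

def change_role(identity, new_role):
    """Steps (iv) and (vi): on an identity status change, revoke every held
    right the new role's profile does not include, logging each removal."""
    identity.role = new_role
    profile = ROLE_PROFILES.get(new_role, {})
    for service, right in sorted(identity.rights):
        if right not in profile.get(service, set()):
            identity.rights.discard((service, right))
            log("revoked", identity.user_id, f"{service}:{right} removed on move to {new_role}")
    return identity.rights
```

The audit log holds one entry per grant, rejection or revocation, which is the record the periodic role review in sub-process 1 would be run against.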
Below is a diagram describing the interconnection between these two sub-processes and the process flow:
Important Terminologies and Definitions:
Access or Access Rights or Access Levels:
- A set of rules defining what services or service levels a user is allowed to access.
- For Example: In a file server, the Access Rights are defined as whether the user can read a file, read and write a file, edit a file, or delete a file.
Request for Access Rights:
- Also referred to as “Access Requests”. It is the way a user requests to grant, change or revoke the right to use a particular service or access certain assets.
User Identity Record:
- A record for identifying a user or person and for knowing their current access level.
- It is also used to grant access rights to that user or person.
User Identity Request:
- A request to create, modify or delete a User Identity.
- It defines the role of a user in the organizational hierarchy.
- It is used to assign the necessary Access Rights to that person based on the roles that individual user holds.
User Role Access Profile:
- A dataset that defines the level of access to a service or group of services for a certain type of user (User Role).
- It defines the default level of access for user roles, the programs that they can run, and the modifications that they can make.
ITIL Access Management Roles and Responsibilities:
Access Manager:
- This role is the Process Owner of ITIL Access Management.
- This Access Manager role is responsible for granting authorized users the right to use a service while preventing access to non-authorized users.
- The Access Manager typically follows and executes policies defined by Information Security Management.