According to online ITIL training manuals, there are several processes that define the ITIL Service Operation stage of the ITIL lifecycle: Event Management, Incident Management, Request Fulfillment, Problem Management and finally, the focus of this post Access management. The ITIL Access Management Process aims to grant authorized users the right to use a service while preventing access to non-authorized users. As asked in ITIL exam, this is a critical process since it ensures that the business’ data stays secured and that only employees to whom the data is essential to do their work can access the data. This protects the intellectual property of the business. Let’s take a closer look at Access Management.
The 2 objectives of Access Management
The main objective of the access management process is providing users with the rights to be able to use a service or a group of services. There are several services, assets, and configuration items in an IT service provider. And each service or configuration item must be provided only to people or groups who have the rights to use it. For instance, consider that a service is used to list the salary and compensation package details of an employee in a company. Should all employees be able to use this service? Of course not. This service must be granted only for the use of responsible human resources personnel. Similarly, consider another service which makes money transfers between the departments of the company or to the suppliers. This service must be granted for the use of finance department personnel only.
The second objective of the ITIL Access Management Process is the implementation of policies and activities that are defined in Security and Availability Management is also an objective of the access management process. Since the Access Management Process aims to provide the services for the use of the right people or groups, Security and Availability management policies and activities are part of the objectives of Access Management as well. Protection of data and allowing the data or services only to be available for the responsible people or groups is the responsibility of Security Management. And since Access Management grants the rights for people or groups who will use services, the Access Management Process cooperates with Security and Availability Management Process when defining policies and activities.
Policies, principles and basic concepts of the Access Management Process
The services of an IT Service provider are specified in the service catalog. Details regarding these services are access, identity, rights, service or service groups, and directory services. Let’s look at what these details of Access Management entail.
Access Management Term: Access
Access refers to the level and scope of the service functionality or data, that a user is authorized to use. For instance, we have given the example of a service which lists the salary and compensation package details of an employee in an IT Service Provider. This service is accessed by only the responsible human resources personnel and restricted for the other employees of the organization.
Access Management Tern: Identity
Identity refers to information, which characterizes an individual and which verifies his or her status within the organization. The identity of a user helps to use services, assets or configuration items of an IT Service provider. Users log on to the system, checks and use the services of an IT service provider with an identity. And by definition, the identity of a user is unique to that user. Different IT service providers use different identity conventions. It could be the name and surname, email of the user employee, ID of the user or the social security number of the user. These are examples for unique identities to use by an IT Service provider. (CLICK)
Access Management Term: Rights
Rights refer to the current settings, whereby a user gains access to a service or a group of services. For instance, rights to read, write, execute etc. If a service or configuration item will be viewed, then read right is provided to a relevant group. If a service or configuration item will be updated, then write right is provided to the relevant group. If a service or configuration item will be run, for instance, a script, then the execute right is provided to the relevant group.
Access Management Term: Service or Service Groups
It is more efficient to provide access to a complete group of services. There will be human resources department related services, finance department related services, sales department services etc. in an organization. Or this grouping can be based on functionality. For instance, money withdrawal related services of a bank, or balance update related services of a telecom operator etc. Since these group of services are meaningful and used together, providing access to these service or service groups is more efficient.
Access Management Term: Directory Services
Directory services refer to specific types of tools that are used to manage access and rights. For instance, IT department, human resource department, sales department etc. are grouped in directory services and when a new user joins the company, the user is assigned to one of the groups identified in the directory services. Then, all the relevant applications, access, and rights to the user are granted automatically.
Access Management is a key process of the ITIL Service Operation stage of the ITIL service lifecycle. This stage which is devoted to ensuring that users can access and use services for the reasons intended. Access management ensures that any sensitive information is protected from unauthorized users. This protects the intellectual property of the business. It also protects the business against users using their services without paying for it. Therefore, access management serves as the gatekeeper process in the ITIL Service Operation stage.