Service Operations


4. Service Operation Processes


4.5 Access Management

Access Management is the process of granting authorized users the right to use a service, while preventing access to non-authorized users. It has also been referred to as Rights Management or Identity Management in different organizations.

4.5.1 Purpose, Goals and Objectives
Access Management provides the right for users to be able to use a service or group of services. It is therefore the execution of policies and actions defined in Security and Availability Management.

4.5.2 Scope
Access Management is effectively the execution of both Availability and Information Security Management, in that it enables the organization to manage the confidentiality, availability and integrity of the organization's data and intellectual property. Access Management ensures that users are given the right to use a service, but it does not ensure that this access is available at all agreed times - this is provided by Availability Management.

Access Management is a process that is executed by all Technical and Application Management functions and is usually not a separate function. However, there is likely to be a single control point of coordination, usually in IT Operations Management or on the Service Desk.

Access Management can be initiated by a Service Request through the Service Desk.

4.5.3 Value to Business
Access Management provides the following value:

4.5.4 Policies, Principles and Basic Concepts
Access Management is the process that enables users to use the services that are documented in the Service Catalogue. It comprises the following basic concepts:

4.5.5 Process Activities, Methods And Techniques
4.5.5.1 Requesting Access
Access (or restriction) can be requested using one of any number of mechanisms, including:

Rules for requesting access are normally documented as part of the Service Catalogue.

4.5.5.2 Verification
Access Management needs to verify every request for access to an IT service from two perspectives:

The first category is usually achieved by the user providing their username and password. Depending on the organization's security policies, the use of the username and password is usually accepted as proof that the person is a legitimate user. However, for more sensitive services further identification may be required (biometric, use of an electronic access key or encryption device, etc.).

The second category will require some independent verification, other than the user's request. For example:

For new services the Change Record should specify which users or groups of users will have access to the Service. Access Management will then check to see that all the users are still valid and automatically provide access as specified in the RfC.

4.5.5.3 Providing Rights
Access Management does not decide who has access to which IT services. Rather, Access Management executes the policies and regulations defined during Service Strategy and Service Design. Access Management enforces decisions to restrict or provide access, rather than making the decision.

As soon as a user has been verified, Access Management will provide that user with rights to use the requested service. In most cases this will result in a request to every team or department involved in supporting that service to take the necessary action. If possible, these tasks should be automated.

The more roles and groups that exist, the more likely that Role Conflict will arise. Role Conflict in this context refers to a situation where two specific roles or groups, if assigned to a single user, will create issues with separation of duties or conflict of interest. Examples of this include:

Role Conflict can be avoided by careful creation of roles and groups, but more often they are caused by policies and decisions made outside of Service Operation - either by the business or by different project teams working during Service Design. In each case the conflict must be documented and escalated to the stakeholders to resolve.

Whenever roles and groups are defined, it is possible that they could be defined too broadly or too narrowly. There will always be users who need something slightly different from the pre-defined roles. In these cases, it is possible to use standard roles and then add or subtract specific rights as required - similar to the concept of Baselines and Variants in Configuration Management (see Service Transition publication). However, the decision to do this is not in the hands of individual operational staff members. Each exception should be coordinated by Access Management and approved through the originating process.

Access Management should perform a regular review of the roles and groups that it has created and manages, to ensure that they are appropriate for the services that IT delivers and supports. Obsolete or unwanted roles/groups should be removed.

4.5.5.4 Monitoring Identity Status
As users work in the organization, their roles change and so also do their needs to access services. Examples of changes include:

Access Management should understand and document the typical User Lifecycle for each type of user and use it to automate the process. Access Management tools should provide features that enable a user to be moved from one state to another, or from one group to another, easily and with an audit trail.

4.5.5.5 Logging And Tracking Access
Access Management should not only respond to requests. It is also responsible for ensuring that the rights that it has provided are being properly used.

In this respect, Access Monitoring and Control must be included in the monitoring activities of all Technical and Application Management functions and all Service Operation processes.

Exceptions should be handled by Incident Management, possibly using Incident Models specifically designed to deal with abuse of access rights. It should be noted that the visibility of such actions should be restricted. Making this information available to all who have access to the Incident Management system will expose vulnerabilities.

Information Security Management plays a vital role in detecting unauthorized access and comparing it with the rights that were provided by Access Management. This will require Access Management involvement in defining the parameters for use in Intrusion Detection tools.

Access Management may also be required to provide a record of access for specific Services during forensic investigations. If a user is suspected of breaches of policy, inappropriate use of resources, or fraudulent use of data, Access Management may be required to provide evidence of dates, times and even content of that user's access to specific Services. This is normally provided by the Operational staff of that service, but working as part of the Access Management process.
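
The comparison this section describes, access actually recorded versus the rights Access Management provided, can be sketched as follows. This is an added example, not part of the original publication; the rights records, the log format and every user and service name are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: rights as recorded by Access Management.
# (user, service) -> (granted, revoked or None), ISO 8601 timestamps in UTC.
RIGHTS = {
    ("alice", "payroll"): ("2024-01-10T00:00:00+00:00", None),
    ("bob", "payroll"): ("2024-01-10T00:00:00+00:00", "2024-02-28T17:00:00+00:00"),
}
# Constructed access log, one event per line: timestamp user service action
LOG = """\
2024-03-01T09:15:00+00:00 alice payroll read
2024-03-01T09:20:00+00:00 bob payroll read
2024-03-01T09:25:00+00:00 carol payroll export
not a valid line
"""

def classify(ts, user, service):
    """Return why an access is an exception, or None if a right covers it."""
    right = RIGHTS.get((user, service))
    if right is None:
        return "no-right-recorded"
    granted, revoked = right
    if ts < datetime.fromisoformat(granted):
        return "before-grant"
    if revoked and ts >= datetime.fromisoformat(revoked):
        return "after-revocation"
    return None

def find_exceptions(log_text):
    """Return (exceptions, unparsed). Unparsed lines are kept, not dropped,
    so gaps in the record stay visible to an investigation."""
    exceptions, unparsed = [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            _, user, service, action = parts
        except (ValueError, IndexError):
            unparsed.append(line)
            continue
        reason = classify(ts, user, service)
        if reason:
            exceptions.append({"time": parts[0], "user": user,
                               "service": service, "action": action,
                               "reason": reason})
    return exceptions, unparsed
```

The returned exceptions are the items that would be raised through Incident Management, with visibility restricted as described above.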

4.5.5.6 Removing Or Restricting Rights
Just as Access Management provides rights to use a Service, it is also responsible for revoking those rights. Again, this is not a decision that it makes on its own. Rather, it will execute the decisions and policies made during Service Strategy and Design and also decisions made by managers in the organization.

Removing access is usually done in the following circumstances:

In other cases it is not necessary to remove access, but just to provide tighter restrictions. These could include reducing the level, time or duration of access. Situations in which access should be restricted include:

4.5.6 Triggers, Input And Output / Interprocess Interfaces
Access Management is triggered by a request for a user or users to access a service or group of services. This could originate from any of the following:

Access Management should be linked to the Human Resource processes to verify the user's identity as well as to ensure that they are entitled to the services being requested.

Information Security Management is a key driver for Access Management as it will provide the security and data protection policies and tools needed to execute Access Management.

Change Management plays an important role as the means to control the actual requests for access. This is because any request for access to a service is a change, although it is usually processed as a Standard Change or Service Request (possibly using a model) once the criteria for access have been agreed through SLM.

SLM maintains the agreements for access to each service. This will include the criteria for who is entitled to access each service, what the cost of that access will be, if appropriate and what level of access will be granted to different types of user (e.g. managers or staff).

There is also a strong relationship between Access Management and Configuration Management. The CMS can be used for data storage and interrogated to determine current access details.

4.5.7 Information Management
4.5.7.1 Identity
The identity of a user is the information about them that distinguishes them as an individual and which verifies their status within the organization. By definition, the identity of a user is unique to that user. Since there are cases where two users share a common piece of information (e.g. they have the same name), identity is usually established using more than one piece of information, for example:

A user identity is provided to anyone with a legitimate requirement to access IT services or organizational information. These could include:

Most organizations will verify a user's identity before they join the organization by requesting a subset of the above information. The more secure the organization, the more types of information are required and the more thoroughly they are checked.

Many organizations will be faced with the need to provide access rights to temporary or occasional staff or contractors/suppliers. The management of access to such personnel often proves problematic - closing access after use is often as difficult to manage, or more so, than providing access initially. Well-defined procedures between IT and HR should be established that include failsafe checks that ensure access rights are removed immediately they are no longer justified or required.

When a user is granted access to an application, it should already have been established by the organization (usually the Human Resources or Security Department) that the user is who they say they are.

At this point, all that information is filed and the file is associated with a corporate identity, usually an employee or contractor number and an identity that can be used to access corporate resources and information, usually a user identity or 'username' and an associated password.

4.5.7.2 Users, Groups, Roles And Service Groups
While each user has an individual identity, and each IT service can be seen as an entity in its own right, it is often helpful to group them together so that they can be managed more easily. Sometimes the terms 'user profile' or 'user template' or 'user role' are used to describe this type of grouping.

Most organizations have a standard set of services for all individual users, regardless of their position or job (excluding customers - who do not have any visibility to internal services and processes). These will include services such as messaging, office automation, Desktop Support, telephony, etc. New users are automatically provided with rights to use these services. However, most users also have some specialized role that they perform. For example, in addition to the standard services, the user also performs a Marketing Management role, which requires that they have access to some specialized marketing and financial modelling tools and data.

Some groups may have unique requirements - such as field or home workers who may have to dial in or use Virtual Private Network (VPN) connections, with security implications that may have to be more tightly managed.

To make it easier for Access Management to provide the appropriate rights, it uses a catalogue of all the roles in the organization and which services support each role. This catalogue of roles should be compiled and maintained by Access Management in conjunction with HR and will often be automated in the Directory Services tools (see section 5.8).

In addition to playing different roles, users may also belong to different groups. For example, all contractors are required to log their timesheets in a dedicated Time Card System, which is not used by employees. Access Management will assess all the roles that a user plays as well as the groups that they belong to and ensure that they provide rights to use all associated services.
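
The role catalogue described here, together with the Role Conflict check and the standard-role-plus-exception approach from section 4.5.5.3, can be sketched as follows. This is an added example, not part of the original publication; all role, group and service names, the conflict list and the approval reference are constructed for illustration.

```python
# Constructed catalogue: role -> services that support it.
ROLE_CATALOGUE = {
    "standard-user": {"messaging", "office-automation", "telephony"},
    "marketing-manager": {"marketing-analytics", "financial-modelling"},
    "payment-requester": {"payments-request"},
    "payment-approver": {"payments-approve"},
}
# Constructed catalogue: group -> services required of its members.
GROUP_CATALOGUE = {"contractors": {"time-card-system"}}
# Role pairs that one user must not hold together (separation of duties).
CONFLICTING_ROLES = [frozenset({"payment-requester", "payment-approver"})]


def role_conflicts(roles):
    """Return each conflicting pair fully contained in a user's roles."""
    held = set(roles)
    return [tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= held]


def effective_rights(roles, groups, add=(), remove=(), approved_by=None):
    """Resolve the services a user may use.

    The baseline is the union of services for every role and group held.
    `add` and `remove` form the variant (exception) and need an approver.
    """
    unknown = [r for r in roles if r not in ROLE_CATALOGUE]
    unknown += [g for g in groups if g not in GROUP_CATALOGUE]
    if unknown:
        raise KeyError(f"not in catalogue: {unknown}")
    conflicts = role_conflicts(roles)
    if conflicts:
        # Access Management does not decide: document and escalate.
        raise PermissionError(f"role conflict, escalate: {conflicts}")
    if (add or remove) and not approved_by:
        raise PermissionError("exception to a standard role needs approval")
    rights = set()
    for role in roles:
        rights |= ROLE_CATALOGUE[role]
    for group in groups:
        rights |= GROUP_CATALOGUE[group]
    return (rights | set(add)) - set(remove)
```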

4.5.8 Metrics
Metrics that can be used to measure the efficiency and effectiveness of Access Management include:

4.5.9 Challenges, Critical Success Factors and Risks
Conditions for successful Access Management include:
