Neven Zitek As part of an IT organization, how would you rate your relationship with the Human Resources (HR) department? If your answer is “good,” I’ll assume that you joined your IT organization very recently. As far as I can tell, it has been a constant battle between HR and IT regarding granting and revoking user rights within IT systems when a new employee is hired, promoted, demoted or leaving the company. HR considers access to IT resources to be purely an IT topic, and IT expects that HR will provide timely and informed feedback regarding IT services and user access rights within those services required for the employee in question.
Figure 1 – Access Management at its worst
To make things even worse, if there is no IT Service Catalogue defined, it’s almost impossible to maintain any form of Access Management. Ten years ago, when I shifted my carrier direction from telecom into the IT industry, I was amazed by IT staffs’ ability to maintain records about who needs to access what – just by memorizing their organization’s internal structure and employees’ functions within the company. And we’re talking about a company with 1000+ employees. Wow.
The first issues began to surface when the next generation of IT staff started to replace older colleagues – as they weren’t so familiar with the delicate eco-system that their predecessors nourished, and weren’t willing to take any responsibility for possible mistakes within access configuration.
Process activities of Access Management
The role of Access Management is to enable users (and groups of users) with appropriate levels of access to the services presented in the IT Service Catalogue. Access is the term that describes the level and extent of the service functionality available to the user, and is related to the user identity, which uniquely distinguishes one individual from another, verifying / confirming their status within the organization. User rights (or privileges) refer to actual settings within a service that are granted to the user or user group, e.g. read, write, list, execute, delete, change, etc. With all necessary basics covered, lets look at process activities of the Access Management.
1. Requesting Access
It all starts with requesting access to the service by using any of these common methods:
- Standard request from HR system when person is hired, promoted, transferred or leaving company
- Request for Change via Change Management process
- Service Request through Service Desk function, more specific Request Fulfillment process
- Auto-provisioning system, such as downloading application, which automatically handles user, accounts, and enables access to the needed service (e.g. feedbacks, surveys, or similar)
Rules about how to access services are generally described within the Service Catalogue.
2. Verification
Access Management should verify each request from the two following perspectives:
- Is requester who they claim to be?
- Is request legitimate for that service?
We check the identity of the requester by username / password combination, or by any other method (e.g. using biometric data). However, in order to verify a request for legitimacy, we need something more than the user request, such as: notification from HR, approval from process owner / manager, submission of Change Management RFC, or a policy that defines access to the service in question without the need for any previous means of confirmation.
3. Providing rights
It’s important to note that Access Management doesn’t decide who gets access to a particular service, but executes policies and regulations defined during the Service Strategy phase. Access Management will provide necessary rights by sending a request to every department responsible for the service(s) in question. If possible, those tasks should be automated.
4. Monitoring identity status
Working within any organization means that employees will come and go, and change functions and positions; therefore, their needs for IT services will change accordingly. Access Management should understand the lifecycle of a typical user of IT services in order to prepare and automate its own processes accordingly.
When preparing such processes, Access Management is responsible to design them in such a manner that will enable an easy change of user status, or group transfer, with a clear and recorded audit trail.
5. Logging and tracking access
Ensuring that rights provided are used properly, Access Monitoring and Control must be included in monitoring activities of all Service Operation processes. Information Security plays a vital role in detecting unauthorized access, compared to access rights granted by Access Management – therefore, IS should include Access Management in its definition of parameters in Intrusion Detection and Prevention tools.
6. Removing or restricting access rights
Just as Access Management is responsible for providing proper rights to access service, it’s also responsible for revoking or restricting them. In short, removing rights is the same as (3) Providing Rights, but in reverse.
Figure 2 – Well-organized Access Management relies on other parts of Service Management to do their part as well, e.g. Change Management, Service Desk, and Information Security
“As you’ve arranged the thread so must you weave it”*
Even if you work in a somewhat smaller organization, you’ll notice that Access Management, Change Management, Incident Management, and all the other processes are nothing more than individual threads in your great tapestry called Service Management. In this example, Access Management is closely dependent on Change Management, Information Security, etc., in order to fulfill its purpose. Therefore, when your processes include or depend on other processes outside the IT organization (e.g. HR), make sure they understand the importance of that single thread in your tapestry. Otherwise, your tapestry may end up being used as a rug.
*) Latin proverb
Download a free sample of the Access Management process template to learn how the Access Management process and respective roles and responsibilities are set.
