Access Management: Difference between revisions
From IT Process Wiki
mNo edit summary |
|||
| Line 1: | Line 1: | ||
<seo metakeywords="itil access management, access management itil, itil access management process, access management process" metadescription="Access Management: ITIL process definition - | <seo metakeywords="itil access management, access management itil, itil access management process, access management process" metadescription="Access Management: ITIL process definition - Sub-processes - Terms - Additional information on ITIL Access Management." /> | ||
<imagemap> | <imagemap> | ||
Image:ITIL-Wiki-de-es.jpg|DE - ES - Access Management|100px | Image:ITIL-Wiki-de-es.jpg|DE - ES - Access Management|100px | ||
| Line 8: | Line 8: | ||
<br style="clear:both;"/> | <br style="clear:both;"/> | ||
<p> </p> | |||
''' | ''ITIL Access Management'' aims to grant authorized users the right to use a service, while preventing access to non-authorized users. The Access Management processes essentially execute policies defined in [[IT Security Management|Information Security Management]]. Access Management is sometimes also referred to as ''Rights Management'' or ''Identity Management''. | ||
'''Part of''': [[ITIL V3 Service Operation|Service Operation]] | '''Part of''': [[ITIL V3 Service Operation|Service Operation]] | ||
'''Process Owner''': [[Access Management# | '''Process Owner''': [[Access Management#Access Manager|Access Manager]] | ||
<p> </p> | |||
== ITIL Access Management | == ITIL Access Management == | ||
==== Access Management Process ==== | |||
Access Management was added as a new process to ITIL V3. The decision to include this dedicated process was motivated by | Access Management was added as a new process to ITIL V3 ''(ITIL 2007)''. The decision to include this dedicated process was motivated by Information security reasons, as granting access to IT services and applications only to authorized users is of high importance from an [[IT Security Management|Information Security]] viewpoint. | ||
[[Image:Access-management-itil.jpg|right|thumb|375px|alt=Access Management ITIL|[https://wiki.en.it-processmaps.com/images/pdf/process_overview_access_management_itilv3.pdf ITIL Access Management]]] | |||
In ''ITIL 2011'' an interface between [[Access Management]] and Event Management has been added, to emphasize that (some) Event filtering and correlation rules should be designed by Access Management to support the detection of unauthorized access to services ''(see figure 1)''. | |||
A dedicated activity has been added to revoke [[Access Management#Access Rights|access rights]] if required, to make this point clearer. | |||
In ITIL 2011 it has been made clearer in the Request Fulfilment and Incident Management processes that the requester's authorization must be checked. | |||
= | <span id="Sub-Processes">''These are the [[Access Management|ITIL Access Management]] sub-processes:''</span> | ||
<p> </p> | |||
; | ;<span id="ITIL Access Management Catalogue">Maintenance of Catalogue of User Roles and Access Profile</span> | ||
:Process Objective: To make sure that the catalogue of [[Access Management#User Role|User Roles]] and [[Access Management#User Role Access | :Process Objective: To make sure that the catalogue of [[Access Management#User Role|User Roles]] and [[Access Management#User Role Access Profile|Access Profiles]] is still appropriate for the services offered to customers, and to prevent unwanted accumulation of [[Access Management#Access Rights|access rights]]. | ||
; | ;<span id="ITIL Access Management Requests">Processing of User Access Requests</span> | ||
:Process Objective: To process [[Access Management#Request for Access Rights|requests to add, change or revoke access rights]], and to make sure that only authorized users are granted the right to use a service. | :Process Objective: To process [[Access Management#Request for Access Rights|requests to add, change or revoke access rights]], and to make sure that only authorized users are granted the right to use a service. | ||
<p> </p> | |||
==== Downloads ==== | |||
Use the following links to open the process overview of Access Management showing the most important interfaces: | Use the following links to open the process overview of Access Management showing the most important interfaces: | ||
* [[Media: | * [[Media:Access-management-itil.jpg|ITIL Access Management (.JPG)]] | ||
* [https://wiki.en.it-processmaps.com/images/pdf/process_overview_access_management_itilv3.pdf ITIL Access Management (.PDF)] | * [https://wiki.en.it-processmaps.com/images/pdf/process_overview_access_management_itilv3.pdf ITIL Access Management (.PDF)] | ||
<p> </p> | |||
==== ITIL Terms ==== | |||
;<span id="Access Rights">Access Rights</span> | ;<span id="Access Rights">Access Rights</span> | ||
:A set of data defining what services a user is allowed to access. This definition is achieved by assigning the user, identified by his User Identity, to one or more User Roles. | :A set of data defining what services a user is allowed to access. This definition is achieved by assigning the user, identified by his User Identity, to one or more [[Access Management#User Role|User Roles]]. | ||
;<span id="Request for Access Rights">Request for Access Rights</span> | ;<span id="Request for Access Rights">Request for Access Rights</span> | ||
| Line 57: | Line 66: | ||
;<span id="User Role">User Role</span> | ;<span id="User Role">User Role</span> | ||
:A role as part of a catalogue or hierarchy of all the roles (types of users) in the organization. Access rights are based on the roles that individual users have as part of an organization. | :A role as part of a catalogue or hierarchy of all the roles (types of users) in the organization. [[Access Management#Access Rights|Access rights]] are based on the roles that individual users have as part of an organization. | ||
;<span id="User Role Access Profile">User Role Access Profile</span> | ;<span id="User Role Access Profile">User Role Access Profile</span> | ||
:A set of data defining the level of access to a service or group of services for a certain type of user ( | :A set of data defining the level of access to a service or group of services for a certain type of user ([[Access Management#User Role|User Role]]). User Role Access Profiles help to protect the confidentiality, integrity and availability of assets by defining what information computer users can utilize, the programs that they can run, and the modifications that they can make. | ||
;<span id="User Role Requirements">User Role Requirements</span> | ;<span id="User Role Requirements">User Role Requirements</span> | ||
:Requirements from the business side for the catalogue or hierarchy of user roles (types of users) in the organization. Access rights are based on the roles that individual users have as part of an organization. | :Requirements from the business side for the catalogue or hierarchy of user roles (types of users) in the organization. [[Access Management#Access Rights|Access rights]] are based on the roles that individual users have as part of an organization. | ||
<p> </p> | |||
==== ITIL Roles ==== | ==== ITIL Roles ==== | ||
;Access Manager - Process Owner | ;<span id="Access Manager">Access Manager - Process Owner</span> | ||
:The Access Manager grants authorized users the right to use a service, while preventing access to non-authorized users. | :The Access Manager grants authorized users the right to use a service, while preventing access to non-authorized users. | ||
:The Access Manager essentially executes policies defined in | :The Access Manager essentially executes policies defined in Information Security Management. | ||
<p> </p> | |||
{| border="1" align="center" cellpadding="5" cellspacing="0" style="text-align:center;" valign="top" | |||
|- | |||
| valign="top" colspan="2" style="background:#ffffdd;" align="center"| '''Responsibility Matrix: ITIL Access Management''' | |||
|- | |||
! width="75%" align="center" style="background:#ffffee;" | ITIL Role / Sub-Process | |||
! style="background:#ffffee;" | [[Access Management#Access Manager|Access Manager]] | |||
|- | |||
| align="left" |[[#ITIL Access Management Catalogue|Maintenance of Catalogue of User Roles and Access Profile]] | |||
| A[[Access Management#Accountable|<small>[1]</small>]]R[[Access Management#Responsible|<small>[2]</small>]] | |||
|- | |||
| align="left" |[[#ITIL Access Management Requests|Processing of User Access Requests]] | |||
| AR | |||
|- | |||
|} | |||
<p> </p> | |||
'''Remarks''' | |||
<span id="Accountable">[1] ''A: Accountable'' according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the Access Management process.</span> | |||
<span id="Responsible">[2] ''R: Responsible'' according to the RACI Model: Those who do the work to achieve a task within Access Management.</span> | |||
<p> </p> | |||
==== Process Implementation: Notes ==== | |||
There are a number of different approaches to implementing [[Access Management]]. Depending on the size of an organization the methods applied can be rather complex. In this context, ITIL does not provide a detailed explanation of all aspects of Access Management. | |||
Well-defined interfaces between the business and Access Management are vital to achieve high security standards. Typically, responsibilities of both sides are defined in a dedicated Information Security Policy. This policy would, for example, stipulate that HR is to inform Access Management without delay about employees entering or leaving the company. | |||
< | <p> </p> | ||
<!-- This page is assigned to the following categories: --> | <!-- This page is assigned to the following categories: --> | ||
[[Category:ITIL V3]][[Category:ITIL process]][[Category:Service Operation|Access Management]][[Category:Access Management|!]] | [[Category:ITIL V3]][[Category:ITIL 2011]][[Category:ITIL process]][[Category:Service Operation|Access Management]][[Category:Access Management|!]] | ||
<!-- --- --> | <!-- --- --> | ||
Revision as of 16:22, 17 October 2011
<seo metakeywords="itil access management, access management itil, itil access management process, access management process" metadescription="Access Management: ITIL process definition - Sub-processes - Terms - Additional information on ITIL Access Management." />
ITIL Access Management aims to grant authorized users the right to use a service, while preventing access to non-authorized users. The Access Management processes essentially execute policies defined in Information Security Management. Access Management is sometimes also referred to as Rights Management or Identity Management.
Part of: Service Operation
Process Owner: Access Manager
ITIL Access Management
Access Management Process
Access Management was added as a new process to ITIL V3 (ITIL 2007). The decision to include this dedicated process was motivated by Information security reasons, as granting access to IT services and applications only to authorized users is of high importance from an Information Security viewpoint.
In ITIL 2011 an interface between Access Management and Event Management has been added, to emphasize that (some) Event filtering and correlation rules should be designed by Access Management to support the detection of unauthorized access to services (see figure 1).
A dedicated activity has been added to revoke access rights if required, to make this point clearer.
In ITIL 2011 it has been made clearer in the Request Fulfilment and Incident Management processes that the requester's authorization must be checked.
These are the ITIL Access Management sub-processes:
- Maintenance of Catalogue of User Roles and Access Profile
- Process Objective: To make sure that the catalogue of User Roles and Access Profiles is still appropriate for the services offered to customers, and to prevent unwanted accumulation of access rights.
- Processing of User Access Requests
- Process Objective: To process requests to add, change or revoke access rights, and to make sure that only authorized users are granted the right to use a service.
Downloads
Use the following links to open the process overview of Access Management showing the most important interfaces:
ITIL Terms
- Access Rights
- A set of data defining what services a user is allowed to access. This definition is achieved by assigning the user, identified by his User Identity, to one or more User Roles.
- Request for Access Rights
- A request to grant, change or revoke the right to use a particular service or access certain assets.
- User Identity Record
- A set of data with all the details identifying a user or person. It is used to grant rights to that user or person.
- User Identity Request
- A request to create, modify or delete a User Identity.
- User Role
- A role as part of a catalogue or hierarchy of all the roles (types of users) in the organization. Access rights are based on the roles that individual users have as part of an organization.
- User Role Access Profile
- A set of data defining the level of access to a service or group of services for a certain type of user (User Role). User Role Access Profiles help to protect the confidentiality, integrity and availability of assets by defining what information computer users can utilize, the programs that they can run, and the modifications that they can make.
- User Role Requirements
- Requirements from the business side for the catalogue or hierarchy of user roles (types of users) in the organization. Access rights are based on the roles that individual users have as part of an organization.
ITIL Roles
- Access Manager - Process Owner
- The Access Manager grants authorized users the right to use a service, while preventing access to non-authorized users.
- The Access Manager essentially executes policies defined in Information Security Management.
| Responsibility Matrix: ITIL Access Management | |
| ITIL Role / Sub-Process | Access Manager |
|---|---|
| Maintenance of Catalogue of User Roles and Access Profile | A[1]R[2] |
| Processing of User Access Requests | AR |
Remarks
[1] A: Accountable according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the Access Management process.
[2] R: Responsible according to the RACI Model: Those who do the work to achieve a task within Access Management.
Process Implementation: Notes
There are a number of different approaches to implementing Access Management. Depending on the size of an organization the methods applied can be rather complex. In this context, ITIL does not provide a detailed explanation of all aspects of Access Management.
Well-defined interfaces between the business and Access Management are vital to achieve high security standards. Typically, responsibilities of both sides are defined in a dedicated Information Security Policy. This policy would, for example, stipulate that HR is to inform Access Management without delay about employees entering or leaving the company.
