Process: A67 - Identity and Access Management
Identity and Access Management aims to assist the internal IT organization with the cost-effective management of the IT resources required for the provision of IT services.
Purpose

The purpose of the Identity and Access Management process is to establish and maintain a registry of IT user identities and their associated access rights for each service. The registry provides a key reference for the authorization or rejection by the Security Management process of service usage attempts.

See the definition of identity. The process provides the ability to control and track who has access to data and services. It contributes to achieving the appropriate confidentiality, availability, and integrity of the organization's data.

See the definition of rights. This definition is narrower than those established in ISO standards relating to security. For the purposes of this process, the user might not be directly linked to one or more persons; it can take the form of an IT product or system for which access rights must be established and tracked, and for which an identity is therefore established.[1]

[1] ISO/IEC 15408-1, Information technology – Security techniques – Evaluation criteria for IT security. "Part 1: Introduction and general model." Widely known as the Common Criteria.

Description

Read the Identity and Access Key Concepts.

Outcomes

As a result of the successful implementation of the Identity and Access Management process:

  • An accurate and complete identity registry and associated rights is maintained
  • There is a definitive source so that decisions can be made allowing users to have access to the information and services they need while unauthorized access attempts are denied
  • Authorized access to data and services is aligned with security policies
  • Records of access attempts can be audited
  • The data necessary to demonstrate compliance in relation to service and information access is available

Scope

This process operates within the set of controls described by the IT Security Policy, which itself takes direction from the Business Security Policy. The users for whom (or which) an identity is registered include not only those outside the IT organizational entity but also all resources involved in running the IT capability itself. Levels of control of identities and access rights will vary depending upon the scope of access required and the level of potential harm (fraud) from malicious access.

Access policies can be dynamic, reflecting the need to vary access rights depending on the time of day or the role being performed. The process must recognize that the authority to give access rights, or even to delegate the authority to give access rights, is a normal activity for many users.

Includes

  • An identity schema aligned with business and security policies
  • Establishment and maintenance of identities
  • Establishment and maintenance of access rights
  • Translation of business rules for roles and group authorities so as to enact them within the identity schema
  • Access to the registry for those processes providing affiliated security services, like physical access (Facilities Management)
  • Raising warnings or revoking access rights when access attempt thresholds are breached

Excludes

  • Definition, implementation, and operation of authentication mechanisms (Security Management)
  • Enforcement of access rights (Security Management)
  • Definition of the rules for business role and group authorities – defined by the business
  • Physical security and access (Facilities Management)
  • Security policies – defined by the business and Security Management

Key performance indicators

  • Percent increase in identity and access requests processed
  • Percent of identity and access requests accepted
  • Number of incidents due to incorrect access rights
  • Number of incidents due to incorrect identity usage
  • Number of password resets

Relation to other processes

  • Security Management creates the overall security policy. The identity management and access management aspects of that policy are enforced by Identity and Access Management.
  • Request Fulfillment routes pertinent service requests to Identity and Access Management.
  • When a solution is deployed by Deployment Management, one aspect of that deployment is providing access to that solution.
  • One aspect of implementing a change request from Change Management may involve identity management or access management.

For more information

For more information, see Access Management in the ITIL® documentation.

In addition, see the IBM® Service Management web page.

Properties

  • Event Driven
  • Multiple Occurrences
  • Ongoing
  • Optional
  • Planned
  • Repeatable: Yes