In order to use IT services, users must have access to those services.  To access a service, a user must have an identity which has the associated rights to use that service. 

Different users may have different rights to a service, depending upon the role they perform.  In addition, because a user may play different roles in different services, those rights may vary by service. 

Each user has one or more identities.  Ideally, these are kept to a low number.  Identity requests and access requests are typically triggered as service requests.