Just as Access Management provides rights to use a Service, it is also responsible for revoking those rights. Again, this is not a decision that it makes on its own. Rather, it will execute the decisions and policies made during Service Strategy and Design and also decisions made by managers in the organization.
Removing access is usually done in the following circumstances:
When the user has changed roles and no longer requires access to the service
Transfer or travel to an area where different regional access applies.
In other cases it is not necessary to remove access, but just to provide tighter restrictions. These could include reducing the level, time or duration of access. Situations in which access should be restricted include:
When the user has changed roles or been demoted and no longer requires the same level of access
When the user is under investigation, but still requires access to basic services, such as e-mail. In this case their e-mail may be subject to additional scanning (but this would need to be handled very carefully and in full accordance with the organization's security policy).
When a user is away from the organization on temporary assignment and will not require access to that service for some time.
4.5.6 Triggers, input and output/inter-process interfaces
Access Management is triggered by a request for a user or users to access a service or group of services. This could originate from any of the following:
An RFC. This is most frequently used for large-scale service introductions or upgrades where the rights of a significant number of users need to be updated as part of the project.
A Service Request. This is usually initiated through the Service Desk, or directly into the Request Fulfilment system, and executed by the relevant Technical or Application Management teams.
A request from the appropriate Human Resources Management personnel (which should be channelled via the Service Desk). This is usually generated as part of the process for hiring, promoting, relocating and termination or retirement.
A request from the manager of a department, who could be performing an HR role, or who could have made a decision to start using a service for the first time.
Access Management should be linked to the Human Resource processes to verify the user's identity as well as to ensure that they are entitled to the services being requested.
Information Security Management is a key driver for Access Management as it will provide the security and data protection policies and tools needed to execute Access Management.
Change Management plays an important role as the means to control the actual requests for access. This is because any request for access to a service is a change, although it is usually processed as a Standard Change or Service Request (possibly using a model) once the criteria for access have been agreed through SLM.
SLM maintains the agreements for access to each service. This will include the criteria for who is entitled to access each service, what the cost of that access will be, if appropriate, and what level of access will be granted to different types of user (e.g. managers or staff).
There is also a strong relationship between Access Management and Configuration Management. The CMS can be used for data storage and interrogated to determine current access details.