ITIL Intermediate OSA - Access Management Tutorial

Welcome to lesson 6 ‘Access Management’ of the ITIL Intermediate OSA Tutorial, which is a part of the ITIL Intermediate OSA Certification Course. In this module, we will learn all about Access Management and its features.

Let us begin with the objectives of this lesson.


By the end of this ‘Access Management’ lesson, you will be able to:

  • Understand the purpose, objective, scope, and value to the business of Access Management

  • Explain the end-to-end process flow for access management process inclusive of components, activities, and operation including its organizational structure, as well as any interfaces with other processes.

  • Explain the measurement model and the metrics that would be used to support access management within OSA practices and the benefits and business value that can be gained from access management as related to OSA.

In the next section, we will learn about the purpose and objective of access management.

You too can join the high earners’ club. Enroll in our ITIL OSA Course and earn more today.

Access Management - Purpose and Objectives

The purpose of Access Management is to provide the “Right” for users to be able to use a service or group of services.

Objectives of Access Management include:

  • Managing access to services based on policies and actions defined in information Security management

  • Efficiently respond to requests for granting access to services, changing access rights or restricting access

  • Oversee access to services and ensure rights being provided are not improperly used

The next section talks about the scope of access management.

Access Management - Scope

What is the scope of access management?

Scope means the boundary within which the process should work on. The scope of Access Management include:

  • The execution of Information Security Management enabling the organization to maintain data confidentiality, integrity and availability is the main scope of work.

  • Access Management ensures that users are given the right to use a service, but it does not ensure that this access is available at all agreed times – this is provided by Availability Management.

  • Access Management is a process that is executed by all Technical and Application Management functions and is usually not a separate function. However, there is likely to be a single control point of coordination, usually in IT Operations Management or on the Service Desk.

  • Access Management can be initiated by a Service Request through the Service Desk.

Moving on, let us look into access management as value to the business.

Access Management - Value to the Business

How does access management add value to the business?

Access Management provides value by controlling access to services ensuring that the organization is able to maintain more effectively the confidentiality of its information. It adds value by providing, all the employees, the right level of access to execute their jobs effectively.

Following are the other values of Access Management:

  • There is less likelihood of errors being made in data entry or in the use of a critical service by an unskilled user (e.g. production control systems)

  • The ability to audit the use of services and to trace the abuse of services

  • The ability to easily revoke access rights when needed

  • An important security consideration may be needed for regulatory compliance (e.g. SOX, HIPAA, and COBIT).

Let us learn about the policies in the next slide.

Access Management Policies

Let us go through the different policies stated for access management:

  • Access Management administration and associated activities should be guided and directed by the policies and controls defined by information security management

  • Access Management should log and track accesses to use of services and ensure rights being provided are appropriately used

  • Access Management should maintain access to services in alignment with changes in personnel events such as transfers and termination

  • Access Management should maintain an accurate history of who has accessed or tried to access services. This provides information to those conducting auditing and compliance activities.

  • Policies for handling, escalating and communicating security events should be clearly defined and documented in accordance with the information security policy.

Access Management Key Concepts

Access Management is the process that enables users to use the services that are documented in the Service Catalogue. It comprises the following basic concepts of access, identity, rights, Service groups and directory services:

  • Access refers to the level and extent of a service’s functionality or data that a user is entitled to use.

  • Identity refers to the information about them that distinguishes them as an individual and which verifies their status within the organization. By definition, the Identity of a user is unique to that user.

  • Rights (also called privileges) refer to the actual settings whereby a user is provided access to a service or group of services. Typical rights, or levels of access, include read, write, execute, change, delete.

  • Services or service groups - Most users do not use only one service, and users performing a similar set of activities will use a similar set of services. Instead of providing access to each service for each user separately, it is more efficient to be able to grant each user – or group of users – access to the whole set of services that they are entitled to use at the same time.

  • Directory Services refers to a specific type of tool that is used to manage access and rights. So far, we have learned about the purpose, objective, scope, policies, and concepts of access management.

Let us move on to the activities or techniques in the next slide.

Access Management Activities

Let us go through different activities of Access Management process as follows:

Requesting access

This would be the first activity which will actually trigger the process. Access (or restriction) can be requested using one of any number of mechanisms, including:

  • A standard request which is generated by the Human Resource system. This is generally done whenever a person is hired, promoted, transferred or when they leave the company

  • A Request for Change

  • A Service Request submitted via the request fulfillment system


Once the requisition of access is raised, Verification, which is the next activity that will kick off. Access Management needs to verify every request for access to an IT service from two perspectives:

  • The user requesting access is who they say they are

  • The user has a legitimate requirement for that service

Providing Rights

After the verification, it is time for Providing Rights. Access Management does not decide who has access to which IT services. Rather, Access Management executes the policies and regulations defined during Service Strategy and Service Design.

Access Management enforces decisions to restrict or provide access, rather than making the decision.As soon as a user has been verified, access management will provide that user with rights to use the requested service.

In most cases, this will result in a request to every team or department involved in supporting that service to take the necessary action. If possible, these tasks should be automated.

How about investing your time in ITIL Intermediate OSA Certification? Check out our Course Preview now!

Monitoring Identity Status

This is another activity of the access management process. As users are within the organization, their roles change and so do their needs to access services. Examples of changes include:

  • Job Change

  • Promotions and Demotions

  • Transfers

  • Resignation or death

  • Retirement

  • Disciplinary Action

  • Dismissals

Access Management should understand and document the typical User Lifecycle for each type of user and use it to automate the process. Access Management tools should provide features that enable a user to be moved from one state to another or from one group to another, easily and with an audit trail.

Logging and Tracking Access

This is another important activity of access management. Access Management should not only respond to requests. It is also responsible for ensuring that the rights that they have provided are being properly used.

In this respect, Access Monitoring and Control must be included in the monitoring activities of all Technical and Application Management functions and all Service Operation processes.

Removing or restricting rights

This access is usually done in the following circumstances:

  • Death Resignation

  • Dismissal

When the user has changed roles and no longer requires access to the service Transfer or travel to an area where different regional access applies.

Like any other process, let us look into the inputs and outputs of access management.

Access Management Triggers

Access Management is triggered by a request for a user or users to access a service or group of services.

An RFC can trigger the access management. This is most frequently used for large-scale service introductions or upgrades where the rights of a significant number of users need to be updated as part of the project.

A Service Request can trigger the access management. This is usually initiated through the Service Desk, or directly into the Request Fulfillment system, and executed by the relevant Technical or Application Management teams.

A request from the appropriate Human Resources Management personnel (which should be channeled via the Service Desk) could also trigger the access management. This is usually generated as part of the process for hiring, promoting, relocating and termination or retirement.

A request from the manager of a department, who could be performing an HR role, or who could have made a decision to start using a service for the first time can also trigger the process.

Like problem management, does access management work in tandem with other functional management systems? Let us get the answer to this question in the next slide.

Access Management Inputs and Outputs

Inputs of the access management process could be:

  • Information Security Policies

  • Operational and Service Level Requirements

  • Authorized RFCs

  • Authorized request to grant or terminate access rights

Outputs of the access management could be:

  • Provision of access to IT services in accordance with information security policies

  • Access Management records and history of access granted to services

  • Access Management records and history where access has been denied and the reasons for the denial

  • Timely communication concerning inappropriate access or abuse of services.

The next slide talks about the triggers of access management.

Access Management Interfaces

Access Management interfaces with Information Security Management, Change Management, and Service Level Management. They are described as follows:

Information Security Management

This is a key driver for access management as it will provide the security and data protection policies and tools needed to execute access management.

Change Management

It plays an important role as the means to control the actual requests for access. This is because any request for access to a service is a change, although it is usually processed as a Standard Change or Service Request (possibly using a model) once the criteria for access have been agreed through SLM.

Service Level Management

SLM maintains the agreements for access to each service. This will include the criteria for who is entitled to access each service, what the cost of that access will be, if appropriate and what level of access will be granted to different types of user (e.g. managers or staff).

Configuration Management

There is also a strong relationship between access management and configuration management. The CMS can be used for data storage and interrogated to determine current access details.

We have looked at how ISM is the key driver of access management.

Let us now learn how to manage information of access management in the next section.

Access Management - Information Management

The information management of access management will include identity and users, groups, roles and service groups. These are discussed as follows:


The identity of a user is the information about them that distinguishes them as an individual and which verifies their status within the organization. By definition, the identity of a user is unique to that user.

Since there are cases where two users share a common piece of information (e.g. they have the same name), identity is usually established using more than one piece of information, for example, Name, Address, Contact details, e.g. telephone, e-mail address, etc.

Users, Groups, Roles and Service Groups:

While each user has an individual identity, and each IT service can be seen as an entity in its own right, it is often helpful to group them together so that they can be managed more easily. Sometimes the terms ‘user profile’ or ‘user template’ or ‘user role’ are used to describe this type of grouping.

However, most users also have some specialized role that they perform. For example, in addition to the standard services, the user also performs a marketing management role, which requires that they have access to some specialized marketing and financial modeling tools and data.

To make it easier for access management to provide the appropriate rights, it uses a catalog of all the roles in the organization and which services support each role.

This catalog of roles should be compiled and maintained by access management in conjunction with HR and will often be automated in the Directory Services tools. To measure the efficiency of any process, metrics play a key role in the process.

Let us learn about the access management metrics in the next slide.

Access Management Metrics

Metrics that can be used to measure the efficiency and effectiveness of access management include:

  • The number of requests for access (Service Request, RFC, etc.)

  • Instances of access granted, by service, user, department, etc.

  • Instances of access granted by department or individual granting rights

  • The number of incidents requiring a reset of access rights

  • The number of incidents caused by incorrect access settings.

Like all other modules, access management faces its own challenges and risks. Let’s look into them in detail.

Access Management Challenges and Risks

Following are the challenges the access management process might face:

  • Monitoring and reporting on access activity as well as incidents and problems related to access can be a huge challenge.

  • Verifying the identity of a user is a great challenge almost every service provider suffers because of the huge number of users.

  • Verifying that a user qualifies for access to a specific service is a very important task but at the same time it may become a challenge to follow every time the user asks for any kind of access

  • Linking multiple access rights to an individual user can be the challenge.

  • Determining the status of users at any time and Managing changes to a user’s access requirements

  • Restricting access rights to an unauthorized user can also become a challenge for the process

Similarly, the risks that the access management process might face are:

  • Lack of appropriate supporting technologies to manage and control access to services

  • Controlling access from back door sources

  • Managing and controlling access to services by external third party suppliers

  • Ensuring that necessary levels of access to services and the necessary management controls are provided in a manner that does not necessarily hinder the ability of users to conduct business can be a major risk concerned.

In the next slide, we will learn about the critical success factors of access management.

Wish to have in-depth knowledge of ITIL Intermediate OSA? Check out our Course Preview!

Access Management CSFs and KPIs

Let us discuss some sample CSFs for access management. Each organization should identify appropriate CSFs and KPIs based on its objectives for the process. Each sample CSF is followed by a small number if typical KPIs that support the CSF. These KPIs should not be adopted without careful consideration.

Each organization should develop KPIs that are appropriate for its level of maturity, its CSFs and its particular circumstances. Achievement against KPIs should be monitored and used to identify opportunities for improvement, which should be logged in the continual service improvement (CSI) register for evaluation and possible implementation.

The following table depicts the CSFs and their corresponding KPI:



Ensuring that the confidentiality, integrity, and availability of services are protected in accordance with the information security policy

  • Percentage of incidents that involved inappropriate security access or attempts at access to services

  • Number of audit findings that discovered incorrect access settings for users that have changed roles or left the company

  • Number of incidents requiring a reset of access rights

  • Number of incidents caused by incorrect access settings

Provide appropriate access to services on a timely basis that meets business needs

  • Percentage of requests for access

Provide timely communication about improper access or abuse of services on a timely basis

  • Average duration of access related incidents


Like all other previous lessons, we have covered the purpose, objectives, scope, inputs and outputs, triggers, challenges, risks, activities, information management and metrics of access management.

The next lesson talks about Service Desk.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*