31. 08. 2016 Mirko Morandini EriZone & OTRS

Using EriZone for Access Management and Provisioning

Access Management

A critical part of IT Service Management is the management of access to all kinds of IT-related resources, including not only the access to IT systems, networks and software, but also the provisioning of devices such as phones and laptops, contracts (e.g. phone or data contracts with 3rd party operators) and often also items regarding facility management, such as badges and transponders for access to restricted areas.

Access Management is the process of granting authorized users the right to use a service or device, while restricting access to non-authorized users.

For services provided to company employees, access is granted according to regulations and internal policies, which are applied depending on the employee's role in the organization and the specific tasks they are assigned to. For external customers, access and provisioning can be governed by service contracts and business agreements. Moreover, access can be granted or restricted depending on an authorization given by a direct line manager or by a change advisory board, and depending on technical limitations and availability issues.

For example, when an employee changes role from IT administration to consulting, access will be granted to certain business applications, a mobile phone and tablet will be provided, and so on. At the same time, all root access to IT systems and the badge for server room access need to be withdrawn.

Authorization: to give official permission for something to happen, or to give someone official permission to do something [Cambridge Dictionary: Authorization].

The access management process is initiated by placing a service request, which needs to be delivered by the service management team if this is defined by the applicable policy.

Following our example, access that is granted by policy is typically requested by the HR department during the employee’s role change. For access and for the provisioning of new devices that policy does not assign to a given role in the company, an approval process may be necessary.

In EriZone, using the Access Management and Process modules, it is possible to define the processes for delivering on a service request, based on roles and policies. Depending on the position of the employee, a ticket can initiate either a direct delivery or a one- or two-tier authorization process. The authorization request is forwarded to the employee’s direct line manager (or to another role as defined in the company policies). Ideally, the information on the specific manager is available in the company’s Active Directory. Alternatively, it can be saved internally in EriZone.

EriZone can be configured to give authorizations on the agent interface, on the customer interface, or on a simple and reduced smartphone interface, where only the most important information and the Approve / Reject buttons are shown. The authorization interfaces are enabled depending on the user's own role.

After acceptance, the service request ticket is moved to the team in charge of service delivery, the service is delivered by granting access or by handing over the device, and the ticket can finally be closed successfully.

For the HR department, which needs to initiate various access and provisioning activities at once for a single staff member with a certain role, the “Access Management” module provides a convenient way of initiating bulk requests on employee hiring, change of position and leaving. With the features that will shortly be available with version 3.6, these requests can also be organized in a guided sequential process.
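The role-change and bulk-request logic described above can be sketched as follows. This is an added example, not EriZone code or configuration: the role names, items, approval tiers, the MANAGERS mapping (a stand-in for the line-manager information in a directory) and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: role names, items and tiers are illustrative only.
ROLE_POLICY = {
    "it_administration": {"root_access_it_systems", "server_room_badge", "laptop"},
    "consulting": {"business_applications", "mobile_phone", "tablet", "laptop"},
}
# Approval tiers for items no role grants by policy.
APPROVAL_TIERS = {"data_contract": 1, "datacenter_transponder": 2}
# Stand-in for the line-manager attribute held in a directory (constructed).
MANAGERS = {"alice": "bob", "bob": "carol"}

@dataclass(frozen=True)
class Request:
    action: str        # "grant" or "revoke"
    item: str
    approvers: tuple   # () means direct delivery by policy

def approver_chain(employee, tiers, managers=MANAGERS):
    """Return `tiers` line managers above employee; fail closed on a short chain."""
    chain, current = [], employee
    for _ in range(tiers):
        current = managers.get(current)
        if current is None:
            raise LookupError(f"missing tier-{len(chain) + 1} approver for {employee}")
        chain.append(current)
    return tuple(chain)

def role_change_requests(employee, held, new_role, extras=()):
    """Build the bulk request list for hiring (held empty), a role change,
    or leaving (new_role None). Unknown roles raise KeyError."""
    policy = ROLE_POLICY[new_role] if new_role else set()
    # Revoke first: anything held that the new role does not justify.
    requests = [Request("revoke", i, ()) for i in sorted(set(held) - policy)]
    requests += [Request("grant", i, ()) for i in sorted(policy - set(held))]
    for item in sorted(set(extras) - policy):
        tiers = APPROVAL_TIERS.get(item, 2)  # unlisted items take the strictest path
        requests.append(Request("grant", item, approver_chain(employee, tiers)))
    return requests

if __name__ == "__main__":
    for r in role_change_requests("alice", ROLE_POLICY["it_administration"],
                                  "consulting", extras=["data_contract"]):
        print(r)
```

Computing revocations from what the employee currently holds, rather than from the old role's policy alone, also catches access that was approved individually and is no longer justified after the change.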


Mirko Morandini

Mirko Morandini, PhD, has been part of the EriZone team since 2015. As a consultant, he guided the implementation of EriZone in various projects in the DACH area and in Italy.
