Access Management
Contents
1. PURPOSE 4
3. SCOPE 6
7. REFERENCE 36
3
Hartono Subirto 2016
Access Management
1. PURPOSE
The purpose of this document is to describe the Access Management process for the NOC
network operations that will grant authorized users access to NOC services, while
preventing access to non-authorized users.
Chapter–3: Scope: This chapter describes the scope of the document and of the Access Management process.
Chapter–4: General Assumptions: This chapter describes the underlying assumptions made for both the document and the Access Management process.
Chapter–5: Access Management Framework: This chapter shows the interaction of the Access Management process with other related ITIL processes and describes the high-level process sequence for Access Management based on the ITIL framework.
Chapter–6: Access Management Process: In this chapter the Access Management process and its sub-processes (if any) are depicted and specified using rigorous BPMN and process specification templates.
3. SCOPE
NOC Staff
NOC Operations Teams (Network and IT Functions)
Maintenance Centre
Suppliers
An exhaustive description of NOC resources and infrastructure details is given in the following dedicated documents:
4. GENERAL ASSUMPTIONS
The following are the general assumptions made for the Access Management process:
Access rules are already established and readily available to the process.
The roles defined in all processes within this document can be attached to existing positions, e.g. the Access Manager role can be played by a Shift Manager. The distribution of roles to positions is handled dynamically based on the dynamics of shifts, availability of resources, knowledge, load, soft threshold breaches, etc. For instance, the Capacity Manager role can be assigned to the Problem Manager in the 1st shift, and in the 2nd shift it might be assigned to the Access Manager.
Any activity-related assumptions are explicitly identified in the related Process Specification table in Chapter 6.
The following depiction shows the points of interaction of the NOC Access Management process with other related ITIL processes. Arrows moving into the Access Management process signify inputs from the other processes to Access Management, and arrows moving out of the Access Management process signify inputs from Access Management to the other related ITIL processes. All the processes depicted below are defined in their own dedicated documents.
Figure: Interaction of the NOC Access Management process with related ITIL processes. The diagram shows Service Level Management (labelled SLA/OLA), Information Security Management (labelled Access Rules & Policy), Change Management (labelled changes), Problem Management (labelled Potential problems) and Request Fulfillment Management (labelled Service requests).
The Access Management process comprises the following high-level sequence of activities:
Request Access
Establish Identity
Update Ticket
Request Notification
Close Ticket
The NOC Access Management process follows the sequential steps described below (Sections 5.2-5.9). Section 6.1, Process Model, sheds more light on the flow of the Access Management process.
Access Requester. This refers to NOC staff who send an access request to the Service Desk through a call or via e-mail.
Request Fulfillment Process. This refers to access requests raised via the Request Fulfillment process.
Change Management Process. This refers to access requests required by the Change Management process.
Note that all sorts of access requests (access addition, access amendment and access restriction) can be raised via this Access Management process.
Once the access request has been received, and before the Service Desk initiates the process, the identity of the requester has to be verified and established. The identity of a requester is the information that uniquely distinguishes the requester as a valid individual and verifies his status within the organization. The Service Desk searches the customer database to accomplish this. The customer database maintains an up-to-date record of the users with their details and current status. Since two or more users may share a common piece of information (e.g. the same name), identity is established via two pieces of information. The prime piece of information is the Staff ID (if the mode of request is a phone call) or the corporate email used (if the mode of request is email), and the second piece of information can be one of the following:
Name
Address
Phone Number
Email ID
Other unique personal information
For requests emerging from other processes, even though identity establishment happens in the parent process, it is advisable to re-establish the identity.
Once the user identity is authenticated, the next step is to open a ticket as per the NOC ticketing rules. The Service Desk opens a ticket for the request in the system, assigns a Ticket ID, fills in the required fields and identifies the category of the request. If the request falls in a non-access-related category, the Service Desk identifies the relevant process it belongs to and notifies the requester.
Access rules are maintained by the Information Security Officer. The Information Security Officer periodically compiles a function-wise list of all currently active User IDs and communicates the list to the respective stakeholders. It contains the following information for each user:
User ID;
Current access and privilege levels;
Number of days since last access; and
Time period for temporary duration access
The stakeholders review the current active user list and inform the Information Security Officer of any changes. The more roles and groups exist, the more likely role conflicts become. It is the responsibility of the Information Security Officer to create roles and groups carefully so as to avoid role conflicts. Access rules are managed by establishing an Access Control Matrix. Appendix A provides a template for access management.
The Access Manager decides whether the access request is valid or not based on the Access
rules. In case the request is not valid, the ticket is updated and the requester is notified
along with the justification for the rejection of the Access request.
Once the access request is validated, it is processed. It is very important that all access to the systems is logged and tracked. All user activities are logged and routinely checked by the Information Security Officer to identify any abuse of access rights. All activities, including the following, are logged and reflected in the systems' audit trails:
Once the request has been fulfilled, the ticket is updated with the progress.
For each access request, the ticket number and timeline are communicated to the requester. A periodic notification is sent to the requester on the status of the request.
Upon completing the process, the Service Desk informs the Access Requester via email and telephone call, and upon confirmation the Service Desk closes the ticket.
Before the formal closure the Service Desk confirms the category, makes sure that the documentation is complete and conducts a brief customer satisfaction survey.
Figure: Access Management process model (BPMN). Get request (phone call or email; removal/addition/restriction) → Establish Identity (against the Customer Database) → Identify Category → Access Related? If No: Delegate to other processes. If Yes: Open Ticket → Validate Request against the Access Rules (kept up to date by periodic checks) → if Valid: Grant Access and Log Events → Update Ticket → Notify Requester → Close Ticket; if Invalid: Update Ticket → Notify Requester → Close Ticket (default).
Summary/Purpose: To grant authorized users the right to use a service, while preventing access to non-authorized users.
Related ITIL Practices: Information Security Management Process, Service Level Management, Change Management, Availability Management, Incident Management.
Assumptions: Only authorized requesters within NOC operations raise access requests.
Trigger: Phone Call, Email
Access Management
Basic Course of Event:
1. Service Desk gets a request from NOC users, the Change Management process or the Request Fulfillment Process.
2. Service Desk establishes the identity of the access requester by checking the customer database.
3. Service Desk identifies the category of the request.
4. Upon identifying the request, Service Desk opens an access-related ticket.
5. Access Manager validates the request.
6. Access Manager grants access and logs events.
7. Service Desk updates the ticket.
8. Service Desk notifies the requester.
9. Service Desk closes the ticket.
10. End.
Invalid Request:
1. Service Desk updates the ticket.
2. Service Desk notifies the requester.
3. Service Desk closes the ticket.
4. End.
Exception Path: NA
A genuine request
Actors/Agents: Access Requester, Request Fulfillment, Change Manager, Service Desk, Access Manager, Security Officer
Provides Feedback.
Provides Feedback.
Provides Feedback.
Opens a ticket
Notifies Customer
Closes Ticket
Figure: Establish Identity (Phone) sub-process. Service Desk asks the phone caller for credentials (Primary ID / Secondary Identity); the requester provides the credentials; Service Desk verifies the credentials against the Customer Database; when a match is found the identity is established, and in either case the requester is informed of the outcome.
Related Operational Policies: NA
Trigger: Phone call, Email (optional)
Establish Identity (Phone)
Basic Course of Event:
1. Service Desk asks the phone caller for primary and secondary credentials.
2. Customer provides the credentials to Service Desk.
3. Service Desk obtains the identification credentials.
4. Service Desk verifies the credentials against the customer database.
5. Service Desk checks the Primary ID and Secondary ID provided.
6. Service Desk establishes identity when a match is found.
7. Service Desk informs the requester.
8. End.
Post-conditions: A request from a user who is not authenticated is terminated.
Related KPIs: NA
Related CTQs: NA
Escalation: NA
Figure: Open Ticket sub-process. From the request record and the requester details, Service Desk applies the categorization rules to set the Access Category and Access Priority, assigns the Access Ticket ID, records the Access Requester, establishes the timeline (time to finish) from the SLA/OLA, records the Access Description, Resolution, Current Status and Closure Time and date, and notifies the Requester.
Related Business Driver: Accuracy of record
Related Operational Policies: NA
Notify Customer
1. Service Desk identifies the Ticket ID, the identity of the request owner, and the timeline.
2. Service Desk notifies the requester.
3. End.
Alternative Path: NA
Exception Path: NA
Preconditions: NA
Related KPIs: NA
Related CTQs: NA
Escalation: NA
Service Desk: Collects access information from the customer, Request Fulfillment and the Change Manager. Opens the ticket and populates the following fields from various sources:
Access Date and Time
Access Owner
Establish Timeline
Access Description
Resolution
Current Status
Related Problem
Closure Time and date
Service Desk
Summary/Purpose: Explanation of the sub-process for delegating non-access requests to the applicable process
Related Operational Policies: NA
Alternative Path: NA
Exception Path: NA
Preconditions: NA
Related Risks: NA
Related KPIs: NA
Related CTQs: NA
Delegation: NA
Escalation: NA
Figure: Notify Requester sub-process. On an access request update, Service Desk updates the customer record and the request record, notifies the requester, and checks whether confirmation has been received (Yes/No); if not, it continues to wait to receive confirmation.
Related Operational Policies: NA
Trigger: Non-access request, Approved access request, Access request update
Notify Requester
Basic Course of Event:
1. For a non-access request, an access update or an approved access request, Service Desk obtains contact details from the customer, the Change Management process or the Request Management process.
2. Service Desk calls and/or emails the customer.
3. The Customer, Change Manager or Request Fulfillment Manager confirms acceptance.
4. Service Desk receives confirmation via email.
5. End.
Alternative Path: NA
Preconditions: NA
Related Risks: NA
Related KPIs: NA
Related CTQs: NA
Escalation: NA
Request Fulfillment Manager: Receives the notification and confirms the acceptance.
Figure: Close Ticket sub-process. With the requester notified, Service Desk verifies the category (Category ok? If not, update the access record), checks the documentation (Documentation ok? If not, update the access record), sends the satisfaction survey and updates the survey record, and finally updates the access information in the access record.
Related Operational Policies: NA
Close Ticket
Basic Course of Event:
1. Service Desk verifies the category.
2. Service Desk checks the documentation.
3. Service Desk conducts the satisfaction survey via email.
4. The Customer, Change Manager or Request Fulfillment sends feedback via email.
5. Service Desk updates the access information.
6. Service Desk closes the request formally.
7. End.
Alternative Path: NA
Exception Path: NA
Extension points: NA
Related KPIs: NA
Related CTQs: NA
Escalation: NA
Change Manager: Receives the customer satisfaction survey and, after evaluation of the service, sends it to Service Desk.
Request Fulfillment Manager: Receives the customer satisfaction survey and, after evaluation of the service, sends it to Service Desk.
Service Desk: Checks whether the category has been correctly identified. Verifies the documentation and, if the documentation is not updated, updates it. Conducts the satisfaction survey (email) and updates the survey record. Formally closes the ticket and the access request.
7. REFERENCE
This chapter serves as the prime reference for Chapter 6 and presents the details supporting Chapter 6 in tabular form. It consists of various variable values that will frequently evolve or change as the NOC Access Management process matures or changes.
At a minimum this document is updated by the NOC operations team biannually. However, if the need arises, it may be updated earlier than its prescribed revision period.
7.2 Risk
ID | Description | Activity | Level | - | Mitigation
RR-001 | Service Desk email can undergo a SPAM attack, resulting in its unavailability or at least bad performance. | TBD | High | NA | Put a spam control system in place and, furthermore, provide redundant infrastructure for email.
RR-004 | The mechanism to identify fraudulent calls made by insider users is not in place. | Establish identity | Low | NA | The Service Desk line should be a direct number, and all calls to the Service Desk should be logged and the call logs periodically run through.
RR-005 | Service Desk email can undergo a SPAM attack, resulting in its unavailability or at least bad performance. | Establish identity | Medium | NA | Service Desk should have a state-of-the-art anti-spam solution.
RR-006 | The ticketing system for the organization is down. | Open Ticket | High | NA | There should be a ticketing procedure to handle access in case the ticketing system is offline.
RR-007 | The analyst closes the ticket before the problem was settled. | Ticket Close | High | NA | The analyst should not be provided with any capability to close the ticket.
QA ID | Description | Threshold
DQ ID | Description | Threshold
OP-002 | Security officer is available only in business hours | Shift, Non-working days | TBD
7.6 KPI
Note: the above section refers to internal KPIs, which would be managed and monitored by
Access Manager as per the timescale mentioned in the respective KPI.
7.7 CTQ
Maximum time to close ticket | MTCT | The maximum time allowed to close the ticket, if no feedback is received from the requester | TBD
GLOSSARY/ ACRONYMS
Terminology | Description
Abstract Time Scale | Time scale that will be quantified both during operations and during continuous process improvement. These time identifiers are correlated with the soft thresholds that are dynamically specified during the life span of the process.
Access | Refers to the level and extent of a service's functionality or data that a user is entitled to use.
Access Request Closure | A formal closure of the ticket by the Service Desk after fulfilling the request and receiving confirmation from the requester.
Access requester | The authorized users within the network operations who require access to network information and systems. Requesters include THE OPERATOR, NOC, MC and Suppliers.
Business Rules | Business rules are intended to assert business structure or to control or influence the behaviour of the business. Business rules describe the operations, definitions and constraints that apply to an organization.
Data Quality Dimensions | The totality of features and characteristics of data that bear on their ability to satisfy a given purpose.
Identity | Refers to the information about users that distinguishes them as an individual and which verifies their status within the organization. By definition, the identity of a user is unique to that user.
MC | Maintenance Centre
Network Modernization
Quality Attributes | Quality attributes are non-functional requirements used to evaluate the performance of a process.
Risk | A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of
the asset to that threat, and the impact it would have if it occurred.
Rights | Rights or privileges refer to the actual settings whereby a user is provided access to a service or group of services. Typical rights, or levels of access, include read, write, execute, change and delete.
INTRODUCTION
Below are the various BPMN concepts used in this document, with their definitions and graphic notation.
PROCESS START
All processes have to start somehow; the general notation for the start of a process model is the START event, drawn as a circle.
One can simply use the basic unmarked start event, or one of the different types of start event, to provide more detail as described below.
MESSAGE Start: if a process starts when some sort of message arrives (mail, email, text), the Message start notation can be used.
LINK Start: if a process starts when another process finishes, the Link start notation can be used.
MULTIPLE Start: if there is more than one 'trigger' for a process to start, the Multiple start notation can be used.
INTERMEDIATE EVENTS
The following notation can be used to display intermediate events, similar to start and end events: BASIC, MESSAGE, TIMER, RULE, LINK, MULTIPLE.
PROCESS END
All processes have to end somehow; the general notation for the end of a process model is a circle with a solid line.
One can simply use the basic end event, or one of the different types of end event, to provide more detail, as described below:
MESSAGE End: if a process ends by something being sent via a message of some sort (e.g. mail, email, document), the Message end notation can be used.
LINK End: if the end of this process causes the start of another, the Link end notation can be used.
MULTIPLE End: if there is more than one consequence of the process ending, the Multiple end notation can be used.
SWIMLANES
Pool: A container for partitioning a set of activities from other Pools.
Lane: A sub-partition within a Pool that extends the entire length of the Pool, either vertically or horizontally. Lanes are used to organize and categorize activities.
CONNECTORS
ARTIFACTS
Annotation: The ANNOTATION shape is used to add comments to a process model. It consists of text in a square left bracket (for example: "This is some text which helps explain something about the model").
GATEWAYS
An access control matrix is a list of permissions given to roles for accessing an object (file/module). The access control matrix is a good medium for identifying who can access what, and to what level, and hence establishes a means of control in an environment.
Role | Service group | Modules Accessible | Read (Y/N) | Write (Y/N) | Delete | Remarks
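The Access Manager's validation step (Section 5, "validate request") applied to the Appendix A template above, as an added example that is not the process document's own tooling: each request is checked against the matrix, a justification is produced for rejections, and every decision is written to an audit trail. Roles, service groups, module names and matrix rows are constructed; one role is given two contradictory rows for the same module to show how a role conflict surfaces.

```python
"""Validating an access request against an Access Control Matrix.

Added example, not part of the process document. The matrix rows, roles,
service groups and module names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class MatrixRow:
    role: str
    service_group: str
    module: str
    read: bool
    write: bool
    delete: bool
    remarks: str = ""


# Constructed Access Control Matrix. "Supplier" appears twice for the same
# module with different write permissions: a role conflict of the kind the
# Information Security Officer is meant to avoid when creating roles.
ACM = [
    MatrixRow("NOC Operator", "Network", "alarm-console", True, True, False, "no deletion of alarm history"),
    MatrixRow("NOC Operator", "Network", "config-repo", True, False, False),
    MatrixRow("Shift Manager", "Network", "config-repo", True, True, True),
    MatrixRow("Supplier", "Maintenance", "ticketing", True, False, False, "temporary access only"),
    MatrixRow("Supplier", "Network", "ticketing", True, True, False),
]
OPERATIONS = ("read", "write", "delete")


@dataclass
class AuditTrail:
    """Every validation decision is logged for periodic review by the ISO."""
    events: list = field(default_factory=list)

    def log(self, **event) -> None:
        self.events.append({"time": datetime.now(timezone.utc).isoformat(), **event})


def validate_request(ticket_id: str, role: str, module: str, operation: str,
                     trail: AuditTrail) -> tuple[bool, str]:
    """Return (valid, justification) for a request and log the decision.

    The justification is what the Service Desk passes back to the requester
    when a request is rejected.
    """
    if operation not in OPERATIONS:
        valid, why = False, f"unknown operation '{operation}'"
    else:
        rows = [r for r in ACM if r.role == role and r.module == module]
        allowed = {getattr(r, operation) for r in rows}
        if not rows:
            valid, why = False, f"role '{role}' has no entry for module '{module}'"
        elif len(allowed) > 1:
            # Contradictory rows: reject rather than guess, and refer to the ISO.
            valid, why = False, "conflicting matrix entries; refer to Information Security Officer"
        elif not allowed.pop():
            valid, why = False, f"matrix denies '{operation}' on '{module}' for '{role}'"
        else:
            valid, why = True, "permitted by the Access Control Matrix"
    trail.log(ticket=ticket_id, role=role, module=module, operation=operation,
              decision="approved" if valid else "rejected", justification=why)
    return valid, why
```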