Introduction:

Access management, along with incident, problem, and change management, is one of the core components of ITIL processes that need to be well executed in order to maintain high productivity and keep sensitive data protected within the walls of the organization.

In short, the primary goal of access management is to safeguard data from being accessed by unauthorized users, and that is exactly what completing this checklist will enable you to do, while also keeping a full audit trail in case you need to change permissions or investigate a problem.

According to Invensis Learning, effective access management provides the following benefits to the business:

  • It ensures that by controlling the access to different IT services, the confidentiality of information will be maintained.
  • It ensures that the employees have only the required level of access to complete their jobs effectively.
  • It reduces the possibility of an error being induced in the use of a crucial service by not allowing unskilled users to access it.
  • It provides a means to audit the IT services and trace any misuse of the services.
  • It ensures that access to the service of a particular user can be withdrawn when needed to comply with security requirements.

So let's get started. Before you know it, the user in question will be all set and you can rest easy knowing that they only have access to information that concerns their work.

Requesting access:

Enter requester details

First, enter basic details of the user who is requesting action from access management. 

Enter access manager details

Enter the details of the access manager (process owner) in the form fields below. 

Select type of request

Select the type of request that was received. 

If you select "Other" because none of the listed options reflects the type of request, be sure to elaborate in the text field below for clarification.

Verification:

Verify identity of the user

Before even considering whether or not the user should be granted the access they are requesting, it's essential to verify their identity. 

This is the duty of the access manager and must not be overlooked. It goes without saying that if an error is made at this point in the process, it could lead to devastating consequences for the company. 

Depending on the organization's security policies, the use of a username and password is usually accepted as proof that the person is a legitimate user. However, for more sensitive services, further identification may be required (biometric, use of an electronic access key or encryption device, etc.).

Verify legitimacy of the request

The second and final step in the verification process is to confirm that the request is legitimate.

This will require some independent verification other than the user's request. For example:

  • Notification from HR that the person is a new employee and requires both a username and access to a standard set of services.
  • Notification from HR that the user has been promoted and requires access to additional resources.
  • Authorization from an appropriate (defined in the process) manager.
  • Submission of a Service Request (with supporting evidence) through the Service Desk.
  • Submission of an RFC (with supporting evidence) through Change Management, or execution of a pre-defined standard change.
  • A policy stating that the user may have access to an optional service if they need it.

For new services, the Change Record should specify which users or groups of users will have access to the service. Access management should then check to see that all the users are still valid and automatically provide access as specified in the Request for Change (RFC).

Providing rights:

Determine if access will be authorized

After verifying the user and the legitimacy of their request, it's time to determine if they will be granted access. 

Approval: Decision to grant/deny access

Record the decision in your system

It is essential that you update your system of record throughout the process. Of course, the decision to authorize or reject access must be recorded as soon as possible to maintain data integrity and avoid confusion. 

Notify the requester of the decision

The decision has been made that the user in question will not be granted access.

The requester must be notified of this decision immediately, which you can do by sending the email template below.

Before sending, however, provide a brief explanation as to why their request was denied so this can be automatically populated in the email. 

Notify the requester that access has been granted

The decision has been made that the user in question will be granted access.

The requester must be notified of this decision immediately, which you can do by sending the email template below.

Final step:

Update your system of record

The final step in this process is to update your system of record, making sure that all information is up-to-date. The link to the record is provided below.

Link to record: {{form.Link_to_the_record}}

This is essential for periodic reviews of users' access rights and general data integrity. 
