Introduction:
User Access Management Process is followed whenever a new user access request or a renewal of user access request is needed.
New User Access Request
Sr. No | Activity | Description | Actor | SLA/OLA |
1 | Access Request | Employee, Contractor, or a Customer can request to access respective systems. He can do so by providing below details to EventHub team including o Email / Username o Reason for Access | Customer /Employee /Contractor | |
2 | Fill and Submit User Access Request (UAR) Form | Once the user requests for access and there is really a need the Event Hub team fills in the User-Access Request Form. Event Hub staff ensure that all information including the o Justification for Access o Duration of Access (Start Date and End Date) o Applications, DBs and System o User Roles for Applications, DB, and Systems are properly filled. Event Hub Staff sends out the User-Access Form to Event Hub’s COO or CTO for their Approval. | Event Hub Team | 1 Day |
3 | Request Approval/Rejection | Event Hub CTO/COO reviews the requests and asks for any revision in the roles and privileges if needed. Once the form is updated, the CTO or COO approves the user request. If the request is rejected, the team is notified via email or other official communication channels that the request has been rejected. | Event Hub CTO/COO | 1 Day |
4 | Update User Account Catalog | Once the request is approved, Event Hub Staff should update the User Account Catalog. | Event Hub Team | 1 Day |
5 | Provide Access and Verify Locally | After filling in the User Account Catalog, Event Hub team provides the access to the respective system and verifies the user access either by using Proxy View or by logging in by using the default credentials. | ||
6 | Ask for User Confirmation | Then User is requested to check from his side; if the user is able to access the request is considered to be fulfilled. Otherwise, the Event Hub team continues to troubleshoot until the user has access. | User/Event Hub Team | 2 Days |
Revoking Access:
Access to respective systems should be revoked after their expiry date.
If the system doesn't have an auto-revoke/auto-expire feature, the user access catalog should be checked every week to ensure that no expired account should have the system access. If any user is found to have expired access, his access is manually removed and User Account Catalog should be updated accordingly.
Renewing Access:
If the user wishes to extend the access, he should request the team to extend their request. Event Hub team should then refill the User Request Form with all the information including new expiry dates and provide it to Event Hub CTO/COO for their approval through any official communication channel with a new expiry date of the user account.
Once the Renewal Request has been approved, the User Access Catalog should be updated.
No user is allowed to have indefinite access to the system. For internal/permanent employees the maximum user-access duration is 6 Months.
APPENDIX
1.User Access Request Form
2. User Account Catalog
