ITIL defines Access Management differently from IT Security Management. IT Security Management occurs in Service Design, creates policies, and informs Service Level Management on the access configuration for each service.
Access Management sits in Service Operation, and manages access as defined by IT Security Management.
"Identity management" is very closely related to ITIL's access management. Identity management can be an especially big subject at Universities, tied to both IT Security Management and access management. Additionally identity management does not necessarily address the rights granted to individuals (authorization), which is the core of ITIL's access management process.
Access management maps rights to identities. "Identities" are the people in your organization, being able to prove they are who they say they are. "Rights" are the abilities that identities have on various systems, e.g. the right to create new data or the right to delete data.
Access management works closely with Request Fulfillment and/or Incident Management to receive access requests from the Service Desk. These requests follow a standard process:
Additionally, access management is responsible for "access monitoring and control." Access management should ensure that the access provided continues to be appropriate, for example watching out for potential conflicts of interest.
Access management should work with Human Resources to coordinate access removal and suspension as people change jobs, are put on leave, or leave the organization.
Universities may have a large, difficult-to-define population including students, faculty, staff, alumni, parents, and visitors. In this context getting consistent identity information is in itself very difficult.
Additionally, people are more likely to play multiple roles at a University than in a corporation. For example, a student may also be a teaching assistant, an alumnus, and a parent.