ISO/IEC 27001 Control 5.15: Access control

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

The policy-driven role-based access control mechanism of midPoint can be used as a solid framework for a topic-specific policy on access control, especially the Policy-driven RBAC mechanism.

Policy-driven role-based access control mechanism (PD-RBAC) implemented by midPoint is an essential mechanism for establishing a comprehensive, dynamic and practical access control framework. Roles can be assigned to users automatically (based on rules), manually, or by using an access request process. There may be several types (archetypes) of roles, such as application roles, business roles and technical roles. They can be composed into an RBAC hierarchy, including (inducing) privileges of lower-level roles in higher-level roles. Roles determine entitlements, used to enforce access control rules on a fine level. Entitlement concept can be used to model system-specific privileges, groups or other access control means, which can be automatically controlled by midPoint. Role wizard can be used by owners of information to set up appropriate roles for controlling access to the information. The concept of application can be used to specify application-specific access control rules and policies. Roles, entitlements, applications and resources are key concepts of access control model, which together form very powerful and flexible access control structures. Organizational structures can be directly used for access control as well, including (inducing) access required by an organizational unit directly in the organizational unit definition. Policy rules can be used to set up additional access control policies, as well as constraints on access control model (such as exclusion or requirement constraints). Information classification mechanism can also contribute to access control, setting additional rules and parameters. For special cases requiring complex and flexible configurations, parametric roles and meta-roles can be used. Segregation of duties (SoD) mechanism as well as other policy rules can be an integral part of access control policy, observing applicable legislation and contractual obligations. SoD mechanisms provide "segregation of access control functions", as required by the control. Access request process with appropriate approvals can be used to allow access in a controlled manner, certification mechanism can be used to review the access. Generic synchronization can be used to automatically create application roles from resource entitlements (e.g. Active Directory groups). Alternatively, resource entitlements (e.g. groups) can be automatically created for application roles. Changes in access control policy are recorded in the audit trail.

The main functionality of midPoint is focusing on the access control. This is a crucial problem domain that midPoint is addressing. Without using midPoint or equivalent platform, it may be nearly impossible for organizations to be compliant with this control at scale. MidPoint can be the "one tool" needed to correctly manage access control policy from one place and it can provide proof regarding access control policy and the implemented reality.