ISO/IEC 27001 Control 5.15: Access control


Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

Policy-driven role-based access control mechanism of midPoint can be used as a solid framework for a topic-specific policy on access control, especially the Policy-driven RBAC mechanism.

Implementation Details

MidPoint roles can determine entitlements used to enforce access control rules on a fine level. Access control rules can be applied both to human users, and non-human identities. Role wizard can be used by owners of information to set up appropriate roles for controlling access to the information. Concept of application can be used to specify application-specific access control rules and policies. For special cases requiring complex and flexible configurations, parametric roles and meta-roles can be used. Segregation of duties (SoD) mechanism as well as other policy rules can be an integral part of access control policy, observing applicable legislation and contractual obligations. Access request process with appropriate approvals can be used to allow access in a controlled manner, certification mechanism can be used to review the access. Changes in access control policy are recorded in audit trail.

Implementation Notes

  • This is an "umbrella" control, setting a general access control requirements, referencing numerous other controls to fill in the details. Implementation details are provided in the description of referenced controls. See the list of related controls for more information.

  • Control description mentions "roles" and RBAC as a suggestion for access control mechanism. It also mentions elements of dynamic access control, which is represented in midPoint by the policy-driven RBAC concept.

  • Control description asks for consistency between access rights and classification (controls 5.12, 5.13), which is given in midPoint by employing policy rules in classifications.

  • Role wizard, together with delegated administration capabilities, can be essential tools to delegate definition of role-based policies to the business users. MidPoint's ability to pre-define policies (a.k.a. "applicable policies") can be used to pre-package policy elements for business people to attach to roles they prepare.

  • Simulation capability is a powerful tool to predict changes in access control policy, avoiding costly and dangerous disasters.


The main functionality of midPoint is focusing on the access control. This is a very important domain for midPoint and without using midPoint it may be hard for organizations to be compliant with this control. MidPoint can be the “one tool” needed to correctly manage access control policy from one place and it can provide proof regarding access control policy and the implemented reality.


Version Title Description
Development Policy-Driven Role-Based Access Control Policy-driven RBAC as an access control mechanism that is based on roles and it includes dynamic policy elements
4.8 Policy-Driven Role-Based Access Control Policy-driven RBAC as an access control mechanism that is based on roles and it includes dynamic policy elements
Was this page helpful?
Thanks for your feedback