ISO/IEC 27001 Control 5.18: Access rights


Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint is an essential component to make sure access to information is provisioned, reviewed, modified and removed in accordance with policies.

Implementation Details

The access request and approval process can be used to request access, subject the request to the appropriate approvals, and automatically provision the access once it is granted. The process makes sure that all relevant approvals are processed before access is granted, dynamically evaluating approval schemes based on individual role definitions. Temporal activation constraints ("from" and "to" timestamps) can be used to limit the validity of the identity itself, as well as the validity of the assignment of access rights to the identity. The certification capability can be used to review access rights at regular intervals. Moreover, midPoint automatically removes or inactivates the access rights of entities who have left the organization.

Application owners recorded in the application inventory can be used as part of access rights management, taking part in the approval and review (certification) processes. MidPoint automatically evaluates all applicable policy rules, making sure that segregation of duties (SoD) and information classification rules are maintained. MidPoint naturally maintains a central record of all assigned access rights, including assignment metadata: when the access was requested, who approved it, and so on.

Access rights can be assigned and unassigned automatically according to organizational structure membership, either by using inducements or by using the role autoassignment capability. An automatic review of access rights at the moment of an organizational membership change can be implemented with the micro-certification feature. All access right changes are recorded in the audit trail.
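As an added illustration (not taken from the midPoint documentation or product), the following midPoint XML shows several of the mechanisms named above on concrete objects: a business role whose assignment requires approval by the role owner and is protected by an SoD exclusion policy rule, and a user assignment of that role bounded by temporal activation constraints. All OIDs, names and dates are made-up placeholders.

```xml
<!-- Added example objects, not from the midPoint docs. OIDs are placeholders;
     replace them with the OIDs of your own roles before importing. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

  <!-- Business role: assignment needs owner approval, excludes a conflicting role (SoD). -->
  <role oid="11111111-1111-1111-1111-111111111111">
    <name>Payment Approver</name>
    <assignment>
      <policyRule>
        <name>approve-by-role-owner</name>
        <policyConstraints>
          <!-- fires whenever this role is being newly assigned -->
          <assignment>
            <operation>add</operation>
          </assignment>
        </policyConstraints>
        <policyActions>
          <approval>
            <!-- users related to this role as "owner" act as approvers -->
            <approverRelation>owner</approverRelation>
          </approval>
        </policyActions>
      </policyRule>
    </assignment>
    <assignment>
      <policyRule>
        <name>sod-exclude-payment-creator</name>
        <policyConstraints>
          <!-- placeholder OID of the conflicting "Payment Creator" role -->
          <exclusion>
            <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/>
          </exclusion>
        </policyConstraints>
        <policyActions>
          <!-- enforcement: the conflicting assignment is rejected, not just reported -->
          <enforcement/>
        </policyActions>
      </policyRule>
    </assignment>
  </role>

  <!-- User holding the role only for a bounded period (temporal activation on the assignment). -->
  <user oid="33333333-3333-3333-3333-333333333333">
    <name>jsmith</name>
    <assignment>
      <targetRef oid="11111111-1111-1111-1111-111111111111" type="RoleType"/>
      <activation>
        <validFrom>2024-03-01T00:00:00Z</validFrom>
        <validTo>2024-05-31T23:59:59Z</validTo>
      </activation>
    </assignment>
  </user>
</objects>
```

Outside the validFrom/validTo window the assignment is inactive, so the access it induces is automatically de-provisioned; the request, approval decision and timestamps end up in the assignment metadata and the audit trail.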

Implementation Notes

  • The control asks for consideration of the reason for employment termination (among other aspects) when de-provisioning access rights. MidPoint is built to de-provision access rights immediately when it learns about an employment change. However, HR data sources are often integrated using reconciliation, which may introduce significant time delays. Therefore, consider supplementing reconciliation with live synchronization for the HR system. Alternatively, a manual deactivation process should be established for users where the circumstances of the employment termination suggest elevated risk.

  • The control suggests establishing user access roles based on business requirements, also known as business roles. The role wizard, together with delegated administration capabilities, can be an essential tool for delegating the definition of business roles to business users. This is yet another place in the standard that suggests the use of RBAC.

  • The control description describes access rights cloning (a.k.a. "assign the same rights as Mr. Smith has") as an undesirable practice, recommending the use of RBAC instead.
