ISO/IEC 27001 Control 8.18: Use of privileged utility programs

Control

The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

MidPoint provides capabilities for management of rules and policies for accessing privileged utility programs.

Implementation Details

Role-based access control (RBAC) capabilities can be used to manage privileged access, including access to privileged utility programs. This can be combined with organizational structure, policy rules and information classification, e.g. allowing privileged access only to selected organizational units. The segregation of duties (SoD) mechanism can be used to prevent the accumulation of super-critical access privileges by a single user. The activation mechanism can be used to grant privileged access only for a limited time period.
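The following is an added illustration of the three mechanisms above expressed as midPoint objects; it is not taken from the midPoint documentation. The role and user names are constructed, and the OIDs are placeholders that would be replaced by real object identifiers in a deployment.

```xml
<!-- Constructed example: a role that grants access to a privileged utility program.
     The embedded policy rule implements SoD: the role may not be held together
     with the Auditor role (placeholder OID ...0002). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-000000000001">
    <name>Privileged Utility Operator</name>
    <description>Access to utilities able to override system and application controls.</description>
    <assignment>
        <policyRule>
            <name>sod-privileged-utility-excludes-auditor</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-000000000002" type="RoleType"/>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <!-- Enforcement rejects the conflicting assignment outright. -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</role>

<!-- Constructed example: time-limited activation. The assignment of the role above
     is effective only within the validFrom/validTo window; outside it the
     assignment is inactive and the privileged access is not provisioned. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-000000000003">
    <name>operator.example</name>
    <assignment>
        <targetRef oid="00000000-0000-0000-0000-000000000001" type="RoleType"/>
        <activation>
            <validFrom>2024-05-01T08:00:00Z</validFrom>
            <validTo>2024-05-01T12:00:00Z</validTo>
        </activation>
    </assignment>
</user>
```

Restricting the role to selected organizational units would be layered on top of this with additional policy rules or authorizations; the example shows only the SoD exclusion and the time-bounded assignment.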

Implementation Notes

  • MidPoint contains internal mechanisms that are similar to privileged utility programs, namely the runPrivileged and runAs mechanisms for expressions.

Rationale

While the actual enforcement of access control to privileged utility programs is within the scope of operating systems and privileged access management (PAM) systems, midPoint can manage the access control rules and policies.
