ISO/IEC 27001 Control 8.3: Information access restriction


Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint is an essential tool for managing information access restriction, supporting it with numerous features.

Implementation Details

MidPoint is designed to manage access control rules and policies, restricting access to information by particular user or group. MidPoint entitlements represent permissions, restricting access to information in applications and databases. Entitlements are applied to user accounts by provisioning mechanism. Synchronization mechanism keeps entitlements consistent with access control policies. User records and assignments stored in midPoint identity repository record access rights assigned to particular users. Activation schema can be used in assignments to grant temporary permissions. Organization units (representing groups, divisions, teams, projects, etc.) and roles (representing jobs and business responsibilities) are used to group users, applying policies consistently across the organization using roles-based access control (RBAC) principles. Entitlements are derived from RBAC mechanisms, considering additional dynamic policies, applying the entitlement to user accounts using provisioning mechanisms. Fine-grained access control policies can be applied to various objects, such as file shares, data partitions and spaces and documents. Relevant data objects can be synchronized to midPoint, usually in a form of "services" with an appropriate archetype. Mechanism of parametric roles can be used to control access to such objects, using relation parameter to specify access level (e.g. read, write, administration). Information classification mechanisms can be used to set high-level access policies for class of applications, e.g. allowing public and anonymous access only to applications processing public data. This provides partial isolation of sensitive applications, ensuring that only users with appropriate clearances get access to sensitive information. Audit trail records all changes in access control permissions. This information can be used for reference, investigation or analysis.

Implementation Notes

  • MidPoint relies on access control enforcement in applications and identity resource. Applications are policy decisions points (PDP) and, more importantly, policy enforcement points (PEP). MidPoint is managing and distributing the policies, being a policy administration point (PAP).

  • This control requires "configuration mechanisms to control access", which effectively prohibits hard-coded access control rules in the application. Applications have to expose entitlements, which can be assigned to accounts. MidPoint is designed to manage such entitlement assignments using its role-based mechanisms and policies.

  • The control describes advantages of "dynamic access management" mechanism in length. However, it is not clear how is such a mechanism supposed to work. Probably the closest implementation could be a variation of digital rights management (DRM) mechanism, which is notoriously difficult to use, a mechanism with questionable reliability. We recommend not to follow the guidance for "dynamic access management", and rather rely on reliable application of proven and established access control techniques.


Management of information access restrictions is an extremely demanding task, especially when it needs to be done on scale. It requires establishing of access control policies, and consistent enforcement of the policies across many applications and identity resources. Identity administration and governance (IGA) platform such as midPoint is necessary to satisfy this control in any medium-to-large organization.


Version Title Description
Development Information Classification and Clearances Ensuring that only users with appropriate clearances get access to sensitive information
4.8 Information Classification and Clearances Ensuring that only users with appropriate clearances get access to sensitive information
Was this page helpful?
Thanks for your feedback