ISO/IEC 27001 Control 8.3: Information access restriction

Control

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint is an essential tool for managing information access restriction, supporting it with numerous features.

Implementation Details

MidPoint is designed to manage access control rules and policies, restricting access to information to particular users or groups. MidPoint entitlements represent permissions that restrict access to information in applications and databases. Entitlements are applied to user accounts by the provisioning mechanism, and the synchronization mechanism keeps entitlements consistent with access control policies. User records and assignments stored in the midPoint identity repository record the access rights assigned to particular users. The activation schema can be used in assignments to grant temporary permissions.

Organizational units (representing groups, divisions, teams, projects, etc.) and roles (representing jobs and business responsibilities) are used to group users, applying policies consistently across the organization using role-based access control (RBAC) principles. Entitlements are derived from RBAC mechanisms, taking additional dynamic policies into account, and are applied to user accounts using provisioning mechanisms.

Fine-grained access control policies can be applied to various objects, such as file shares, data partitions, spaces and documents. Relevant data objects can be synchronized to midPoint, usually in the form of "services" with an appropriate archetype. The parametric roles mechanism can be used to control access to such objects, using the relation parameter to specify the access level (e.g. read, write, administration). Information classification mechanisms can be used to set high-level access policies for a class of applications, e.g. allowing public and anonymous access only to applications processing public data. This provides partial isolation of sensitive applications, ensuring that only users with appropriate clearances get access to sensitive information.

The audit trail records all changes in access control permissions. This information can be used for reference, investigation or analysis.
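The following is an added illustration, not midPoint code: a small Python model of the derivation described above, showing how an account's entitlement set follows from role assignments (static roles, parametric roles with a relation parameter, and assignments with an activation window), how a classification-versus-clearance check blocks access to sensitive data objects, and how the resulting set is reconciled against what the account currently holds. All roles, services, users and dates below are constructed for the example.

```python
"""Model of deriving account entitlements from RBAC assignments.

Added example, not midPoint's own implementation. It mimics the ideas on this
page: roles induce entitlements, parametric roles grant access to a synchronized
data object ("service") at a level given by the assignment's relation,
assignments may carry an activation window, and a clearance check refuses
entitlements to objects classified above the user's clearance.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed classification scale; a higher index means more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Service:                       # a data object synchronized into the platform
    name: str
    classification: str


@dataclass
class Role:
    name: str
    entitlements: set[str] = field(default_factory=set)  # static entitlements
    grants_access_to: Optional[str] = None               # parametric: target service


@dataclass
class Assignment:
    target: str                      # role name
    relation: str = "member"         # access level for parametric roles
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Activation schema: the assignment only counts inside its window."""
        return (self.valid_from is None or self.valid_from <= now) and \
               (self.valid_to is None or now <= self.valid_to)


@dataclass
class User:
    name: str
    clearance: str
    assignments: list[Assignment]


def derive_entitlements(user: User, roles: dict[str, Role],
                        services: dict[str, Service], now: datetime):
    """Return (granted, denied): the desired entitlement set and policy violations."""
    granted: set[str] = set()
    denied: list[str] = []
    for a in user.assignments:
        if not a.is_active(now):
            continue                                  # expired or not yet valid
        role = roles[a.target]
        granted |= role.entitlements
        if role.grants_access_to:
            svc = services[role.grants_access_to]
            if LEVELS.index(svc.classification) > LEVELS.index(user.clearance):
                denied.append(f"{svc.name}:{a.relation} "
                              f"({svc.classification} exceeds clearance {user.clearance})")
            else:
                granted.add(f"{svc.name}:{a.relation}")  # e.g. "project-x-space:write"
    return granted, denied


def reconcile(desired: set[str], actual: set[str]):
    """Synchronization step: entitlements to add to / remove from the account."""
    return sorted(desired - actual), sorted(actual - desired)


# Constructed sample data.
SERVICES = {
    "project-x-space": Service("project-x-space", "internal"),
    "hr-share": Service("hr-share", "confidential"),
}
ROLES = {
    "employee": Role("employee", {"mail", "intranet"}),
    "audit-support": Role("audit-support", {"audit-logs"}),
    "project-x-access": Role("project-x-access", grants_access_to="project-x-space"),
    "hr-share-access": Role("hr-share-access", grants_access_to="hr-share"),
}
ALICE = User("alice", "internal", [
    Assignment("employee"),
    Assignment("project-x-access", relation="write"),
    Assignment("hr-share-access", relation="read"),      # blocked by clearance
    Assignment("audit-support", valid_from=datetime(2024, 1, 1),
               valid_to=datetime(2024, 3, 31)),          # temporary, now expired
])
NOW = datetime(2024, 6, 1)
ACCOUNT_NOW = {"mail", "hr-share:read"}                  # what the account holds today


def evaluate(user: User = ALICE, actual: set[str] = ACCOUNT_NOW, now: datetime = NOW):
    granted, denied = derive_entitlements(user, ROLES, SERVICES, now)
    add, remove = reconcile(granted, actual)
    return {"granted": granted, "denied": denied, "add": add, "remove": remove}


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
```

Running it shows alice keeping "mail", gaining "intranet" and "project-x-space:write", losing the stale "hr-share:read" (her clearance is below the share's classification, and the violation is reported rather than silently dropped), and not receiving "audit-logs" because that assignment's activation window has passed. The denied list is the kind of event a real deployment would write to the audit trail.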

Implementation Notes

  • MidPoint relies on access control enforcement in applications and identity resources. Applications are policy decision points (PDP) and, more importantly, policy enforcement points (PEP). MidPoint manages and distributes the policies, acting as a policy administration point (PAP).

  • This control requires "configuration mechanisms to control access", which effectively prohibits hard-coded access control rules in the application. Applications have to expose entitlements, which can be assigned to accounts. MidPoint is designed to manage such entitlement assignments using its role-based mechanisms and policies.

  • The control describes the advantages of a "dynamic access management" mechanism at length. However, it is not clear how such a mechanism is supposed to work. Probably the closest implementation would be a variation of a digital rights management (DRM) mechanism, which is notoriously difficult to use and of questionable reliability. We recommend not following the guidance for "dynamic access management", and instead relying on consistent application of proven and established access control techniques.

Rationale

Management of information access restrictions is an extremely demanding task, especially when it needs to be done at scale. It requires establishing access control policies and consistently enforcing them across many applications and identity resources. An identity administration and governance (IGA) platform such as midPoint is necessary to satisfy this control in any medium-to-large organization.

Documentation

Version      Title                                       Description
Development  Information Classification and Clearances   Ensuring that only users with appropriate clearances get access to sensitive information
4.8          Information Classification and Clearances   Ensuring that only users with appropriate clearances get access to sensitive information