ISO/IEC 27001 Control 8.6: Capacity management


The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), therefore midPoint cannot provide significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint provides supporting information and tools for capacity management.

Implementation Details

Reporting capabilities of midPoint can be used to provide data for capacity planning, such as number of users per application or location. Especially helpful are data derived from application inventory, such as number of users and their roles (e.g. ordinary users versus powerusers). Role-based access control (RBAC) information can be used for projections of future capacity for new applications, or applications that are being rolled-out. Number of member in current roles can provide estimates of number of new users in applications. RBAC can also be instrumental in reducing demand, removing unnecessary privileges from roles using role certification. Similarly, access certification campaigns may reduce demand by removing unnecessary access assigned directly to users. Additionally, reporting mechanisms can be used to look for accounts that were not used for long time. Policy rules may assist in human resource capacity management, making sure that all positions in essential processes are properly staffed. When coupled with reporting, midPoint can provide a list of positions that are not staffed, or are in danger of staff shortage.


While most of capacity planning is way outside of scope of midPoint, there are valuable contributions that midPoint can make to the process.

    Was this page helpful?
    YES NO
    Thanks for your feedback