Classification Improvements
Information classification feature
This page describes the Information classification midPoint feature.
Please see the feature page for more details.
Planned feature
This is a planned feature.
It is roughly designed and was evaluated as feasible.
However, there is currently no specific plan for when it will be implemented, because there is no funding for this development yet.
If you are interested in supporting the development of this feature,
please consider purchasing a midPoint Platform subscription.
Introduction
Classification and clearance management has been part of midPoint since 4.8.3. The current implementation is based solely on the pre-existing concepts of meta-roles and policy rules. The basic functionality works, but it is not very convenient. Perhaps the most obvious problem is a lack of visibility and user-friendliness.
Improvements
We need to improve:
- There is no visibility: the classifications (labels) are not easy to see, even when they are assigned directly. We need to:
  - Find a prominent place to display the classifications (labels), e.g. in the object details header.
  - Display classifications in object details panels, perhaps as a top-level item in the panel submenu.
  - Provide better visibility of the pre-defined "Privileged Access" classification, even if assigned indirectly. We want to highlight roles that include privileged access.
  - Compute classifications for roles, using inducements. See Compliance Design Notes for discussion.
- Error messages and overall presentation of policy rule violations. The current error message looks like:
  No assignment exists for role 09360ff0-d506-4751-b13f-4e01422693ac (after operation)
  Overall, the presentation of policy rule violations should be re-thought and significantly improved.
- Improve policy rule structure and operation. Currently, we are using the hasNoAssignment policy constraint. It works, but the notation is not very intuitive. It should be changed to be more like exclusion, with similar behavior. Perhaps hasNoAssignment should be changed to requirement, or even better, a new flexible requirement constraint should be added in addition to the existing hasNoAssignment. The current hasNoAssignment constraint triggers too aggressively, e.g. even in the case where both the classified role and the clearance are removed, the policy rule prohibits the operation even though it is legal.
Compliance
This feature is related to the following compliance frameworks:
- ISO/IEC 27001 5.8: Information security in project management
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.25: Assessment and decision on information security events
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 6.3: Information security awareness, education and training