Privileged Access
|
Information classification feature
This page describes Information classification midPoint feature.
Please see the feature page for more details.
|
Introduction
Privileged access allows users to perform activities that a typical user cannot. Privileged access usually refers to highly-elevated access rights, often referring to administrative or superuser access. Quite naturally, privileged access poses a significant risk for organizations, therefore special means are in place to track privileged access.
Implementation
MidPoint features allows tracking of privileged access, tracking (application) roles that provide privileged access, as well as users that have these roles.
Privileged access tracking is built as a combination of several midPoint features.
It starts with Privileged access classification.
The Privileged access classification is a pre-configured object (initial objects), provided in default midPoint configuration in a ready-to-use form.
The Privileged access classification is meant to be assigned to application roles that provide privileged access to applications.
Application roles corresponding to administrative and superuser entitlements are obvious candidates for Privileged access classification.
In XML form:
Privileged access classification assigned to application role
<role>
<name>CRM: Customer database admin</name>
...
<assignment>
<targetRef oid="00000000-0000-0000-0000-000000000332" type="PolicyType"/>
</assignment>
...
</role>
<policy oid="00000000-0000-0000-0000-000000000332">
<name>Privileged access</name>
...
</policy>Privileged access classification is a policy object, meant to apply policies and rules to the objects to which it is assigned.
Pre-configured Privileged access classification applies policy rules to affected objects, marking them with Privileged access mark.
The Privileged access mark is designed to mark objects that provide or have privileged access.
Privileged access mark
<mark oid="c58394cd-c883-4e41-927c-f90a7c7a0c97"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<name>Privileged access</name>
...
</mark>The Privileged access mark can be used in searches, dashboards and reports.
Objects marked with the Privileged access mark can be found by querying the effective mark reference:
Unowned mark query
effectiveMarkRef matches ( oid = "c58394cd-c883-4e41-927c-f90a7c7a0c97" )
Default midPoint configuration includes Privileged roles and Privileged users object collections which can be used to locate roles and users with privileged access.
|
This mechanism is used by the default compliance dashboard to show widgets displaying privileged roles and users.
|
Classification and mark duality
There is As a rule of thumb, the |
Limitations
-
Privileged accessmark is applied to users that have privileged access. However, it is not applied to (business) roles that transitively provide privileged access by including (inducing) application roles classified as privileged access. This is a limitation of midPoint computation mechanism (clockwork). -
Currently, there is no concept of privileged entitlement. Application roles are not classified as
Privileged accessautomatically. Current implementation of privileged access tracking assumes manual classification of application roles.
See Also
Compliance
This feature is related to the following compliance frameworks:
-
ISO/IEC 27001 5.2: Information security roles and responsibilities
-
ISO/IEC 27001 5.8: Information security in project management
-
ISO/IEC 27001 5.9: Inventory of information and other associated assets
-
ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
-
ISO/IEC 27001 5.19: Information security in supplier relationships
-
ISO/IEC 27001 5.20: Addressing information security within supplier agreements
-
ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
-
ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
-
ISO/IEC 27001 5.23: Information security for use of cloud services
-
ISO/IEC 27001 5.25: Assessment and decision on information security events
-
ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
-
ISO/IEC 27001 6.3: Information security awareness, education and training
-
ISO/IEC 27001 6.5: Responsibilities after termination or change of employment
-
ISO/IEC 27001 6.6: Confidentiality or non-disclosure agreements
-
ISO/IEC 27001 8.19: Installation of software on operational systems
Was this page helpful?
YES
NO
Thanks for your feedback