
SID-ACCESS-01 — Multi-Tenant Isolation

Property     | Value
Owner        | platform
Category     | technical
CSF Function | protect
Group        | Access Control

Description

Tenant context is extracted from JWT claims, which are the authoritative source; client-supplied identifiers are not trusted. Middleware validates that the tenant exists and that the authenticated user is a member of it before the request is processed. This prevents cross-tenant resource access.
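The following is an added illustration of the check the description above names, written for this page and not code from the platform itself. It verifies an HS256-signed JWT with the standard library only, takes the tenant solely from the verified claims, and refuses the request when the tenant is unknown or inactive, when the subject is not a member, or when a tenant identifier supplied in the request path disagrees with the claim. The claim names `tenant_id` and `sub`, the `path_tenant` request field, the signing key, and the tenant and membership registries are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample registries standing in for the platform's tenant store.
TENANTS = {"t-acme": {"status": "active"}, "t-beta": {"status": "suspended"}}
MEMBERS = {"t-acme": {"alice", "bob"}, "t-beta": {"carol"}}
# Placeholder key for the example only; a real deployment uses a managed secret.
SIGNING_KEY = b"example-hs256-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue an HS256 JWT; used here only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; the header never chooses it for us.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def tenant_middleware(request: dict) -> dict:
    """Resolve the tenant from the verified token and enforce isolation.

    request is a constructed dict: {"authorization": "Bearer ...", "path_tenant": "t-acme"}.
    Returns a dict with an HTTP-style status, the resolved tenant/user, and a reason.
    """
    auth = request.get("authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "reason": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return {"status": 401, "reason": "invalid or expired token"}
    tenant_id, user_id = claims.get("tenant_id"), claims.get("sub")
    if not tenant_id or not user_id:
        return {"status": 401, "reason": "token lacks tenant_id or sub"}
    tenant = TENANTS.get(tenant_id)
    if tenant is None or tenant["status"] != "active":
        return {"status": 403, "reason": "unknown or inactive tenant"}
    if user_id not in MEMBERS.get(tenant_id, set()):
        return {"status": 403, "reason": "user is not a member of tenant"}
    # A tenant id in the path is never authoritative: it must agree with the claim.
    path_tenant = request.get("path_tenant")
    if path_tenant is not None and path_tenant != tenant_id:
        return {"status": 403, "reason": "path tenant does not match token tenant"}
    return {"status": 200, "tenant": tenant_id, "user": user_id, "reason": "ok"}


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "tenant_id": "t-acme", "exp": time.time() + 3600})
    print(tenant_middleware({"authorization": "Bearer " + tok, "path_tenant": "t-acme"}))
    print(tenant_middleware({"authorization": "Bearer " + tok, "path_tenant": "t-beta"}))
```

Two ordering choices matter: signature and expiry are checked before any claim is read, so an unverified token never reaches the registry lookups, and the path-versus-claim comparison comes last so a forged or stale token is rejected as 401 rather than leaking whether a tenant exists.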

Operator Responsibility

The platform enforces runtime tenant isolation. The operator is responsible for the access rights management process around it:

(1) User provisioning: document the process for granting and revoking user accounts, admin roles, and service credentials. Changes MUST be made by a designated identity owner, not self-service.

(2) Access reviews: conduct formal access reviews at least quarterly for privileged accounts (platform admin, tenant admin, CI/CD service accounts, HSM admin). Remove accounts that are no longer needed within 24 hours of role change or departure.

(3) Least-privilege principle: each service account and operator role MUST be granted only the permissions required for its function. Over-privileged accounts MUST be remediated on discovery.

(4) Admin credential lifecycle: document issuance, rotation (≤90 days for privileged credentials), and revocation procedures. Retain an audit trail of privilege changes.

(5) Joiners/movers/leavers process: defined and tested procedure for access change events (new staff, role change, departure).

Review criteria: access register, most recent quarterly review record, JML procedure documentation, privileged account inventory.

Components

Source References

Framework Requirements

FitCEM Wallet Instance: FIT-DS-09

ISO 27001 Annex A: A.5.3, A.5.15, A.5.18, A.8.3, A.8.27

OWASP ASVS 4.0.3 Level 3: V1.4, V4.1, V4.2, V4.3

STRIDE Threat Model: WF-E-1, WB-E-1