6.2.6 Review Role Grantees with WITH ADMIN OPTION

Information

Using the WITH ADMIN OPTION clause of the GRANT (Role) SQL statement, the security administrator can delegate the management and control of membership in a role to someone else.

Rationale:

The WITH ADMIN OPTION clause gives another user the authority to grant membership in the role to other users, to revoke membership in the role from other members of the role, and to comment on a role, but not to drop the role.

Solution

Connect to Db2 database:

db2 => connect to <dbname>

Run the following statement:

db2 => revoke admin option for role <role name> from user <user name>
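
The review step itself, as an added example that is not part of the original benchmark text: a catalog query that lists who currently holds the admin option on each role and builds the matching REVOKE statement for each row. It assumes the Db2 catalog view SYSCAT.ROLEAUTH is readable by the connected user; the REVOKE_STMT column alias is a name chosen for this example.

```sql
-- Added example: list every role membership granted WITH ADMIN OPTION
-- and generate a REVOKE statement for each one, for review before running.
-- SYSCAT.ROLEAUTH holds one row per role membership; ADMIN = 'Y' marks a
-- membership that carries the admin option.
SELECT r.ROLENAME,
       r.GRANTEE,
       r.GRANTEETYPE,   -- U = user, G = group, R = role
       r.GRANTOR,
       r.GRANTORTYPE,   -- S = system, U = user
       -- Names are emitted as delimited identifiers so that mixed-case
       -- role and authorization names survive copy and paste.
       'REVOKE ADMIN OPTION FOR ROLE "' || RTRIM(r.ROLENAME) || '" FROM ' ||
       CASE
         WHEN r.GRANTEETYPE = 'G' AND r.GRANTEE = 'PUBLIC' THEN 'PUBLIC'
         WHEN r.GRANTEETYPE = 'U' THEN 'USER "'  || RTRIM(r.GRANTEE) || '"'
         WHEN r.GRANTEETYPE = 'G' THEN 'GROUP "' || RTRIM(r.GRANTEE) || '"'
         WHEN r.GRANTEETYPE = 'R' THEN 'ROLE "'  || RTRIM(r.GRANTEE) || '"'
       END AS REVOKE_STMT
FROM   SYSCAT.ROLEAUTH r
WHERE  r.ADMIN = 'Y'
ORDER  BY r.ROLENAME, r.GRANTEETYPE, r.GRANTEE;
```

Save it to a file and run it with `db2 -tvf <file>` after connecting. An empty result means no role membership carries the admin option; any row returned should map to a named, approved delegate, and the rest are candidates for the REVOKE statement in the last column.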

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 0b78be02a9d8023a7cd4d5bd761aee9adea670f3a6e6d7460480400e66b40911