6.2.3 Review Role Members

Information

Granting privileges to roles and then assigning users to those roles is generally the preferred way to grant application access. Privileges granted directly to individual users are harder to track and to check for unauthorized access, so users should instead be made members of organization-defined database roles that match the needs of the business. As users leave the organization or change responsibilities, the roles appropriate for them change as well, so role membership needs to be reviewed and verified periodically.

Rationale:

Users who have excessive privileges not needed to do their jobs pose an unnecessary risk to the organization as an insider threat.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remove a role member from a particular role:

Connect to Db2 database:

db2 => connect to <dbname>

Run the following:

db2 => revoke role <role name> from <role member>
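The benchmark only shows the revoke step; a reviewer also needs to see who currently holds each role before deciding what to remove. The following SQL is an added example, not part of the CIS benchmark or the Tenable plugin. It reads the Db2 catalog view SYSCAT.ROLEAUTH (one row per role grant, including grants of roles to other roles) and then revokes one membership. The role APP_READONLY and the user JSMITH are hypothetical placeholders.

```sql
-- Added example (not from the CIS benchmark or the Tenable plugin).
-- APP_READONLY and JSMITH are hypothetical names; substitute your own.

-- 1. Full membership report: every role, each grantee, who granted it, and
--    whether the grantee can pass the role on (WITH ADMIN OPTION).
SELECT ROLENAME,
       GRANTEE,
       GRANTEETYPE,      -- U = user, G = group, R = role
       GRANTOR,
       ADMIN             -- Y = granted WITH ADMIN OPTION
FROM   SYSCAT.ROLEAUTH
ORDER  BY ROLENAME, GRANTEETYPE, GRANTEE;

-- 2. Members of one role, to compare against the business owner's
--    approved member list.
SELECT GRANTEE, GRANTEETYPE, ADMIN
FROM   SYSCAT.ROLEAUTH
WHERE  ROLENAME = 'APP_READONLY';

-- 3. Role-to-role grants. A user who holds MEMBER_ROLE inherits everything
--    granted to PARENT_ROLE, so nested roles must be reviewed as well.
SELECT ROLENAME AS PARENT_ROLE, GRANTEE AS MEMBER_ROLE
FROM   SYSCAT.ROLEAUTH
WHERE  GRANTEETYPE = 'R';

-- 4. Remove a member who no longer needs the role. Naming USER (or GROUP /
--    ROLE) explicitly avoids ambiguity when a user and a group share a name.
REVOKE ROLE APP_READONLY FROM USER JSMITH;

-- 5. Verify the revoke took effect (expect 0).
SELECT COUNT(*)
FROM   SYSCAT.ROLEAUTH
WHERE  ROLENAME = 'APP_READONLY'
  AND  GRANTEE = 'JSMITH'
  AND  GRANTEETYPE = 'U';
```

Run these from the same `db2 =>` CLP session after `connect to <dbname>`. Revoking a role requires SECADM authority or having been granted that role WITH ADMIN OPTION, so the reviewer's own connection ID must hold one of those; the ADMIN column in the report above also shows which members could re-grant the role to others, which is worth reviewing as closely as plain membership.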

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: d0e85039723a52eabff310a04d382e73e8d2d7599d063076f63fcfba13a1cd38