7.17 Secure the ACCESSCTRL authority

Information

The ACCESSCTRL authority is the authority required to grant and revoke privileges on objects within a specific database. Some of these privileges include BINDADD, CONNECT, CREATETAB, CREATE_EXTERNAL_ROUTINE, LOAD, and QUIESCE_CONNECT. It has no inherent privilege to access data stored in tables, except the catalog tables and views.

The ACCESSCTRL authority gives the grantee access control over a specified database. With this authority, the grantee can grant privileges to, and revoke privileges from, other users. ACCESSCTRL can be granted to users, groups, or roles, but not to PUBLIC. ACCESSCTRL authority can only be granted by the SECADM authority.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Revoke ACCESSCTRL authority from any unauthorized users.
REVOKE ACCESSCTRL ON DATABASE FROM USER <username>
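
To find who currently holds the authority before revoking it, the query below reads the SYSCAT.DBAUTH catalog view and drafts a REVOKE statement for each holder that is not on an approved list. It is an added example, not part of the benchmark text; the approved names (SECOPS_ROLE, DBSECADM) are constructed placeholders to replace with your own.

```sql
-- Added audit example (not from the benchmark).
-- approved_accessctrl holds constructed placeholder names; replace them
-- with the grantees your organization has authorized.
WITH approved_accessctrl (grantee, granteetype) AS (
    VALUES ('SECOPS_ROLE', 'R'),   -- placeholder: approved role
           ('DBSECADM',    'U')    -- placeholder: approved user
)
SELECT d.grantee,
       d.granteetype,              -- U = user, G = group, R = role
       d.grantor,                  -- who granted it (expected: a SECADM holder)
       'REVOKE ACCESSCTRL ON DATABASE FROM '
         || CASE d.granteetype
              WHEN 'U' THEN 'USER '
              WHEN 'G' THEN 'GROUP '
              WHEN 'R' THEN 'ROLE '
              ELSE ''
            END
         || RTRIM(d.grantee) AS revoke_stmt
FROM   syscat.dbauth d
WHERE  d.accessctrlauth = 'Y'
  AND  NOT EXISTS (
         SELECT 1
         FROM   approved_accessctrl a
         WHERE  a.grantee     = d.grantee
           AND  a.granteetype = d.granteetype
       )
ORDER BY d.granteetype, d.grantee;
```

An empty result means every ACCESSCTRL holder is on the approved list. Review each generated statement before running it as a SECADM holder.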

See Also

https://workbench.cisecurity.org/files/1654