Information
Reviewing all roles periodically and removing all users from those roles who do not need to belong to them helps minimize the privileges that each user has.
Rationale:
Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some users may be assigned to roles that are no longer necessary, such as a user changing jobs within the organization. Users who have excessive privileges pose unnecessary risk to the organization.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To remove a user from one or more roles on the current database, run the following commands in the mongo shell:
use <dbName>
db.revokeRolesFromUser("<username>", [<roles>])
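The commands above remove roles from one user at a time. A periodic review is easier to repeat (and to audit) when the comparison between actual assignments and approved ones is scripted. The following is an added example for the mongo shell (mongosh), not code from the benchmark or from MongoDB: it takes user documents in the shape `db.getUsers()` returns, diffs each user's roles against a reviewer-maintained allow-list, and builds the exact argument list `db.revokeRolesFromUser()` expects. The sample users and the allow-list are constructed; `planRevocations`, `applyRevocations` and the dry-run default are this example's own design.

```javascript
// Added example (not from the CIS benchmark or MongoDB docs): a periodic role review
// that diffs actual role assignments against an approved allow-list and plans the
// db.revokeRolesFromUser() calls needed to remove excess roles.
// Assumed: user documents have the shape returned by db.getUsers()
// ({ user, db, roles: [{ role, db }] }); the allow-list is maintained by the reviewer.

// Constructed sample of what db.getUsers().users on the "admin" database might hold.
const sampleUsers = [
  { user: "app_reader", db: "admin", roles: [{ role: "read", db: "orders" }] },
  { user: "jdoe", db: "admin", roles: [
      { role: "readWrite", db: "orders" },
      { role: "dbAdmin", db: "orders" },             // left over from a previous job
      { role: "userAdminAnyDatabase", db: "admin" }, // never approved
  ]},
  { user: "svc_backup", db: "admin", roles: [{ role: "backup", db: "admin" }] },
];

// Constructed approved mapping: username -> "role@db" strings that are still justified.
const approvedRoles = {
  app_reader: ["read@orders"],
  jdoe: ["readWrite@orders"],
  svc_backup: ["backup@admin"],
};

function roleKey(r) { return `${r.role}@${r.db}`; }

// Compare each user's actual roles with the approved list; return the roles to revoke,
// grouped by user, in the array form db.revokeRolesFromUser() accepts.
function planRevocations(users, approved) {
  const plan = [];
  for (const u of users) {
    const allowed = new Set(approved[u.user] || []); // unknown user => nothing approved
    const excess = u.roles.filter((r) => !allowed.has(roleKey(r)));
    if (excess.length > 0) {
      plan.push({ user: u.user, roles: excess.map((r) => ({ role: r.role, db: r.db })) });
    }
  }
  return plan;
}

// Apply a plan against a database handle. In mongosh, pass `db` (after `use admin`).
// dryRun=true only reports what would be revoked, which is the safe default for a review.
function applyRevocations(dbHandle, plan, dryRun = true) {
  const log = [];
  for (const entry of plan) {
    const roleList = entry.roles.map(roleKey).join(", ");
    if (dryRun) {
      log.push(`would revoke [${roleList}] from ${entry.user}`);
    } else {
      dbHandle.revokeRolesFromUser(entry.user, entry.roles);
      log.push(`revoked [${roleList}] from ${entry.user}`);
    }
  }
  return log;
}

// Stand-alone run: in mongosh you would replace sampleUsers with db.getUsers().users
// and pass the real `db` instead of the stub below.
const plan = planRevocations(sampleUsers, approvedRoles);
const stubDb = { revokeRolesFromUser: () => {} };
console.log(applyRevocations(stubDb, plan, true).join("\n"));
```

Run it in dry-run mode first and keep the printed plan with the review record; only after the excess roles have been confirmed with the users' managers should it be re-run with `dryRun = false`. Because the allow-list is keyed by `role@db`, a role that is approved on one database is still flagged if it appears on another.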