3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges

Information

Reviewing all roles periodically and eliminating unneeded roles as well as unneeded privileges from necessary roles helps minimize the privileges that each user has.

Rationale:

Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some roles may no longer be needed, and some roles may grant privileges that are no longer needed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To revoke specified privileges from the user-defined role on the database where the command is run. The revokePrivilegesFromRole command has the following syntax:

{

revokePrivilegesFromRole: "<role>",

privileges:

[
{ resource: { <resource> }, actions: [ "<action>", ... ]},
...
],
}

See Also

https://workbench.cisecurity.org/files/1725

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(5), CSCv6|14.4

Plugin: MongoDB

Control ID: 6cd1f09c7abf921de06cd68fc4726ca3b86d2b675b3ad985e4ed9d369ed5a331