3.5 Review User-Defined Roles

Information

Reviewing all roles periodically and removing all users from those roles who do not require them helps minimize the privileges for each user.

Important role-management actions that should be reviewed periodically:

createRole: Creates a role and specifies its privileges.

dropRole: Deletes the user-defined role.

grantPrivilegesToRole: Assigns privileges to a user-defined role.

grantRolesToRole: Specifies roles from which a user-defined role inherits privileges.

updateRole: Updates a user-defined role.

Rationale:

Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some users may remain assigned to roles that are no longer necessary, for example a user who changes jobs within the organization. Users who retain excessive privileges pose an unnecessary risk to the organization.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remove a user from one or more roles on the current database, switch to the database where the user is defined and run revokeRolesFromUser, passing the roles to revoke as an array:

> use dbName
> db.revokeRolesFromUser('<username>', [<roles>])
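The review described above (find which users hold user-defined roles that carry any of the listed role-management actions, including roles inherited through grantRolesToRole) can be scripted offline against exported role and user documents. The following is an added example, not part of the CIS benchmark; it assumes documents in the shape returned by db.getRoles({showPrivileges: true}) and db.getUsers(), and the role and user records it contains are constructed sample data. It emits, for each flagged assignment, the revokeRolesFromUser statement from the Solution section for the reviewer to apply once the assignment is confirmed unnecessary.

```javascript
// Added example (not from the benchmark); roles/users below are constructed sample data
// in the shape returned by db.getRoles({showPrivileges: true}) and db.getUsers().
const ROLE_MANAGEMENT_ACTIONS = new Set([
  "createRole", "dropRole", "grantPrivilegesToRole", "grantRolesToRole", "updateRole",
]);

const sampleRoles = [
  { role: "roleAdminCustom", db: "admin", roles: [],
    privileges: [{ resource: { db: "", collection: "" }, actions: ["createRole", "updateRole"] }] },
  { role: "reportReader", db: "reports", roles: [],
    privileges: [{ resource: { db: "reports", collection: "" }, actions: ["find"] }] },
  // No direct privileges, but inherits roleAdminCustom and therefore its actions.
  { role: "helpdesk", db: "admin", privileges: [], roles: [{ role: "roleAdminCustom", db: "admin" }] },
];
const sampleUsers = [
  { user: "alice", db: "admin", roles: [{ role: "roleAdminCustom", db: "admin" }] },
  { user: "bob", db: "reports", roles: [{ role: "reportReader", db: "reports" }] },
  { user: "carol", db: "admin", roles: [{ role: "helpdesk", db: "admin" }] },
];
const roleKey = (r) => `${r.db}.${r.role}`;

// Role-management actions a role carries, directly or via inherited roles.
// The visited set makes repeated or cyclic inheritance terminate.
function roleManagementActionsOf(roleRef, rolesByKey, visited = new Set()) {
  const key = roleKey(roleRef), def = rolesByKey.get(key);
  if (visited.has(key) || !def) return new Set(); // built-in/unknown roles: out of scope here
  visited.add(key);
  const found = new Set();
  for (const priv of def.privileges) {
    for (const action of priv.actions) if (ROLE_MANAGEMENT_ACTIONS.has(action)) found.add(action);
  }
  for (const parent of def.roles) {
    for (const action of roleManagementActionsOf(parent, rolesByKey, visited)) found.add(action);
  }
  return found;
}

// One finding per user/role pair that grants a role-management action, with the
// revoke statement from the Solution section ready once the need is confirmed absent.
function reviewRoleAssignments(users, roles) {
  const rolesByKey = new Map(roles.map((r) => [roleKey(r), r]));
  const findings = [];
  for (const u of users) {
    for (const ref of u.roles) {
      const actions = [...roleManagementActionsOf(ref, rolesByKey)].sort();
      if (actions.length === 0) continue;
      findings.push({ user: u.user, db: u.db, role: ref.role, actions,
        revoke: `use ${u.db}\ndb.revokeRolesFromUser('${u.user}', [{ role: '${ref.role}', db: '${ref.db}' }])` });
    }
  }
  return findings;
}
```

Built-in roles are deliberately skipped here because this control concerns user-defined roles; review built-in role assignments (for example userAdmin or userAdminAnyDatabase) separately.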

See Also

https://workbench.cisecurity.org/files/3560