3.5 Review User-Defined Roles

Information

Reviewing all roles periodically and removing all users from those roles who do not need to belong to them helps minimize the privileges that each user has.

Rationale:

Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some users may be assigned to roles that are no longer necessary, such as a user changing jobs within the organization. Users who have excessive privileges pose unnecessary risk to the organization.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remove a user from one or more roles on the current database, use the following command:

use <dbName>

db.revokeRolesFromUser( '<username>', [ <roles> ])

See Also

https://workbench.cisecurity.org/files/168

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(5)

Plugin: MongoDB

Control ID: 0fa328688a9323764d5282266c22de8f80debd7706f6500736e1455d761ce8ca