3.6 Review Superuser/Admin Roles - userAdminAnyDatabase

Information

Roles provide several advantages that make it easier to manage privileges in a database system. Security administrators can control access to their databases in a way that mirrors the structure of their organizations (they can create roles in the database that map directly to the job functions in their organizations). The assignment of privileges is simplified. Instead of granting the same set of privileges to each individual user in a particular job function, the administrator can grant this set of privileges to a role representing that job function and then grant that role to each user in that job function.

Rationale:

Reviewing the Superuser/Admin roles within a database helps minimize the possibility of unwanted privileged access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remove a user from one or more roles on the current database:

use <dbName>

db.revokeRolesFromUser( '<username>', [ <roles> ])
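An added example, not part of the benchmark or the Nessus plugin: a review helper that lists users directly granted userAdminAnyDatabase and builds the matching revokeRolesFromUser statements for any user not on an approved list. The function names, the approved-list format ("<db>.<user>") and the sample user documents are assumptions constructed for illustration.

```javascript
// Constructed sample shaped like documents in admin.system.users.
// In mongosh, pass the real data instead:
//   db.getSiblingDB("admin").system.users.find().toArray()
const sampleUsers = [
  { user: "dba", db: "admin", roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" } ] },
  { user: "app", db: "shop", roles: [{ role: "readWrite", db: "shop" }] },
  { user: "ops", db: "admin", roles: [
    { role: "userAdminAnyDatabase", db: "admin" } ] },
];

const ROLE = "userAdminAnyDatabase";

// Users that hold the role as a direct grant on the admin database.
// Limitation: a grant inherited through a custom role is not detected here.
function findRoleHolders(users, role = ROLE) {
  return users
    .filter(u => (u.roles || []).some(r => r.role === role && r.db === "admin"))
    .map(u => ({ user: u.user, db: u.db }));
}

// For every holder not on the approved list, build the revoke statement
// from the Solution. The statement targets the database where the user
// is defined, which is what "use <dbName>" selects.
function revokeStatements(users, approved, role = ROLE) {
  const allow = new Set(approved);
  return findRoleHolders(users, role)
    .filter(h => !allow.has(`${h.db}.${h.user}`))
    .map(h =>
      `db.getSiblingDB(${JSON.stringify(h.db)}).revokeRolesFromUser(` +
      `${JSON.stringify(h.user)}, ` +
      `[{ role: ${JSON.stringify(role)}, db: "admin" }])`);
}

// Print the review result; statements are for an administrator to inspect
// before running, nothing is executed here.
console.log(findRoleHolders(sampleUsers));
console.log(revokeStatements(sampleUsers, ["admin.dba"]).join("\n"));
```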

See Also

https://workbench.cisecurity.org/files/168

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(5)

Plugin: MongoDB

Control ID: 1d62f7066a019cf32bc5fa0464e9b750ae22322314e9133c710320336ccf2156