DG0121-ORACLE11 - Application users privileges should be restricted to assignment using application user roles.

Information

Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. Assign permissions to roles and then grant the roles to accounts.

Solution

Revoke privileges assigned directly to database accounts and assign them to roles based on job functions.

Assign users who are assigned responsibility for the job function to the defined role.

From SQL*Plus:
revoke [privilege] on [object name] from [user name];
grant [privilege] on [object name] to [role name];

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(7), CAT|II, Rule-ID|SV-24755r2_rule, STIG-ID|DG0121-ORACLE11, Vuln-ID|V-15629

Plugin: OracleDB

Control ID: 787efa19c456eb021bca82c79892def8c8d969429d8516501739e2f43fe12ae3