Details
Reviewing all roles periodically and removing all users from those roles who do not need to belong to them helps minimize the privileges that each user has.
Rationale:
Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some users may remain assigned to roles that are no longer necessary, for example after a user changes jobs within the organization. Users who hold excessive privileges pose unnecessary risk to the organization.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To remove a user from one or more roles on the current database, use the following command:
use <database>
db.revokeRolesFromUser( "<username>", [ "<role>", ... ] )

Here <database> is the database on which the user was created, <username> is the user being reviewed, and each <role> is a role to remove (placeholders, to be replaced with actual values).
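The periodic review described above can be scripted. The following is an added example (not part of the benchmark or of Nessus output): it takes user documents in the shape returned by mongosh's db.getUsers() (user, db, roles: [{role, db}]), compares them against an allowlist of the roles each user is still expected to hold, and renders the db.revokeRolesFromUser() calls for the excess. The sample users and allowlist are constructed for illustration; the command is issued against the user's authentication database, while roles may live on other databases.

```javascript
// Added example: offline role-review helper for the MongoDB control above.
// Input documents mirror db.getUsers() output; the data below is constructed.
const sampleUsers = [
  { user: "appsvc", db: "inventory",
    roles: [ { role: "readWrite", db: "inventory" },
             { role: "dbAdmin",   db: "inventory" } ] },
  { user: "jdoe", db: "admin",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" },
             { role: "read",                 db: "reports" } ] },
  { user: "reporter", db: "reports",
    roles: [ { role: "read", db: "reports" } ] },
];

// Roles each user is still entitled to, keyed "user@authDb" -> ["role@db", ...].
// This allowlist is a constructed assumption standing in for the review outcome.
const approved = {
  "appsvc@inventory": [ "readWrite@inventory" ],
  "jdoe@admin":       [ "read@reports" ],
  "reporter@reports": [ "read@reports" ],
};

function roleKey(r) { return `${r.role}@${r.db}`; }

// Return one finding per user that holds roles outside the approved set;
// users whose roles are all approved produce no finding.
function findExcessRoles(users, allow) {
  const findings = [];
  for (const u of users) {
    const keep = new Set(allow[`${u.user}@${u.db}`] || []);
    const excess = u.roles.filter(r => !keep.has(roleKey(r)));
    if (excess.length) findings.push({ user: u.user, db: u.db, excess });
  }
  return findings;
}

// Render each finding as the mongosh command from the Solution section.
// "use" switches to the database where the user is defined; each role is
// given as { role, db } so roles on other databases are revoked correctly.
function revokeCommands(findings) {
  return findings.map(f => {
    const roles = f.excess
      .map(r => `{ role: "${r.role}", db: "${r.db}" }`).join(", ");
    return `use ${f.db}\ndb.revokeRolesFromUser("${f.user}", [ ${roles} ])`;
  });
}

for (const cmd of revokeCommands(findExcessRoles(sampleUsers, approved))) {
  console.log(cmd);
}
```

The emitted commands are meant to be reviewed by an administrator before being run in mongosh, not executed automatically.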
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: MongoDB.