5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database EXEMPT ACCESS POLICY keyword provides the user the capability to access all the table rows regardless of row-level security lockouts. Unauthorized grantees should not have that keyword assigned to them.

Rationale:

The EXEMPT ACCESS POLICY privilege can allow an unauthorized user to potentially access and change data.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE EXEMPT ACCESS POLICY FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/13413