O121-C2-002700 - The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

Information

Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by applications, when applicable, to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.

Consideration should be given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events.

If the DBMS does not follow applicable policy when approving access it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and may be in conflict with applicable policy.

Solution

If Oracle Database Vault is in use, use it to configure the correct access privileges for each type of user.

If Oracle Database Vault is not in use, configure the correct access privileges for each type of user using Roles and Profiles.

Do not assign privileges directly to users, except for those that Oracle does not permit to be assigned via roles.

For more information on the configuration of Database Vault, refer to the Database Vault Administrator's Guide:
https://docs.oracle.com/database/121/DVADM/toc.htm

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R9_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-220266r917644_rule, STIG-ID|O121-C2-002700, STIG-Legacy|SV-76065, STIG-Legacy|V-61575, Vuln-ID|V-220266

Plugin: OracleDB

Control ID: 5d960276d7435e499cc1211d5c79c0d736cf9389ef58f4dc63d9fa98447cc0fb