UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2574 DO3622-ORACLE10 SV-24569r1_rule ECLP-1 Medium
Description
The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBA's, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts.
STIG Date
Oracle 10 Database Instance STIG 2014-01-14

Details

Check Text ( None )
None
Fix Text (F-26546r1_fix)
Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required.

From SQL*Plus:

revoke [role name] from [grantee];
grant [role name] to [grantee];

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan.