MD3X-00-000020 - MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Details

MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.




Solution

Use createRole(), updateRole(), dropRole(), grantRole() statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.

MongoDB commands for role management can be found here:
https://docs.mongodb.com/v3.4/reference/method/js-role-management/


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system MongoDB.


References


Source