Documentation - V-220341

Title

MarkLogic Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Description

<VulnDiscussion>Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the DBMS. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedure...

Fix Text (Documentation Requirement)

Configure MarkLogic settings and access controls to permit user access only to objects and data the user is authorized to view or interact with, and to prevent access to all other objects and data. Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges. 1. Click the Security Icon. 2. Click the Users Icon. 3. Select one of the added Users with a misconfigured set of Security Roles. 4. Either add or remove Security Role(s) as required per organization/user requirements and system documentation. 5. Click OK. 6. Repeat actions above for all misconfigured Users.