DB-004 critical general

Database users documented (including read-only user)

All database users are documented with their purpose and permissions. A read-only user must exist for safe debugging and reporting, so that nobody has to borrow a read-write or admin account to look at data.

Question to ask

"How many DB users exist, and do you know what each one can do?"

Verification guide

Severity: Critical

This is a guided manual check.

Prompt user:

Please provide evidence of your database users and their permissions.

For PostgreSQL, run \du in psql, or: SELECT usename, usesuper, usecreatedb FROM pg_user;

For MySQL, run: SELECT user, host FROM mysql.user; and then, for each user listed: SHOW GRANTS FOR 'username'@'host';

Provide:

  1. List of all database users
  2. Purpose of each user (app, migrations, admin, read-only, etc.)
  3. Permission level for each user

Verify:

  • All users are documented with purpose
  • A read-only user exists for safe debugging/reporting
  • Permissions match stated purpose
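
As an added example (not part of the DB-004 check text), the PostgreSQL queries below go a step beyond \du: they enumerate every role with its attributes and memberships, list who holds which privilege on which table, create a minimal read-only role, and then verify that the role really cannot write. The database name app_db and the role name readonly_debug are assumed placeholders; everything else is standard PostgreSQL catalog and GRANT syntax.

```sql
-- Added example for DB-004 (not the checklist's own code).
-- Assumed placeholders: database app_db, role readonly_debug.

-- 1. Every role and its attributes. pg_roles also shows roles that cannot
--    log in (group roles), which pg_user and \du's default view can hide.
SELECT rolname,
       rolsuper,        -- superuser: bypasses all permission checks
       rolcreatedb,
       rolcreaterole,
       rolcanlogin,
       rolbypassrls     -- bypasses row-level security policies
FROM pg_roles
WHERE rolname NOT LIKE 'pg\_%'   -- skip the built-in pg_* roles
ORDER BY rolname;

-- 2. Role memberships: effective privileges come from inherited roles too,
--    so an app user that is a member of an admin role is effectively admin.
SELECT r.rolname AS member, g.rolname AS member_of, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
ORDER BY 1, 2;

-- 3. Explicit table/view privileges per grantee, straight from the catalog
--    ACLs (information_schema views only show grants visible to the caller).
--    Tables with a NULL ACL (owner-only default privileges) are not listed.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
WHERE c.relkind IN ('r', 'p', 'v', 'm')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2, 3, 4;

-- 4. A read-only role for debugging/reporting (assumed names).
CREATE ROLE readonly_debug LOGIN PASSWORD '<set-a-strong-password>';
GRANT CONNECT ON DATABASE app_db TO readonly_debug;
GRANT USAGE ON SCHEMA public TO readonly_debug;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_debug;
-- Tables created later would otherwise be invisible to the role.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO readonly_debug;
-- Belt and braces: sessions for this role start read-only, so an accidental
-- write fails even if a grant is added by mistake later. (A session can
-- still SET this back, so the missing write grants are the real control.)
ALTER ROLE readonly_debug SET default_transaction_read_only = on;

-- 5. Verification for the "permissions match stated purpose" bullet:
--    any table the read-only role can modify shows up here.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('readonly_debug', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE');
-- Expected for a correctly scoped read-only role: zero rows.
```

Queries 1 to 3 are the evidence to capture for this check; query 5 is the one to re-run whenever the schema changes, since a new table granted to PUBLIC or a careless GRANT ALL would turn the "read-only" user into a write path.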

Pass criteria:

  • Complete list of DB users provided
  • Each user has documented purpose
  • Read-only user exists
  • Permissions are appropriate for each role

Fail criteria:

  • Users not documented
  • No read-only user available
  • Permissions don't match stated purpose

Evidence to capture:

  • List of users with purposes
  • Confirmation of read-only user
  • Permission grants for each user

Section

05. Database & Connections

Database & Data