ACLs should not be entirely empty or contain the “Public” role.
Impact area
Security
Severity
Warning
Affected element
Access Control
Rule ID
SN-WEAK-ACL
Impact
An empty ACL, or an ACL that grants the "Public" role, can expose private data to unauthenticated users: either form lets every caller, logged in or not, pass the access check. An empty ACL is one that specifies no condition, requires no roles, and performs no validation in its script field, so it grants access unconditionally.
Remediation
Make sure that every ACL on a table holding private data defines at least one security restriction (a condition, one or more required roles, or validation logic in the script field) and does not grant the "Public" role. A script field that only returns true counts as no validation; review such scripts together with ACLs whose other restrictions are blank.
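The check this rule describes can be run offline over exported ACL records. The following is an added example, not code from ServiceNow or from the rule's author; it assumes an export format of one object per ACL with the fields `name`, `operation`, `active`, `condition`, `script` and the list of granted role names already joined into `roles` (the record shape and the "trivially true script" heuristic are both assumptions of this example):

```javascript
// Added example: flag ACL records that are empty or grant the "public" role.
// Input shape is an assumption; the sample records below are constructed.

// Heuristic (assumption): a script that is blank or only ever answers true
// performs no validation, e.g. "true" or "answer = true;".
const TRIVIALLY_TRUE = /^\s*(?:answer\s*=\s*)?true\s*;?\s*$/;

function scriptValidates(script) {
  if (typeof script !== 'string') return false;
  const s = script.trim();
  if (s.length === 0) return false;
  return !TRIVIALLY_TRUE.test(s);
}

// Returns a list of findings for one ACL record; empty list means it passes.
function auditAcl(acl) {
  const findings = [];
  const roles = (acl.roles || []).map((r) => String(r).trim().toLowerCase());
  const hasCondition = typeof acl.condition === 'string' && acl.condition.trim().length > 0;
  const hasRoles = roles.length > 0;
  const hasScript = scriptValidates(acl.script);

  // Empty ACL: no condition, no required roles, no validating script.
  if (!hasCondition && !hasRoles && !hasScript) {
    findings.push('empty ACL: no condition, no roles, no validating script');
  }
  // The public role is held by unauthenticated users as well.
  if (roles.includes('public')) {
    findings.push('ACL grants the "public" role');
  }
  return findings;
}

// Audits a whole export. Inactive ACLs are skipped because they are not
// enforced (assumption: the export carries the active flag as a boolean).
function auditAcls(acls) {
  return acls
    .filter((acl) => acl.active !== false)
    .map((acl) => ({ name: acl.name, operation: acl.operation, findings: auditAcl(acl) }))
    .filter((result) => result.findings.length > 0);
}

// Constructed sample export for a hypothetical table u_customer_contract.
const SAMPLE_ACLS = [
  { name: 'u_customer_contract', operation: 'read', active: true,
    condition: '', script: '', roles: [] },                                  // empty
  { name: 'u_customer_contract', operation: 'write', active: true,
    condition: '', script: '', roles: ['public', 'itil'] },                  // public role
  { name: 'u_customer_contract', operation: 'delete', active: true,
    condition: '', script: 'answer = true;', roles: [] },                    // script validates nothing
  { name: 'u_customer_contract.amount', operation: 'read', active: true,
    condition: 'state=closed', script: '', roles: [] },                      // condition present: ok
  { name: 'u_customer_contract', operation: 'create', active: true,
    condition: '', script: 'answer = current.assigned_to == gs.getUserID();',
    roles: ['itil'] },                                                       // role + real script: ok
  { name: 'u_legacy_table', operation: 'read', active: false,
    condition: '', script: '', roles: [] },                                  // inactive: skipped
];

function printReport(acls) {
  for (const r of auditAcls(acls)) {
    console.log(`${r.name} [${r.operation}]: ${r.findings.join('; ')}`);
  }
}

printReport(SAMPLE_ACLS);
```

The role comparison is case-insensitive and trims whitespace so that export quirks do not hide a granted "public" role; the script heuristic is deliberately narrow and only catches scripts that are blank or unconditionally true, so anything it does not flag still deserves a manual read.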
Time to fix
40 min
References
This rule is linked to Common Weakness Enumeration CWE-284: Improper Access Control.