ACLs should not be entirely empty or contain the “Public” role.

Impact area: Security, Performance

Severity: Warning

Affected element: Access Control

Rule ID: SN-WEAK-ACL


Impact

Empty ACLs, and ACLs that contain the "Public" role, are among the factors that can expose private data to unauthenticated users. An empty ACL is one that specifies no condition, no roles, and performs no validation in its script field, so it grants the operation to everyone who reaches it.


Remediation

Make sure that every ACL on a table that holds private data defines at least one security restriction (a condition, one or more roles, or a validation in the script field) and that none of them includes the "Public" role.
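The rule can be checked mechanically. The following is an added example, not code from the page or from the tool that publishes the rule: a small Node.js function that applies the SN-WEAK-ACL criteria to ACL records. The record shape is an assumption that mirrors ServiceNow's sys_security_acl table (name, operation, condition, script) and the sys_security_acl_role many-to-many table; the sample records are constructed inline. It goes one step beyond the text by treating a script that consists only of comments or whitespace as performing no validation.

```javascript
// Added example: SN-WEAK-ACL as a detection check over ACL records.
// Input shape is assumed to mirror ServiceNow's sys_security_acl table and the
// sys_security_acl_role table (acl sys_id -> role name). Sample data below is
// constructed for the example, not exported from an instance.

const PUBLIC_ROLE = 'public';

// A script field counts as a validation only if something remains after
// stripping block comments, line comments and whitespace (assumption beyond
// the rule text, which only says "performs no validations in the script field").
function hasScriptValidation(script) {
  if (!script) return false;
  const stripped = script
    .replace(/\/\*[\s\S]*?\*\//g, '') // block comments
    .replace(/\/\/.*$/gm, '')         // line comments
    .trim();
  return stripped.length > 0;
}

// Roles attached to one ACL, lower-cased so 'Public' and 'public' match.
function rolesForAcl(aclSysId, aclRoles) {
  return aclRoles
    .filter((r) => r.sys_security_acl === aclSysId)
    .map((r) => r.role.toLowerCase());
}

// Returns one finding per weak ACL. reasons contains 'empty' when the ACL has
// no condition, no roles and no script validation, and 'public-role' when the
// Public role is attached; an ACL can carry both.
function findWeakAcls(acls, aclRoles) {
  const findings = [];
  for (const acl of acls) {
    const roles = rolesForAcl(acl.sys_id, aclRoles);
    const reasons = [];
    const hasCondition = Boolean(acl.condition && acl.condition.trim());
    if (!hasCondition && roles.length === 0 && !hasScriptValidation(acl.script)) {
      reasons.push('empty');
    }
    if (roles.includes(PUBLIC_ROLE)) {
      reasons.push('public-role');
    }
    if (reasons.length > 0) {
      findings.push({ name: acl.name, operation: acl.operation, reasons });
    }
  }
  return findings;
}

// Constructed sample records (not real instance data).
const SAMPLE_ACLS = [
  { sys_id: 'a1', name: 'u_customer_data', operation: 'read',   condition: '', script: '' },
  { sys_id: 'a2', name: 'u_customer_data', operation: 'write',  condition: '', script: '// TODO: restrict\n' },
  { sys_id: 'a3', name: 'u_customer_data', operation: 'delete', condition: '', script: 'answer = gs.hasRole("admin");' },
  { sys_id: 'a4', name: 'u_public_faq',    operation: 'read',   condition: 'active=true', script: '' },
];
const SAMPLE_ACL_ROLES = [
  { sys_security_acl: 'a3', role: 'itil' },
  { sys_security_acl: 'a4', role: 'Public' },
];

console.log(JSON.stringify(findWeakAcls(SAMPLE_ACLS, SAMPLE_ACL_ROLES), null, 2));
```

Against the sample data the check flags the read and write ACLs on u_customer_data as empty and the u_public_faq read ACL for carrying the Public role; the delete ACL passes because it has both a role and a script validation. On a real instance the same function would be fed rows read from the two tables; the logic does not depend on any platform API.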


Time to fix: 40 min


References

This rule is linked to Common Weakness Enumeration CWE-284: Improper Access Control.

Last modified on Nov 10, 2023