

What is Least privilege?

Understanding Least privilege

The practice of granting a user only the minimal permissions necessary to perform their explicit job function. The principle of least privilege requires that users, systems, and processes be granted only the minimum access rights needed to perform their authorized tasks, reducing the attack surface and limiting the potential damage from compromised accounts or systems. This fundamental security principle is required by frameworks such as ISO 27001, NIST SP 800-53, and CIS Controls, and by regulations such as PCI DSS. Organizations implement least privilege through role-based access control, privilege management systems, just-in-time access, and regular access reviews.

For example, a healthcare organization might implement least privilege by assigning nurses role-based permissions that allow access only to the records of patients under their care, with administrative functions strictly limited to authorized administrators and all privileged access subject to approval workflows and time limits.

Related terms: Need-to-know, Principle of least authority (POLA), Role-based access control, Privilege management, Authorization, Zero trust, Defense in depth.
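The healthcare scenario above combines four of the mechanisms the entry lists: role-based permissions, a need-to-know scope (only assigned patients), just-in-time grants that expire, and periodic access reviews. The following is an added illustration, not code from the glossary or from any product; the roles, permission names, users, patient ids and time window are constructed for the example and are not a standard taxonomy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy (an assumption for this example): each role holds
# only the standing permissions its job function needs. Administrative
# permissions belong to the admin role alone.
ROLE_PERMISSIONS = {
    "nurse": {"patient.read", "patient.update_vitals"},
    "physician": {"patient.read", "patient.update_vitals", "patient.prescribe"},
    "admin": {"user.manage", "audit.read"},
}

# Permissions that act on one patient record and are therefore also subject to
# the need-to-know check: the patient must be assigned to the requesting user.
PATIENT_SCOPED = {"patient.read", "patient.update_vitals", "patient.prescribe"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    assigned_patients: frozenset  # patients currently under this user's care


@dataclass(frozen=True)
class JitGrant:
    """A just-in-time grant: one permission for one user, approved by someone
    else, valid only until expires_at."""
    user: str
    permission: str
    approved_by: str
    expires_at: datetime


def is_authorized(user, permission, patient_id=None, jit_grants=(), now=None):
    """Return (allowed, reason). Deny is the default; every allow names its basis."""
    now = now or datetime.now(timezone.utc)

    # Need-to-know: a patient-scoped permission is only meaningful for an
    # assigned patient, regardless of what the role would otherwise allow.
    if permission in PATIENT_SCOPED:
        if patient_id is None:
            return False, "patient-scoped permission requested without a patient id"
        if patient_id not in user.assigned_patients:
            return False, f"{user.name} is not assigned to patient {patient_id}"

    # Standing permissions granted by the user's role.
    if permission in ROLE_PERMISSIONS.get(user.role, set()):
        return True, f"granted by role {user.role}"

    # Otherwise only an unexpired grant for this user and permission, approved by
    # a different person, qualifies. Expired or self-approved grants are ignored.
    rejected = []
    for g in jit_grants:
        if g.user != user.name or g.permission != permission:
            continue
        if g.approved_by == user.name:
            rejected.append("self-approved grant")
        elif g.expires_at <= now:
            rejected.append(f"grant expired at {g.expires_at.isoformat()}")
        else:
            return True, f"granted just-in-time, approved by {g.approved_by}"

    detail = "; ".join(rejected) if rejected else "no grant exists"
    return False, f"{permission} is not part of role {user.role} and {detail}"


def access_review(users, usage_log, now, window_days=90):
    """Periodic access review: flag standing role permissions a user has not
    exercised within the window, as candidates for removal.
    usage_log is an iterable of (user_name, permission, timestamp) tuples."""
    cutoff = now - timedelta(days=window_days)
    used = {}
    for name, perm, ts in usage_log:
        if ts >= cutoff:
            used.setdefault(name, set()).add(perm)
    findings = {}
    for u in users:
        unused = ROLE_PERMISSIONS.get(u.role, set()) - used.get(u.name, set())
        if unused:
            findings[u.name] = unused
    return findings


if __name__ == "__main__":
    # Constructed users and clock for a stand-alone run.
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    nurse = User("alice", "nurse", frozenset({"P-100", "P-101"}))
    admin = User("bob", "admin", frozenset())
    grant = JitGrant("alice", "audit.read", "bob", now + timedelta(hours=1))
    for args in [
        dict(user=nurse, permission="patient.read", patient_id="P-100"),
        dict(user=nurse, permission="patient.read", patient_id="P-999"),
        dict(user=nurse, permission="user.manage"),
        dict(user=nurse, permission="audit.read", jit_grants=[grant]),
        dict(user=admin, permission="user.manage"),
    ]:
        print(args["user"].name, args["permission"], is_authorized(now=now, **args))
```

The decision function is deliberately deny-by-default: a request is allowed only when a named basis (role membership or a specific, unexpired, independently approved grant) is found, which is what makes the resulting allow/deny reasons useful as an audit trail. The review function implements the "regular access reviews" step by turning usage data into a list of standing permissions that are candidates for removal.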
