Enforcing the principle of least privilege

Only provide the level of access needed to do a job. This is known as the principle of least privilege. Giving accounts (and the people who use them) only the permissions they need reduces the risk of unauthorised access to sensitive or critical areas of a system, and limits what an attacker can reach if an account is compromised. Here are some steps to consider when following this principle.

Decide which permissions users need

You first need to understand what type of access user accounts need. What permissions and system access does each person need to do their job? Look at how staff do their jobs and what tasks they need to do.

Review all system access including:

  • the front-end applications used by your staff, and
  • the infrastructure that your network and system administrators access.

Be sure to include user, system, and service accounts in this review.

To understand what permissions and system access an account needs, ask the user or the system owner. Justify any administrative access with a specific action the account holder needs to perform, and record that justification. This list of justifications can be used later when you review access.

For example, a system account might only need view permissions to do its job. Giving it administrative access would be easier, because the account would then have every permission it might ever need, but that access is not justified by any action the account performs and so should not be given.

When in doubt about which permissions a user needs, grant less access and test it. You can grant more permissions later if the user cannot perform a specific action they need to.

Assess system roles and their permissions

Next, review the permissions assigned to each role within each of your systems. You'll need to look at how roles and permissions are actually configured within the system, because a role name such as 'viewer' says nothing reliable about what it grants.

Make sure you understand how a role has been set up and which users are assigned that role. This will help you to review if a user has the appropriate, minimum level of permissions for their job.

Review permissions currently provided

Once you understand what access or roles your users need, review the access that is currently given. When reviewing access, you should:

  1. check the role configuration. Make sure each role allows only the permissions needed for the tasks it exists to support.
  2. check user access. Compare the roles and permissions a user has with the access they need for their job, and remove any roles or permissions they do not need.
  3. check admin access. Make sure anyone with administrative permissions has a separate, non-administrative account for day-to-day work such as email and web browsing, and uses the administrative account only when an administrative task requires it. This reduces the risk that the user mistakenly carries out a sensitive action, and limits what an attacker can do if the everyday account is compromised (for example, through phishing).
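The three checks above, carried out as an added Python example (this is not code from the original guidance). It works over a small constructed inventory: the permissions each role grants, the permissions each role's tasks actually need, and each account's roles, recorded justification and the permissions its owner's job requires. Role names, permission strings and account names are all assumptions for the example.

```python
"""Least-privilege access review over a constructed inventory.

Added example, not part of the original guidance. It walks the three checks
(role configuration, user access, admin access) over constructed data and
returns the excess permissions and the unjustified or unseparated admin
accounts it finds.
"""
from dataclasses import dataclass

# Permissions each role actually grants, as read out of a system's role
# configuration. Constructed data.
ROLE_PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export", "user:read"},
    "editor":  {"report:read", "report:write"},
    "admin":   {"report:read", "report:write", "user:manage", "role:manage", "config:write"},
}

# Permissions the tasks behind each role actually require (constructed).
ROLE_REQUIRED = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "editor":  {"report:read", "report:write"},
    "admin":   {"report:read", "report:write", "user:manage", "role:manage", "config:write"},
}


@dataclass
class Account:
    name: str
    owner: str                # person or system the account belongs to
    kind: str                 # "user", "system" or "service"
    roles: set
    required: set             # permissions justified by the owner's recorded tasks
    justification: str = ""   # recorded reason for any administrative access


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the given roles grant."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def review_roles(role_permissions=ROLE_PERMISSIONS, role_required=ROLE_REQUIRED):
    """Check 1: roles that grant more than their tasks need."""
    findings = {}
    for role, granted in role_permissions.items():
        excess = granted - role_required.get(role, set())
        if excess:
            findings[role] = sorted(excess)
    return findings


def review_accounts(accounts):
    """Check 2: accounts whose effective permissions exceed their justified needs."""
    findings = {}
    for acct in accounts:
        excess = effective_permissions(acct.roles) - acct.required
        if excess:
            findings[acct.name] = sorted(excess)
    return findings


def review_admins(accounts, admin_role="admin"):
    """Check 3: admin access is justified, and human admins have a separate
    non-admin account for day-to-day work."""
    by_owner = {}
    for acct in accounts:
        by_owner.setdefault(acct.owner, []).append(acct)
    findings = []
    for owner, accts in by_owner.items():
        admins = [a for a in accts if admin_role in a.roles]
        everyday = [a for a in accts if admin_role not in a.roles and a.kind == "user"]
        for a in admins:
            if not a.justification:
                findings.append(f"{a.name}: administrative access has no recorded justification")
            if a.kind == "user" and not everyday:
                findings.append(f"{a.name}: {owner} has no separate non-admin account for day-to-day work")
    return findings


ADMIN_PERMS = ROLE_PERMISSIONS["admin"]

# Constructed inventory: who holds what, and what their recorded tasks justify.
ACCOUNTS = [
    Account("alice", "alice", "user", {"viewer"}, {"report:read"}),
    Account("bob", "bob", "user", {"editor"}, {"report:read"}),            # never writes reports
    Account("carol", "carol", "user", {"viewer"}, {"report:read"}),
    Account("carol-admin", "carol", "user", {"admin"}, set(ADMIN_PERMS),
            justification="Creates and offboards staff accounts"),
    Account("dave-admin", "dave", "user", {"admin"}, set(ADMIN_PERMS)),    # no everyday account, no justification
    Account("svc-reporting", "reporting-service", "service", {"admin"}, {"report:read"}),  # only needs to read
]


def run_review(accounts=ACCOUNTS):
    return {
        "roles": review_roles(),
        "accounts": review_accounts(accounts),
        "admins": review_admins(accounts),
    }


if __name__ == "__main__":
    for section, result in run_review().items():
        print(section, result)
```

Each finding maps back to a step: an over-broad role is fixed in the role configuration, excess account permissions are removed from the account, and an admin without a justification or a separate everyday account is followed up with the owner.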

Good password practices and enforcing multi-factor authentication (MFA) are just as important. Protect every account with a long, unique password and store it in a secure location such as a password manager. If the account is for an internet-facing or administrative service, it should also have MFA configured.

Related critical control: Multi-factor authentication

Monitoring access

Assigned access needs to be reviewed and monitored over time, because people change roles, projects end, and permissions granted for a one-off task are rarely removed afterwards. A regular review of accounts and roles helps you catch this drift and any other irregularities. Review the permissions of administrative accounts more often, given the sensitivity of their access.

Enable logging of actions taken by accounts with administrative permissions. Send the logs to a centralised logging server for analysis and alerting, so that an attacker who gains administrative access to one system cannot simply delete the local record of what they did. Configure rules to send notifications when unexpected actions happen, such as configuration or role changes made outside normal working hours, or administrative actions by an account that is not on your list of approved administrators.
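An added example (not from the original page) of the alerting rules described above, run over a handful of constructed JSON audit events. The field names, action names, approved-admin list and working-hours window are assumptions for the example; in practice they come from your own logging format and from the access review.

```python
"""Alerting on unexpected administrative actions in centralised audit logs.

Added example, not part of the original guidance. It scans constructed JSON
audit events and raises an alert when an administrative action happens
outside working hours, is performed by an account that is not on the approved
admin list, or is an actor changing their own access. Field names (ts, actor,
action, target) and action names are assumptions for this example.
"""
import json
from datetime import datetime, time

# Approved administrative accounts, taken from the access review (constructed).
KNOWN_ADMINS = {"carol-admin", "dave-admin"}

# Actions that require administrative permissions (constructed names).
ACCESS_CHANGES = {"role.assign", "role.create", "user.create", "config.update"}
ADMIN_ACTIONS = ACCESS_CHANGES | {"user.disable", "user.reset_password"}

# Working hours. Events here are UTC; in practice convert to the admin team's
# local time zone before applying this window.
WORK_START, WORK_END = time(8, 0), time(18, 0)


def parse_event(line):
    """Parse one JSON audit record; 'ts' is ISO 8601 with a trailing Z."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def outside_working_hours(ts):
    """True on weekends or outside WORK_START..WORK_END."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def evaluate(ev):
    """Return the reasons this event should alert (empty when it is expected)."""
    reasons = []
    if ev["action"] not in ADMIN_ACTIONS:
        return reasons                      # not an administrative action
    if ev["actor"] not in KNOWN_ADMINS:
        reasons.append("admin action by account not on the approved admin list")
    if outside_working_hours(ev["ts"]):
        reasons.append("admin action outside working hours")
    if ev["action"] in ACCESS_CHANGES and ev.get("target") == ev["actor"]:
        reasons.append("actor changed their own access")
    return reasons


def scan(lines):
    """Evaluate every line and return (timestamp, actor, action, reason) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for reason in evaluate(ev):
            alerts.append((ev["ts"].isoformat(), ev["actor"], ev["action"], reason))
    return alerts


# Constructed audit log. 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = [
    '{"ts": "2024-03-04T09:15:00Z", "actor": "carol-admin", "action": "user.create", "target": "bob"}',
    '{"ts": "2024-03-04T23:40:00Z", "actor": "dave-admin", "action": "config.update", "target": "sso"}',
    '{"ts": "2024-03-05T10:02:00Z", "actor": "bob", "action": "role.assign", "target": "bob"}',
    '{"ts": "2024-03-05T10:05:00Z", "actor": "alice", "action": "report.read", "target": "q1-sales"}',
    '{"ts": "2024-03-09T11:00:00Z", "actor": "carol-admin", "action": "user.disable", "target": "eve"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The approved-admin list is the output of the access review, which is what makes the "not on the approved admin list" rule useful: an account that acquires administrative permissions between reviews shows up the first time it uses them.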