AlignTrust

Principle of Least Privilege

A security principle that grants users, applications, and systems only the minimum access rights required to perform their function — nothing more.

What Is the Principle of Least Privilege?

The principle of least privilege (PoLP) — also called least-privilege access or minimal privilege — states that any user, process, or system should only have the access permissions necessary to perform its specific function. No more, no less.

A sales rep doesn't need access to financial systems. A developer doesn't need production database credentials. A marketing tool doesn't need access to your customer payment data. Granting excess permissions "just in case" creates unnecessary risk.

Why It Matters

When attackers compromise an account or system, they inherit its permissions. A breached account with excessive access becomes a master key for lateral movement — the attacker can access far more than the initial compromise would suggest.

The 2020 SolarWinds attack is a landmark example: attackers with minimal initial access escalated to high-privilege credentials and moved laterally across thousands of organisations undetected.

Least Privilege in Practice

User accounts: Audit who has admin rights. Most staff should have standard user accounts. Admins should have a separate, dedicated admin account used only for admin tasks.

SaaS applications: Review OAuth permissions. Many apps request far more access than they need. Revoke unused integrations.

Service accounts: Applications that connect to databases or APIs should have read-only access unless write access is explicitly required.

Cloud IAM: Use roles with specific permissions scoped to what each workload needs. Avoid wildcard policies.

Temporary access: Use just-in-time (JIT) access for sensitive tasks — grant elevated permissions for a specific window, then revoke automatically.

Getting Started

  1. Inventory all accounts and their current permissions
  2. Identify and remove dormant accounts (former employees, unused service accounts)
  3. Remove admin rights from accounts that don't need them
  4. Set a quarterly access review cadence
  5. Use role-based access control (RBAC) to manage permissions at scale
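Steps 1 to 3 and 5 above can be run as one scripted review pass once the inventory exists. The following is an example added here, not AlignTrust's tooling: it takes a constructed account inventory, an assumed 90-day dormancy threshold, and a small role-to-permission map (the RBAC model from step 5), and reports dormant accounts, admin rights on accounts whose role is not admin, and any permission an account holds beyond what its role allows. All names, dates and roles are made up for the example.

```python
"""Access-review pass over a constructed account inventory.

Added example, not AlignTrust's code. The inventory, the 90-day dormancy
threshold, the fixed review date and the role model are all assumptions.
"""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90            # assumption: no sign-in for 90 days counts as dormant
REVIEW_DATE = date(2024, 6, 1)     # constructed "today" so the run is reproducible
ADMIN_PERMISSIONS = {"iam:admin"}  # assumption: the permission that marks admin rights

# RBAC model (step 5): each role lists the permissions it is allowed to carry.
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "developer": {"repo:read", "repo:write", "staging-db:read"},
    "finance": {"ledger:read", "ledger:write"},
    "admin": {"iam:admin", "crm:read", "repo:read", "ledger:read"},
}

# Constructed inventory (step 1): (username, role, granted permissions, last sign-in)
INVENTORY = [
    ("alice", "sales", {"crm:read", "crm:write"}, date(2024, 5, 30)),
    ("bob", "developer", {"repo:read", "repo:write", "prod-db:write"}, date(2024, 5, 28)),
    ("carol", "finance", {"ledger:read", "ledger:write", "iam:admin"}, date(2024, 5, 29)),
    ("dave", "developer", {"repo:read"}, date(2024, 1, 15)),          # left the company
    ("svc-reports", "finance", {"ledger:read"}, date(2023, 11, 2)),   # unused service account
    ("erin-admin", "admin", {"iam:admin", "ledger:read"}, date(2024, 5, 31)),
]


def review_access(inventory, role_permissions, today, dormant_after_days):
    """Return (username, finding, detail) tuples for accounts needing action.

    dormant                   : last sign-in older than the threshold (step 2)
    admin-on-standard-account : admin permission on a non-admin role (step 3)
    beyond-role               : other permissions the role does not allow (step 5)
    """
    findings = []
    cutoff = today - timedelta(days=dormant_after_days)
    for user, role, granted, last_login in inventory:
        if last_login < cutoff:
            findings.append((user, "dormant", f"last sign-in {last_login.isoformat()}"))
        allowed = role_permissions.get(role, set())
        excess = granted - allowed
        admin_excess = sorted(excess & ADMIN_PERMISSIONS)
        if admin_excess:
            findings.append((user, "admin-on-standard-account", ",".join(admin_excess)))
        other_excess = sorted(excess - ADMIN_PERMISSIONS)
        if other_excess:
            findings.append((user, "beyond-role", ",".join(other_excess)))
    return findings


def accounts_needing_action(findings):
    """Distinct usernames with at least one finding, for the review ticket."""
    return sorted({user for user, _finding, _detail in findings})


if __name__ == "__main__":
    results = review_access(INVENTORY, ROLE_PERMISSIONS, REVIEW_DATE, DORMANT_AFTER_DAYS)
    for user, finding, detail in results:
        print(f"{user:12} {finding:28} {detail}")
    print("needs action:", accounts_needing_action(results))
```

Note that the role model is the thing that makes "beyond-role" possible to compute at all: without a written definition of what each role should hold, an access review can only ask each manager "does this still look right?". Rerunning the same pass each quarter gives the review cadence in step 4 something mechanical to start from.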

Small, consistent access hygiene has an outsized impact on your overall security posture.