Least Privilege
Least privilege means granting only the minimum access necessary to perform an authorized task.
Senses
Minimize access
Least privilege reduces blast radius by limiting accounts, roles, and services to only the permissions they need, only for the time they need them. It is a key control for both humans and service identities.
- Source: NIST CSRC Glossary — Least privilege (Jan 05, 2026), https://csrc.nist.gov/glossary/term/least_privilege. NIST states most site information is public information and may be distributed or copied, except material marked as copyrighted; attribution requested. Verify per-document markings before quoting.
(I)
The principle that a security architecture should be designed so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. (Compare: economy of mechanism, least trust.)
Tutorial: This principle tends to limit damage that can be caused by an accident, error, or unauthorized act. This principle also tends to reduce complexity and promote modularity, which can make certification easier and more effective. This principle is similar to the principle of protocol layering, wherein each layer provides specific, limited communication services, and the functions in one layer are independent of those in other layers.
- Source: IETF RFC 4949 — Internet Security Glossary, Version 2 (Jan 06, 2026), https://www.rfc-editor.org/rfc/rfc4949.txt. RFC 4949 is published by the IETF Trust and marked "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
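An added illustration (not from either glossary) of the two senses above: a small default-deny authorizer in which every grant is scoped to one action on one resource and carries an expiry, so access is both minimal and time-bounded, plus an audit that lists grants an identity never exercised. The identity, action names and resource paths are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model: each Grant is one action on one resource pattern with an
# expiry. There is no "allow all"; anything not covered by a live grant is denied.

@dataclass(frozen=True)
class Grant:
    action: str            # constructed action name, e.g. "storage:read"
    resource: str          # exact path or a prefix ending in "*"
    expires_at: datetime   # the grant is void at and after this instant

@dataclass
class Identity:
    name: str
    grants: list = field(default_factory=list)

def _matches(pattern: str, resource: str) -> bool:
    # Only a trailing "*" wildcard is supported; everything else is exact.
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def is_allowed(identity: Identity, action: str, resource: str, now: datetime) -> bool:
    """Default deny: allow only if an unexpired grant covers this action and resource."""
    return any(
        g.action == action and _matches(g.resource, resource) and now < g.expires_at
        for g in identity.grants
    )

def excess_grants(identity: Identity, observed: set) -> list:
    """Least-privilege audit: grants that no observed (action, resource) pair ever used."""
    return [g for g in identity.grants
            if not any(g.action == a and _matches(g.resource, r) for a, r in observed)]

def demo() -> dict:
    now = datetime(2026, 1, 5, 12, 0, tzinfo=timezone.utc)
    # A report job only needs to read one prefix during its one-hour window;
    # the second grant is over-broad and long-lived, the kind an audit should flag.
    svc = Identity("report-job", [
        Grant("storage:read", "bucket/reports/*", now + timedelta(hours=1)),
        Grant("storage:delete", "bucket/*", now + timedelta(days=365)),
    ])
    observed = {("storage:read", "bucket/reports/q4.csv")}   # constructed access log
    return {
        "read_in_window": is_allowed(svc, "storage:read", "bucket/reports/q4.csv", now),
        "read_after_window": is_allowed(svc, "storage:read", "bucket/reports/q4.csv", now + timedelta(hours=2)),
        "write_denied": is_allowed(svc, "storage:write", "bucket/reports/q4.csv", now),
        "excess": [g.action for g in excess_grants(svc, observed)],
    }
```

Running `demo()` shows the read succeeding only inside its window, the unrequested write denied, and the long-lived delete grant reported as excess.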