Term · 2. Authentication & Authorization

Least Privilege Principle (LPP)

The principle of least privilege (PoLP) means giving every subject — human or machine — only the minimum permissions needed for its function, for the minimum time. It shrinks the blast radius of a compromised account and is the foundation of Zero Trust. Enforced through RBAC, just-in-time access, regular recertification and removal of standing privileges.

IDM/IGA Domain

Definition

Security principle dictating that subjects receive only the minimum privileges necessary to perform their function, for the minimum time required. Reduces attack surface: a compromised account then yields minimal damage. Foundational to NIST SP 800-53 AC-6, ISO/IEC 27001:2013 Annex A.9 (Access control), PCI DSS Requirement 7, and Zero Trust Architecture.

Application
  • MidPoint: Principle of information security, stating that each user should have the least privilege necessary to carry out their activities.
  • SailPoint: Role Mining + Certification — enforce minimal entitlement bundles per role.
Standards & regulations
  • CNSSI 4009-2015 «least privilege — A security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.»
  • NIST SP 800-53 Rev. 5 «The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.»
  • NIST SP 800-171 Rev. 3 «The principle that a security architecture is designed so that each entity is granted the minimum system authorizations and resources needed to perform its function.»
  • NIST SP 800-53 Rev. 5 (AC-6) «Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.»

Frequently asked questions

What is the principle of least privilege?

It is the rule that every account gets only the access it needs to do its job, and no more — ideally only for as long as it needs it. Less standing access means a smaller attack surface and less damage if an account is compromised.

How do you enforce least privilege in practice?

Through role-based access control, just-in-time elevation instead of standing admin rights, regular access recertification, and automated removal of unused entitlements. Identity Security Posture Management (ISPM) tools help by flagging excessive and dormant privileges.
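The four controls above (RBAC baselines, just-in-time elevation, recertification, removal of unused entitlements) can be checked mechanically. The following is an added example written for this glossary entry; it is not code from MidPoint, SailPoint or any ISPM product. It assumes a hypothetical role-to-entitlement baseline, a 90-day dormancy window, and constructed sample accounts, and it shows what an ISPM-style review reports for them: standing entitlements outside the role baseline (excessive), standing entitlements unused for longer than the window (dormant), JIT grants that outlived their expiry, and the set of entitlements actually in force at a given moment.

```python
"""Least-privilege posture check (added example, not vendor or standard code).

For each account: compare standing entitlements with the role's minimal
baseline (RBAC), flag entitlements unused beyond a recertification window
(dormant), flag just-in-time (JIT) grants that outlived their expiry, and
compute the entitlements in force right now. All roles, accounts and
timestamps are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=90)  # assumed recertification window


@dataclass
class Grant:
    entitlement: str
    granted_at: datetime
    last_used: Optional[datetime] = None    # None: never exercised
    expires_at: Optional[datetime] = None   # set only for JIT grants


@dataclass
class Account:
    name: str
    role: str
    grants: list[Grant]


# Minimal entitlement bundle per role (hypothetical RBAC baseline).
ROLE_BASELINE = {
    "payroll-clerk": {"hr.payroll.read", "hr.payroll.submit"},
    "sre": {"k8s.prod.view", "k8s.prod.exec"},
}


def effective_entitlements(acct: Account, now: datetime) -> set[str]:
    """Entitlements in force at `now`: standing grants plus unexpired JIT grants."""
    return {g.entitlement for g in acct.grants
            if g.expires_at is None or g.expires_at > now}


def review_account(acct: Account, now: datetime) -> list[tuple[str, str]]:
    """Return (finding, entitlement) pairs for every least-privilege violation."""
    baseline = ROLE_BASELINE.get(acct.role, set())
    findings = []
    for g in acct.grants:
        standing = g.expires_at is None
        # Standing access outside the role baseline is excessive; JIT grants are
        # expected to exceed the baseline, so they are judged only by expiry.
        if standing and g.entitlement not in baseline:
            findings.append(("excessive", g.entitlement))
        if not standing and g.expires_at <= now:
            findings.append(("expired-jit", g.entitlement))
        # A never-used grant counts from the day it was granted.
        last_activity = g.last_used or g.granted_at
        if standing and now - last_activity > DORMANT_AFTER:
            findings.append(("dormant", g.entitlement))
    return findings


def remediation_plan(acct: Account, now: datetime) -> list[str]:
    """Entitlements to revoke: every excessive, dormant or expired-JIT grant."""
    return sorted({e for _, e in review_account(acct, now)})


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


NOW = _utc(2024, 6, 1)

# Constructed sample accounts.
ALICE = Account("alice", "payroll-clerk", [
    Grant("hr.payroll.read", _utc(2023, 1, 1), last_used=_utc(2024, 5, 30)),
    Grant("hr.payroll.submit", _utc(2023, 1, 1), last_used=_utc(2024, 1, 15)),   # dormant
    Grant("hr.payroll.approve", _utc(2023, 6, 1), last_used=_utc(2024, 5, 28)),  # excessive
    Grant("db.prod.admin", _utc(2024, 5, 31, 23), expires_at=_utc(2024, 6, 1, 0, 30)),  # live JIT
])

BOB = Account("bob", "sre", [
    Grant("k8s.prod.view", _utc(2022, 3, 1), last_used=_utc(2024, 5, 31)),
    Grant("k8s.prod.exec", _utc(2022, 3, 1), last_used=_utc(2024, 5, 31)),
    Grant("k8s.prod.admin", _utc(2024, 5, 30, 9), last_used=_utc(2024, 5, 30, 10),
          expires_at=_utc(2024, 5, 30, 13)),  # JIT grant that was never cleaned up
])

if __name__ == "__main__":
    for acct in (ALICE, BOB):
        print(acct.name, "in force:", sorted(effective_entitlements(acct, NOW)))
        for kind, ent in review_account(acct, NOW):
            print(f"  {kind:12} {ent}")
        print("  revoke:", remediation_plan(acct, NOW))
```

Running it reports that alice's `hr.payroll.submit` is dormant and `hr.payroll.approve` is excessive while her live JIT grant is tolerated, and that bob still carries a `k8s.prod.admin` grant that expired and should have been removed. The same three checks are what a recertification campaign asks reviewers to confirm by hand; encoding the role baseline and the expiry rule lets them run continuously instead.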

Least privilege vs Zero Trust?

Least privilege is a principle; Zero Trust is an architecture that operationalizes it. You cannot do Zero Trust without least privilege: every verification decision assumes access is already minimized and is continuously re-evaluated.