IDSO-016: Privileged access rights are granted according to the principle of least privilege

Description: Privileged accounts are accounts that have special access rights (e.g. admin rights), or regular user accounts that are more sensitive because of the high impact of a breach (e.g. the CEO's account). All these privileged accounts, and the access they offer, must be protected through various means to minimize the likelihood of abuse. This protection has to happen during one (or more) of three stages:

  1. On first login to an account that is considered privileged
  2. After login, when accessing a resource (e.g. VM, server, etc.) that is considered of high value and therefore has to be protected.
  3. During a previously authenticated session, when issuing a command that is considered to have an elevated level of privilege.

Examples of such commands are an admin command to install software, launch a VM, or add/remove a user. In all these cases, the identity of the user has to be established with a strong level of assurance, and access rights have to be granted according to the principle of least privilege. Least privilege limits an individual's capabilities to only those that are specifically needed to perform the intended activity.

Benefit: Allows risk mitigation by limiting the damage from access control or privilege escalation attacks. Protects company assets from breach and unwanted disclosure, and also helps fulfil regulatory and audit compliance.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

NIST SP 800-207: Zero Trust Architecture

  • 2.1.3: Access should also be granted with the least privileges needed to complete the task.
  • 2.1.4: Least privilege principles are applied to restrict both visibility and accessibility.

Title: Enforce through Discretionary Access Control

Technology Components:
  • Privileged Access Management (PAM)
  • Identity Governance and Administration (IGA)

Description: In this approach, privileged access is granted using a discretionary access control (DAC) model, and the grant can be made by the data or resource owner without involving an administrator. Access to objects and resources is restricted based on the identity of the subject and/or the groups to which they belong. These controls are discretionary in the sense that a subject with certain rights can pass them on (directly or indirectly) to other subjects, and a resource owner can change who gets which permissions. The system therefore places a certain level of trust in the resource owner, since permission changes are at that owner's discretion.

Pre-requisites:
  • Ability of the resource owner to use proper discretion when assigning access control
  • Access to privileged objects/resources can be defined in a system such as a directory, IGA, PAM, or at the resource itself
  • Privileged accounts/entitlements must be clearly flagged in the respective systems defining access

Member Companies: BeyondTrust, Centrify, CyberArk, Omada, Remediant, SailPoint, Saviynt, SecZetta, Thales, VMware WorkspaceONE

Title: Enforce through Role-based Access Control

Technology Components:
  • Privileged Access Management (PAM)
  • Identity Governance and Administration (IGA)

Description: In this approach, privileged access is granted using a role-based access control (RBAC) model, which takes into account the role assigned to the subject before allowing or denying access. This is managed by an administrator. For example, an administrator can create groups that represent different roles. Groups are assigned permissions and users are assigned to groups. All users in a given group automatically gain all access rights assigned to that group. To remove a user's access rights, the admin simply removes the user from the group. This simplifies the administrative load of managing permissions, and is particularly useful when users are given short-term assignments that require an elevated level of permission or privilege.

Pre-requisites:
  • Roles are created to manage user access in systems such as a directory or IGA
  • Privileged accounts and entitlements are granted based on these roles
  • Role membership is managed to govern access, e.g. by IGA, through an access request by the resource owner or requester, etc.
  • The system managing roles is integrated with PAM or the privileged resources to grant/remove access accordingly

Member Companies: BeyondTrust, Centrify, CyberArk, Omada, Remediant, SailPoint, Saviynt, SecZetta, Thales, VMware WorkspaceONE
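As an added illustration of the role-based approach above (example code, not from this page or any of the listed vendors' products), a small Python model in which rights are granted only through roles, elevated roles are flagged as privileged for audit, and a short-term elevated membership expires on its own without an admin having to remember to remove it. The integer timestamps, role names and permission strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model, not the page's or any vendor's code: rights flow only
# through roles, elevated roles are flagged, membership can be time-limited.
# Times are plain integers (e.g. epoch seconds) to keep the example small.

@dataclass
class Role:
    name: str
    permissions: frozenset
    privileged: bool = False  # flagged so audits can list elevated access

@dataclass
class Assignment:
    role: str
    expires: Optional[int] = None  # None = standing membership

class RbacStore:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> [Assignment]

    def add_role(self, role):
        self.roles[role.name] = role

    def assign(self, user, role, now, ttl=None):
        if role not in self.roles:  # never grant through an undefined role
            raise KeyError(role)
        exp = now + ttl if ttl is not None else None
        self.assignments.setdefault(user, []).append(Assignment(role, exp))

    def revoke(self, user, role):
        # Removing the user from the group removes every right it conferred
        self.assignments[user] = [a for a in self.assignments.get(user, [])
                                  if a.role != role]

    def active_roles(self, user, now):
        # Expired short-term assignments confer nothing, with no manual cleanup
        return [self.roles[a.role] for a in self.assignments.get(user, [])
                if a.expires is None or a.expires > now]

    def permissions(self, user, now):
        return frozenset().union(*(r.permissions for r in self.active_roles(user, now)))

    def privileged_users(self, now):
        # Audit view: who currently holds any elevated role?
        return {u for u in self.assignments
                if any(r.privileged for r in self.active_roles(u, now))}
```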

