IDSO-015: User access rights are granted according to the principle of least privilege

Description: Grant a user only the rights and access needed to perform their duties, following a least privilege model. Beyond the standard rights granted to a user, the following should be governed and monitored for applications, devices and systems:

  • Governance and segregation of duties
  • Policy-based access and entitlements
  • Administrative access and entitlements

For access and actions beyond a user's normal duties, monitoring and traceability should be enforced across applications, devices and systems, so that every elevated action can be attributed to an identity and reviewed.

Benefit: Prevents users from holding privileges beyond their job role and responsibilities. Reduces the attack surface by limiting over-privileged access and removing invalid or obsolete accounts that could otherwise be used to gain access. Detecting and automatically remediating account access that violates policy maintains continuous compliance rather than relying on periodic audits.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

NIST SP 800-207; Zero Trust Architecture

  • 2.1.3: Access should also be granted with the least privileges needed to complete the task.
  • 2.1.4: Least privilege principles are applied to restrict both visibility and accessibility.

Title: Define Policies and Controls to Enforce Appropriate Access

Technology Components:

  • Access Management (AM)
  • Identity Management (IM)
  • Identity Governance and Administration (IGA)

Description: Implement application-based access controls using Role Based Access Control (RBAC), Policy Based Access Control (PBAC) and/or Attribute Based Access Control (ABAC), or hybrid models supported by policies and enforced by governance and compliance.

Pre-requisites:

  • Business requirements for applications and access are defined
  • Target systems have the required integration and connectivity
  • Role and entitlement catalog has been built and populated
  • Approval process is defined for each role and entitlement
  • Attributes and policies are defined, providing conditions and constraints for access

Member Companies: ForgeRock, Okta, Omada, Ping Identity, Remediant, SailPoint, Saviynt, SecZetta, Thales
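The hybrid model described above, as an added Python example (not taken from this page or from any member company's product): a role catalog supplies each role's minimal entitlement set, attribute-based conditions are evaluated deny-by-default on every request, a separation-of-duties rule set names entitlement pairs no single identity may hold, and an entitlement review flags access the role model does not justify. All roles, entitlements, users, limits and policies here are constructed sample data.

```python
"""Hybrid RBAC/ABAC least-privilege evaluator with separation of duties
and an entitlement review. Every role, entitlement, user and policy below
is constructed sample data for illustration only."""
from dataclasses import dataclass, field
from typing import Callable

# Role catalog: each role grants a minimal, named set of entitlements.
ROLE_CATALOG: dict[str, frozenset[str]] = {
    "ap_clerk": frozenset({"invoice:create", "invoice:read"}),
    "ap_approver": frozenset({"invoice:read", "payment:approve"}),
    "db_admin": frozenset({"db:read", "db:schema_change"}),
}

# Separation of duties: entitlement pairs one identity must never hold together.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("invoice:create", "payment:approve"),
]


@dataclass
class User:
    name: str
    roles: set[str]
    # Entitlements granted directly, outside any role (what the review hunts for).
    direct_entitlements: set[str] = field(default_factory=set)
    attributes: dict[str, object] = field(default_factory=dict)


@dataclass
class Request:
    entitlement: str
    resource_attributes: dict[str, object]
    context: dict[str, object]


# ABAC conditions layered on an entitlement; all listed conditions must pass.
Condition = Callable[[User, Request], bool]
POLICIES: dict[str, list[Condition]] = {
    "db:schema_change": [
        lambda u, r: r.context.get("mfa") is True,            # step-up auth for admin actions
        lambda u, r: r.context.get("change_ticket") is not None,  # traceability to a change record
    ],
    "payment:approve": [
        lambda u, r: r.resource_attributes.get("amount", 0)
        <= u.attributes.get("approval_limit", 0),             # constrained by user attribute
    ],
}


def effective_entitlements(user: User) -> frozenset[str]:
    """Entitlements held via roles plus any granted directly."""
    granted: set[str] = set(user.direct_entitlements)
    for role in user.roles:
        granted |= ROLE_CATALOG.get(role, frozenset())
    return frozenset(granted)


def is_permitted(user: User, req: Request) -> bool:
    """Deny by default: the entitlement must be held AND every policy condition must pass."""
    if req.entitlement not in effective_entitlements(user):
        return False
    return all(cond(user, req) for cond in POLICIES.get(req.entitlement, []))


def review_entitlements(user: User) -> dict[str, list]:
    """Governance check: roles no longer in the catalog, direct grants the role
    model does not justify, and separation-of-duties conflicts."""
    role_granted: set[str] = set()
    for role in user.roles:
        role_granted |= ROLE_CATALOG.get(role, frozenset())
    held = effective_entitlements(user)
    return {
        "unknown_roles": sorted(r for r in user.roles if r not in ROLE_CATALOG),
        "outside_role_model": sorted(user.direct_entitlements - role_granted),
        "sod_conflicts": sorted((a, b) for a, b in SOD_CONFLICTS if a in held and b in held),
    }


if __name__ == "__main__":
    # Constructed example: a clerk who was also handed approval rights directly.
    alice = User("alice", roles={"ap_clerk"}, direct_entitlements={"payment:approve"},
                 attributes={"approval_limit": 5000})
    print(review_entitlements(alice))
    bob = User("bob", roles={"ap_approver"}, attributes={"approval_limit": 5000})
    print(is_permitted(bob, Request("payment:approve", {"amount": 4000}, {})))
    print(is_permitted(bob, Request("payment:approve", {"amount": 9000}, {})))
```

The review is what an IGA certification campaign automates: a direct grant outside the role model or a toxic combination is surfaced as a finding to be revoked or explicitly approved, and a role that has disappeared from the catalog marks an obsolete assignment. Swap the in-memory dictionaries for the catalog and policy store of whichever AM/IGA product is in use; the deny-by-default shape of `is_permitted` is the part to preserve.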

