Overview[1]#

The original formulation is from Jerome Saltzer:
Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.
— Jerome Saltzer, Communications of the ACM

In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment so that every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Principle of least privilege is closely related to other efforts such as:

• Law of Minimal Disclosure For A Constrained Use
• Need to know
• Privacy by Design
• ISO/IEC 29100

Principle of least privilege should be considered as a Law when designing any system.

More Information#

There might be more information for this subject on one of the following:

• Incremental authorization
• Need to know
• Negative Permission
• OAuth 2.0 Incremental Authorization
• Secure by design
• Trust Tier
• Web Blog_blogentry_280717_1
• Web Blog_blogentry_290915_1
• Zero Trust

---

• [#1] - Principle of least privilege - based on data observed:2015-09-29