
Least privilege

The principle of least privilege states that users, services and systems are granted only the exact access rights they genuinely need to perform their specific tasks - and nothing more.

The principle of least privilege (minimal rights assignment) is a core tenet of information security. It requires that every actor in a system - whether a human user, a technical service, an application or a process - is granted only the permissions strictly necessary to carry out the task at hand. Rights that exceed the concrete need are not granted in the first place, or are revoked promptly. This reduces the attack surface: if an account or service is compromised, the potential damage is confined to the narrowly scoped permissions of that actor.

The principle is closely interlinked with the need-to-know rule and role-based access control (RBAC): permissions are assigned by task and role rather than individually and permanently, and are reviewed regularly. Privileged accounts (administrators, service accounts) deserve particular attention; they should be protected through privileged access management, granted on a temporary just-in-time basis and fully logged. Consistent implementation also involves segregation of duties, periodic recertification of entitlements and the orderly removal of rights when people change roles or leave (joiner-mover-leaver processes).

Least privilege is firmly embedded in law and standards. The BSI IT-Grundschutz addresses minimal rights assignment in particular in its module on identity and access management (ORP.4), and ISO/IEC 27001 requires needs-based control of access rights in Annex A. Within the scope of the NIS2 Directive and its national transposition, appropriate access control is one of the required technical and organisational risk-management measures. From a data-protection perspective the principle also supports the appropriate technical and organisational measures for security of processing demanded by Article 32 GDPR.

Legal Basis

BSI IT-Grundschutz ORP.4 (Identity and access management); ISO/IEC 27001 Annex A (Access Control); Art. 21 NIS2 Directive (EU) 2022/2555; Art. 32 GDPR

Practical Example

An accounting employee moves to the procurement department. During a semi-annual recertification, the information security officer notices that her account still holds write access to the accounting system in addition to new approvals in the procurement tool - an inadmissible accumulation of rights. Following the principle of least privilege, IT revokes the no-longer-needed accounting rights and restricts the account to the new role. The temporary administrator access required for a system migration is granted to a colleague only for a limited time and fully logged via privileged access management.
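The recertification, revocation and just-in-time steps from the example above, written out as an added Python illustration (not preeco's software or code from this page); the role model, account names and review time are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role model (constructed sample data): each role justifies a set of
# (system, permission) entitlements. Role and system names are assumptions.
ROLE_ENTITLEMENTS = {
    "accounting": {("accounting", "read"), ("accounting", "write")},
    "procurement": {("procurement", "read"), ("procurement", "approve")},
}

@dataclass
class Account:
    name: str
    roles: set
    entitlements: set                               # rights actually present
    jit_grants: dict = field(default_factory=dict)  # entitlement -> expiry

def excess_entitlements(account, now, role_entitlements=ROLE_ENTITLEMENTS):
    """Return entitlements that no current role and no still-valid
    just-in-time grant justifies: the recertification finding."""
    justified = set().union(*(role_entitlements.get(r, set()) for r in account.roles))
    excess = set()
    for ent in account.entitlements:
        expiry = account.jit_grants.get(ent)
        if ent not in justified and not (expiry and expiry > now):
            excess.add(ent)
    return excess

def revoke_excess(account, now, audit_log):
    """Revoke every unjustified entitlement and record each revocation."""
    for system, perm in sorted(excess_entitlements(account, now)):
        account.entitlements.discard((system, perm))
        account.jit_grants.pop((system, perm), None)
        audit_log.append(f"{now.isoformat()} revoked {perm} on {system} from {account.name}")
    return account

def grant_jit(account, entitlement, hours, now):
    """Time-limited privileged grant that lapses by itself at expiry."""
    account.entitlements.add(entitlement)
    account.jit_grants[entitlement] = now + timedelta(hours=hours)
    return account

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 9, 0)
    # Mover: role changed to procurement, accounting write access never removed.
    mover = Account("a.mueller", {"procurement"},
                    {("accounting", "write"), ("procurement", "approve")})
    log = []
    revoke_excess(mover, now, log)
    print(log)  # one revocation entry for write on accounting
```

The expired just-in-time grant is caught by the same check: once the expiry has passed, the admin right is no longer justified and the next review revokes it.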

FAQ

What is the difference between need-to-know and least privilege?

Need-to-know concerns access to information: you only learn the data you require for your task. Least privilege is broader and covers all permissions, including write, execute and administrative rights on systems and applications. In practice the two principles complement each other.

How is least privilege implemented in practice?

Permissions are assigned by task through role-based access control and recertified regularly. Privileged accounts are protected via privileged access management and, where possible, enabled only temporarily (just-in-time). When people change roles or leave, rights they no longer need are revoked promptly.

Is least privilege required by law?

No statute uses that exact wording, but the principle is state of the art and effectively required. ISO/IEC 27001 and the BSI IT-Grundschutz demand needs-based access control, NIS2 requires appropriate risk-management measures, and Art. 32 GDPR calls for suitable technical measures.
