IT Glossary

Principle of Least Privilege

The principle of least privilege grants only the minimum access needed. Learn how least privilege works, why it matters, and how Corma enforces it.

July 3, 2026

What is the Principle of Least Privilege?

The principle of least privilege (PoLP) is a security concept stating that every user, account, or process should have only the minimum access rights needed to perform its function, and no more. By limiting permissions to what is strictly necessary, PoLP reduces the attack surface and the potential damage from a compromised account, an insider mistake, or misuse.

How least privilege works

  • Grant access based on what a role genuinely requires, not on convenience.
  • Avoid broad or default-admin permissions wherever possible.
  • Use just-in-time elevation for occasional high-privilege tasks.
  • Review access regularly to remove rights that are no longer needed.
  • Revoke access promptly when people change roles or leave.

Least privilege in practice

  • Users: a marketer gets editor rights in the CMS, not server access.
  • Service accounts: an integration account can read one API, not the whole database.
  • Temporary needs: an engineer gets time-boxed production access, then it expires.

Examples and use cases

After a phishing incident, a company audits access and finds dozens of employees with admin rights they never used. Applying least privilege, those rights are stripped back to role requirements, and elevation becomes request-based. The same breach now touches far less. Least privilege is also a recurring control in ISO 27001 and NIS2, which is why access reviews and PoLP usually move together.

Related concepts

FAQ

Why is least privilege important?

It limits how much damage a compromised account or insider can do, because each identity can only reach what it strictly needs.

How is least privilege enforced in practice?

Through role-based permissions, just-in-time elevation, and regular access reviews that strip away rights that are no longer required.

Is least privilege required for compliance?

It is a core control in frameworks such as ISO 27001, SOC 2, and NIS2, which expect access to be limited and reviewed.

Request a demo