A security administrator is reviewing access rights for a new accounts payable clerk. The clerk needs to enter invoices and run monthly payment reports but must not create new vendors or approve payments. Which access-control principle should the administrator apply when configuring the clerk's account to ensure that only the minimal permissions required for these tasks are granted, thereby reducing potential misuse or compromise?
The principle of least privilege states that each user, process, or system should be granted only the specific permissions necessary to perform its assigned duties-nothing more. By applying this principle, the clerk can post invoices and generate reports without having unnecessary rights (such as creating vendors or approving payments) that could be abused.
Separation of duties divides critical tasks among multiple people to reduce fraud. Need-to-know restricts data access to those who require specific information but does not necessarily limit functional permissions. Mandatory access control enforces centrally defined security labels and classifications rather than tailoring privileges to individual job roles.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the principle of least privilege?
Open an interactive chat with Bash
How does least privilege differ from separation of duties?
Open an interactive chat with Bash
When is the need-to-know principle used instead of least privilege?