Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R186. Use the principle of least privilege

This document contains the details of the security requirements related to the definition and management of systems in the organization. This requirement establishes the importance of applying the principle of least privilege when accessing systems and assigning permissions.


The principle of least privilege must be applied when creating new objects and roles, setting access permissions and accessing other systems.


Systems should usually have a set of roles with different levels of privilege for accessing resources. Users and applications should always have a role with the minimum level of privilege required to execute their functions. A violation of this may become a new vulnerability or leverage for causing a greater impact when exploiting other vulnerabilities.


  1. CWE-250: Execution with Unnecessary Privileges The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

  2. CWE-269: Improper Privilege Management The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  3. CWE-272: Least Privilege Violation The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

  4. NIST 800-53 AC-6 The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

  5. OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.1) Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers.

  6. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.3) Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.

Service status - Terms of Use