Principle of least privilege (minimum required rights)
1) Purpose and definition
Purpose: to grant a user/service access only to the resources strictly necessary to perform a specific task, for the minimum sufficient period and in the minimum volume.
Definition: "minimum in breadth (resources), depth (operations), time (TTL), context (geo/device/shift), sensitivity (PII/finance)."
2) Basic principles of implementation
1. Need-to-Know: each right is associated with a specific purpose (basis).
2. Time-Bound: elevated rights are granted with a TTL (JIT); permanent rights are masked-read only.
3. Scope-Bound: access is limited by lease/region/brand/project (tenant/region scoping).
4. Data-Minimization: PII is masked by default; unmasking only on explicit grounds.
5. Traceability: every access is logged together with its `purpose`/`ticket_id`.
6. Revocability: fast revocation (offboarding ≤ 15 minutes; JIT rights are revoked automatically on expiry).
3) Relationship to other controls
RBAC: defines who is allowed in principle (base role).
ABAC: specifies under what conditions (geo, device/MDM, time, KYC level, risk).
SoD: prohibits dangerous role combinations, requires 4-eyes for sensitive actions.
Segmentation: network/logical perimeters (payment, KYC, DWH, secrets).
PAM/JIT/break-glass: controlled issuance of temporary privileges and recording of their use.
4) Resource and operations classification
Operations: `READ`, `MASKED_READ` (default for PII), `WRITE` (scoped), `APPROVE_*` (4-eyes), `EXPORT` (only through approved data marts, signed and journaled).
5) Deriving access rights from tasks
1. User story → purpose: "The analyst needs to build an EU conversion report without PII."
2. List of resources: data mart `agg_conversions_eu`.
3. Operations: `READ` (without PII); `EXPORT_RAW` prohibited.
4. ABAC context: business hours, corporate VPN/MDM, region = EU.
5. TTL: permanent masked-read; JIT for one-time unmasking (if required).
6. Logs: `READ`/`EXPORT` with `purpose` and `fields_scope`.
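The six steps above, carried through as one enforceable policy. This is an added illustration, not the document's own code: the role name, attribute names, the 08:00-21:00 business-hours window and the field list are assumptions; the resource `agg_conversions_eu`, the `READ`/`EXPORT_RAW` split and the `purpose`/`fields_scope` log fields come from the steps.

```python
"""Least-privilege policy for the analyst user story (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional
import json

# Policy derived from steps 1-6. Names and the hours window are assumptions.
POLICY = {
    "role": "analyst_eu_conversions",
    "purpose": "EU conversion report without PII",
    "resources": {"agg_conversions_eu"},
    "allowed_ops": {"READ"},        # READ here is masked-read: PII never returned
    "denied_ops": {"EXPORT_RAW"},
    "context": {
        "region": "EU",
        "requires_corp_vpn": True,
        "requires_mdm": True,
        "business_hours": (time(8, 0), time(21, 0)),
    },
    "fields_scope": ["country", "date", "sessions", "conversions"],
}


@dataclass
class Request:
    subject: str
    resource: str
    op: str
    purpose: str
    region: str
    on_corp_vpn: bool
    mdm_compliant: bool
    at: datetime
    ticket_id: Optional[str] = None


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    fields_scope: List[str] = field(default_factory=list)


def evaluate(req: Request, policy=POLICY) -> Decision:
    """ABAC check. Every condition is evaluated and every failure recorded,
    so the audit trail explains a denial instead of just saying 'denied'."""
    d = Decision(allow=True)
    if not req.purpose.strip():
        d.reasons.append("missing purpose")
    if req.resource not in policy["resources"]:
        d.reasons.append(f"resource {req.resource!r} not in scope")
    if req.op in policy["denied_ops"] or req.op not in policy["allowed_ops"]:
        d.reasons.append(f"operation {req.op!r} not permitted")
    ctx = policy["context"]
    if req.region != ctx["region"]:
        d.reasons.append("region outside scope")
    if ctx["requires_corp_vpn"] and not req.on_corp_vpn:
        d.reasons.append("not on corporate VPN")
    if ctx["requires_mdm"] and not req.mdm_compliant:
        d.reasons.append("device not MDM-compliant")
    start, end = ctx["business_hours"]
    if not (start <= req.at.time() <= end):
        d.reasons.append("outside business hours")
    d.allow = not d.reasons
    if d.allow:
        d.fields_scope = list(policy["fields_scope"])
    return d


def audit_record(req: Request, d: Decision) -> str:
    """One JSON log line per attempt, carrying purpose and fields_scope (step 6).
    Denials are logged as well, since they feed the SIEM alerts later on."""
    return json.dumps({
        "event": req.op,
        "subject": req.subject,
        "resource": req.resource,
        "purpose": req.purpose,
        "ticket_id": req.ticket_id,
        "decision": "ALLOW" if d.allow else "DENY",
        "reasons": d.reasons,
        "fields_scope": d.fields_scope,
        "ts": req.at.isoformat(),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests: masked read in scope, a raw export, a read without purpose.
    base = dict(subject="analyst@example.test", resource="agg_conversions_eu",
                purpose="EU conversion report", region="EU",
                on_corp_vpn=True, mdm_compliant=True,
                at=datetime(2024, 5, 6, 10, 30))
    for req in (Request(op="READ", **base),
                Request(op="EXPORT_RAW", **base),
                Request(**{**base, "op": "READ", "purpose": ""})):
        print(audit_record(req, evaluate(req)))
```

Every failed condition is collected rather than returning on the first one; that is what makes the "access without purpose" and "out-of-hours/geo" alerts in the monitoring section possible without a second evaluation.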
6) Masking and selective unmasking
E-mail/phone/IBAN/PAN are masked by default;
Unmasked access (`pii_unmask`) only via JIT + `purpose` + confirmation by the domain owner/Compliance;
In reports: aggregates/k-anonymity, prohibition of small samples (privacy thresholds).
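Default masking and a privacy threshold for report aggregates, as an added example (not the document's own code). The masking formats (first character of the e-mail local part, last two digits of a phone, country code plus last four of an IBAN, first six and last four of a PAN), the field-kind registry and the sample records are all constructed assumptions; the `pii_unmask` exception and the small-sample suppression follow the three rules above.

```python
"""Default PII masking with a JIT-unmask exception, and k-threshold aggregation."""
import re
from typing import Dict, Iterable, Set

def mask_email(v: str) -> str:
    local, _, domain = v.partition("@")
    if not domain:
        return "***"
    return local[0] + "***@" + domain          # first char + domain, enough for support

def mask_phone(v: str) -> str:
    digits = re.sub(r"\D", "", v)
    return "*" * (len(digits) - 2) + digits[-2:] if len(digits) >= 2 else "***"

def mask_iban(v: str) -> str:
    v = v.replace(" ", "")
    return v[:2] + "*" * (len(v) - 6) + v[-4:]   # country code + last 4

def mask_pan(v: str) -> str:
    digits = re.sub(r"\D", "", v)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]   # BIN + last 4

# Registry of PII kinds -> masker. Assumed naming.
MASKERS = {"email": mask_email, "phone": mask_phone, "iban": mask_iban, "pan": mask_pan}

def masked_read(record: dict, pii_fields: Dict[str, str], unmask: Set[str] = frozenset()) -> dict:
    """MASKED_READ is the default. `unmask` holds the fields an active JIT
    pii_unmask grant explicitly cleared; every other PII field is masked."""
    out = dict(record)
    for name, kind in pii_fields.items():
        if name in out and name not in unmask:
            out[name] = MASKERS[kind](out[name])
    return out

def aggregate_with_threshold(rows: Iterable[dict], group_key: str, k: int = 5) -> dict:
    """Count per group; groups with fewer than k members are suppressed rather
    than reported, so a report cannot single out individuals."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r[group_key]] = counts.get(r[group_key], 0) + 1
    return {g: (c if c >= k else "suppressed(<k)") for g, c in counts.items()}

if __name__ == "__main__":
    # Constructed sample customer record.
    rec = {"id": 7, "email": "john.doe@example.test", "phone": "+49 151 2345678",
           "iban": "DE89 3704 0044 0532 0130 00", "pan": "4111 1111 1111 1111", "country": "DE"}
    kinds = {"email": "email", "phone": "phone", "iban": "iban", "pan": "pan"}
    print(masked_read(rec, kinds))
    print(masked_read(rec, kinds, unmask={"email"}))   # after a JIT pii_unmask grant on e-mail only
```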
7) Temporary privileges: JIT and break-glass
JIT: 15-120 minutes, ticket, automatic revocation on expiry, full audit.
Break-glass: emergency access (MFA + second confirmation, session recording, post-review by Security + DPO).
PAM: secrets vault, session proxy, rotation of privileged credentials.
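A grant service implementing the JIT and break-glass rules above, as an added example (not the document's own code). The 15-120 minute TTL bounds, the ticket requirement, MFA plus an independent second approver and the audit event names (`JIT_GRANT`, `BREAK_GLASS`, `ROLE_REVOKE`) come from the document; the class layout, the use of the 15-minute minimum as the break-glass window and the assumption that every break-glass session is recorded are illustration choices.

```python
"""JIT elevation with bounded TTL, ticket-bound purpose, auto-expiry and break-glass."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

JIT_MIN, JIT_MAX = timedelta(minutes=15), timedelta(minutes=120)


@dataclass
class Grant:
    subject: str
    scope: str                  # e.g. "pii_unmask:kyc_profile" (assumed naming)
    purpose: str
    ticket_id: str
    issued_at: datetime
    expires_at: datetime
    kind: str                   # "JIT" or "BREAK_GLASS"
    revoked_at: Optional[datetime] = None
    session_recorded: bool = False


class GrantService:
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def grant_jit(self, subject, scope, purpose, ticket_id, ttl: timedelta, now: datetime) -> Grant:
        """Reject the request before anything is issued if purpose, ticket or TTL is off."""
        if not purpose or not ticket_id:
            raise ValueError("JIT requires purpose and ticket")
        if not (JIT_MIN <= ttl <= JIT_MAX):
            raise ValueError("JIT TTL must be 15-120 minutes")
        g = Grant(subject, scope, purpose, ticket_id, now, now + ttl, "JIT")
        self.grants.append(g)
        self._log("JIT_GRANT", subject=subject, scope=scope, ticket_id=ticket_id,
                  expires_at=g.expires_at.isoformat())
        return g

    def break_glass(self, subject, scope, purpose, mfa_verified: bool,
                    second_approver: str, now: datetime) -> Grant:
        """Emergency path: MFA and an approver other than the requester are mandatory,
        the session is recorded, and the log marks it for Security + DPO post-review."""
        if not mfa_verified or not second_approver or second_approver == subject:
            raise PermissionError("break-glass needs MFA and an independent second approver")
        g = Grant(subject, scope, purpose, "BREAK-GLASS", now, now + JIT_MIN,
                  "BREAK_GLASS", session_recorded=True)   # 15-min window is an assumption
        self.grants.append(g)
        self._log("BREAK_GLASS", subject=subject, scope=scope, approver=second_approver,
                  post_review="Security+DPO")
        return g

    def is_active(self, g: Grant, now: datetime) -> bool:
        return g.revoked_at is None and g.issued_at <= now < g.expires_at

    def revoke(self, g: Grant, now: datetime, reason: str) -> None:
        g.revoked_at = now
        self._log("ROLE_REVOKE", subject=g.subject, scope=g.scope, reason=reason)

    def expire(self, now: datetime) -> int:
        """Run by a scheduler: auto-revokes every grant past its TTL, returns the count."""
        n = 0
        for g in self.grants:
            if g.revoked_at is None and now >= g.expires_at:
                self.revoke(g, now, "ttl_expired")
                n += 1
        return n


if __name__ == "__main__":
    svc, t0 = GrantService(), datetime(2024, 5, 6, 10, 0)
    g = svc.grant_jit("vip.manager", "pii_unmask:kyc_profile", "VIP KYC check", "TCK-1",
                      timedelta(minutes=30), t0)
    print(svc.is_active(g, t0 + timedelta(minutes=10)), svc.expire(t0 + timedelta(minutes=31)))
    for entry in svc.audit:
        print(entry)
```

Note that `is_active` is evaluated against the caller's clock on every use, so a grant stops working at its TTL even if the scheduler that runs `expire` is late; the scheduler only makes the revocation explicit in the log.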
8) Processes (SOP)
8.1 Access grant (IDM/ITSM)
1. Request with `purpose`, resources, TTL/persistence.
2. Automatic verification of SoD/jurisdiction/data class/context.
3. Domain owner approval; for Restricted+, Security/Compliance approval as well.
4. Issuing the minimum scope (often masked-read).
5. Entry in the rights register: review date, revocation SLA.
8.2 Re-certification (quarterly)
The domain owner confirms each role/group; unused rights (> 30/60 days) are revoked automatically.
8.3 Data export
Only through approved data marts; format whitelists; signature/hash; download log; PII de-identified by default.
9) Vendor/sub-processor control
Minimal API scopes, individual keys per integration, allow-list IP, time windows.
DPA/SLA: roles, access logs, retention, geography, incidents, sub-processors.
Offboarding: key recall, confirmation of deletion, closing act.
10) Audit and monitoring
Logs: `ROLE_ASSIGN/REVOKE`, `JIT_GRANT`, `READ_PII`, `EXPORT_DATA`, `PAYMENT_APPROVE`, `BREAK_GLASS`.
SIEM/SOAR: alerts on access without `purpose`, abnormal volumes, out-of-hours/geo anomalies, SoD violations.
WORM: immutable copy of the logs + hash chain/signature.
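Two of the controls above, worked through as an added example (not the document's own code): a hash-chained audit log whose WORM copy can be checked for tampering, and SIEM-style detections run over constructed sample events for "access without `purpose`", "abnormal volume" and "SoD violation". The event names `READ_PII`, `EXPORT_DATA` and `PAYMENT_APPROVE` come from the log list; `PAYMENT_CREATE`, the per-actor volume threshold and the sample actors are assumptions.

```python
"""Hash-chained audit log plus three SIEM-style detections over sample events."""
import hashlib
import json
from collections import Counter, defaultdict
from typing import List, Tuple

GENESIS = "0" * 64


def chain(events: List[dict]) -> Tuple[List[dict], str]:
    """Append prev_hash/hash to each event; returns (records, head hash).
    The head is what gets signed and shipped to WORM storage."""
    prev, out = GENESIS, []
    for e in events:
        body = json.dumps(e, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        out.append({**e, "prev_hash": prev, "hash": h})
        prev = h
    return out, prev


def verify_chain(records: List[dict]) -> bool:
    """Recompute every link; any edited, dropped or reordered record breaks it."""
    prev = GENESIS
    for r in records:
        body = json.dumps({k: v for k, v in r.items() if k not in ("prev_hash", "hash")},
                          sort_keys=True)
        if r["prev_hash"] != prev or r["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = r["hash"]
    return True


PII_VOLUME_THRESHOLD = 3   # READ_PII per actor in the analysed window; assumed value


def detect(events: List[dict]) -> List[tuple]:
    """Returns (alert_type, actor, detail) tuples."""
    alerts = []
    pii_counts: Counter = Counter()
    payment_creators = defaultdict(set)
    for e in events:
        if e["event"] in ("READ_PII", "EXPORT_DATA") and not e.get("purpose"):
            alerts.append(("MISSING_PURPOSE", e["actor"], e["event"]))
        if e["event"] == "READ_PII":
            pii_counts[e["actor"]] += 1
        if e["event"] == "PAYMENT_CREATE":
            payment_creators[e["payment_id"]].add(e["actor"])
        # SoD: the creator of a payment must not be its approver (4-eyes)
        if e["event"] == "PAYMENT_APPROVE" and e["actor"] in payment_creators[e["payment_id"]]:
            alerts.append(("SOD_VIOLATION", e["actor"], e["payment_id"]))
    for actor, n in pii_counts.items():
        if n > PII_VOLUME_THRESHOLD:
            alerts.append(("ABNORMAL_PII_VOLUME", actor, n))
    return alerts


# Constructed sample events (not real log data).
SAMPLE = (
    [{"event": "READ_PII", "actor": "alice", "purpose": "KYC review", "record": f"c-{i}"} for i in range(4)]
    + [{"event": "READ_PII", "actor": "bob", "purpose": "", "record": "c-9"},
       {"event": "PAYMENT_CREATE", "actor": "erin", "payment_id": "p-2"},
       {"event": "PAYMENT_APPROVE", "actor": "dave", "payment_id": "p-2"},
       {"event": "PAYMENT_CREATE", "actor": "carol", "payment_id": "p-1"},
       {"event": "PAYMENT_APPROVE", "actor": "carol", "payment_id": "p-1"}]
)

if __name__ == "__main__":
    records, head = chain(SAMPLE)
    print("chain valid:", verify_chain(records), "head:", head[:16])
    for a in detect(SAMPLE):
        print(a)
```

The volume rule is deliberately a plain count over the window passed in; in a real deployment the window and threshold would be tuned per role, which is exactly the kind of attribute the roadmap's "device risk" extension covers.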
11) Maturity Metrics (KPI/KRI)
Coverage: % of critical systems under RBAC/ABAC ≥ 95%.
Masked Reads Ratio: ≥ 95% of calls to PII are masked.
JIT Rate: ≥ 80% of elevations are JIT.
Offboarding TTR: revocation of rights ≤ 15 min.
Exports Signed: 100% of exports are signed and logged.
SoD Violations: 0; attempts are auto-blocked and ticketed.
Dormant Access Cleanup: ≥ 98% of dormant rights are removed within 24 hours.
12) Typical scenarios
A) One-time KYC view for a VIP client
Baseline: masked-read for the VIP manager.
Action: JIT `pii_unmask` access for 30 minutes against a ticket, field-level recording/screen log, post-review.
B) Engineer needs access to the prod DB
Only via PAM + JIT ≤ 60 min, recorded session, `SELECT` on PII columns prohibited, post-review and CAPA for violations.
C) BI report by country
Access to aggregates without PII; ABAC filter: `region in [EEA]`, corporate VPN/MDM, time 08:00-21:00.
13) Anti-patterns and how to avoid them
"Super roles"/inheritance without boundaries → split into domain roles, add ABAC.
Permanent privileges "just in case" → JIT + auto-expiry.
Copying prod data to dev/stage → pseudonymization/synthetic data.
Exporting PII outside data marts → whitelisting, signature, journal, masking.
Absence of 'purpose' → hard block and auto-ticket.
14) RACI (enlarged)
15) Checklists
15.1 Before granting access
- `purpose` and TTL specified
- SoD/jurisdictions verified
- Default masking, minimum scope
- ABAC conditions: network/device/time/region
- Logging and review date configured
15.2 Quarterly
- Review of roles/groups, automatic revocation of dormant rights
- Check for abnormal exports and break-glass use
- Privacy/Security training confirmed
16) Implementation Roadmap
Weeks 1-2: data/system inventory, classification, basic role matrix, enabling default masking.
Weeks 3-4: ABAC (environment/geo/MDM/time), JIT and PAM, export whitelists, `purpose` logs.
Month 2: offboarding automation, SOAR alerts (missing `purpose`/anomalies), quarterly re-certification.
Month 3+: extension of attributes (KYC level/device risk), privacy thresholds, regular tabletop exercises.
TL;DR
Least Privilege = minimal scope + PII masking + ABAC context + JIT/PAM + strict audit and fast revocation. It makes access manageable, reduces the risk of leaks/fraud, and speeds up audits.