What does least privilege mean and how is it typically implemented in software systems?

Least privilege means giving each user or process only the permissions it needs to perform its tasks, and nothing more. In software systems this is usually done with access control mechanisms like RBAC or ABAC. With RBAC, you define roles that bundle the permissions required for specific duties and assign users to those roles, so someone can do what their role allows but nothing beyond it. ABAC goes further by using attributes—such as user, resource, action, and context—to determine access dynamically, enabling fine-grained control especially in complex environments. Enforcement happens at the authorization point, and any action not covered by the granted permissions is denied, which helps limit damage if credentials are compromised or a component is misused. Practically, you’d keep service accounts and user permissions minimal, apply just-in-time elevation for privileged tasks, regularly review and revoke unnecessary rights, and audit access to maintain accountability. The other options contradict this principle by giving everyone full access, disabling authentication, or granting admin rights by default, which would significantly increase risk.