Implement Least Privilege

Systematically reduce permissions to the minimum needed, improving security posture.


Least Privilege Implementation

Step 1: Document Current State

# Get all users and their permissions GET /admin/api/users/list # For each user: GET /authz/api/v1/users/permissions?userId=XXX

Step 2: Interview Teams

Questions:

  • What do you actually do day-to-day?

  • What access do you use regularly?

  • What could you lose without impact?

  • What access have you never used?


Step 3: Create Minimal Roles

# Instead of "admin" role, create specific roles: POST /authz/api/v1/roles { "name": "pipeline-operator", "permissions": ["pipeline.view", "pipeline.execute"] // Not edit, not delete }

Step 4: Migrate Users

# Remove broad roles PUT /admin/api/remove-assigned-client-roles { "userId": "user-123", "roles": ["admin"] } # Add specific roles PUT /admin/api/assign-client-roles { "userId": "user-123", "roles": ["pipeline-operator", "dashboard-viewer"] }

Step 5: Monitor & Adjust

After 1 week, check if users need any access restored.


APIs Used

  1. GET /authz/api/v1/users/permissions - Current permissions

  2. POST /authz/api/v1/roles - Create minimal roles

  3. PUT /admin/api/remove-assigned-client-roles - Remove excess

  4. PUT /admin/api/assign-client-roles - Add minimal access

  5. GET /authz/api/v1/users/:userId/roles - Verify changes