← Back to principles

Data

Minimum access, minimum data

Statement

Users and systems should have only the access they need and receive only the data they use

What this means in practice

Access to data is granted on a least-privilege basis. Users and systems receive the minimum permissions required to perform their function and are exposed only to the data they actually need. Broad, default-open access is replaced with deliberate, scoped grants that are reviewed and revoked as roles and requirements change. This applies equally to human users, service accounts, API consumers, and automated processes.

Data returned by queries, APIs, and interfaces is filtered to what the consumer requires. Over-fetching entire records or exposing fields beyond the scope of the request is avoided by design.

Why this matters

Excessive access increases the blast radius of security incidents, raises compliance risk, and makes it harder to audit who can see or change what. Limiting access reduces the attack surface, simplifies compliance with regulations such as GDPR, and ensures that data exposure is proportionate to the task at hand. It also builds trust with clients and end users by demonstrating that their data is handled with discipline.

Practices that meet this principle

  • Apply role-based or attribute-based access control with permissions scoped to specific functions

  • Default to deny; grant access explicitly rather than revoking it retroactively

  • Return only the fields and records a consumer requires through API design and query scoping

  • Review and recertify access grants on a regular schedule

  • Log and monitor access patterns to detect anomalies or over-permissioned accounts

  • Include access control design as a mandatory element of architecture and security reviews

Validation

A project meets this principle when:

  • Access control is implemented with least-privilege permissions for all users and systems

  • APIs and data interfaces return only the data required by the consumer

  • OR:

  • No user or system account has broader access than its function requires