The university employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with university missions and business functions.


  • The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented. The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.


  • 1

    Accounts shall be created with least privilege for routine tasks.

  • 2

    Privileges shall be escalated only as needed, and consider separation of duties (see Security Control AC-5).