Which concept is about restricting access to the minimum level required for each user?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which concept is about restricting access to the minimum level required for each user?

Explanation:
The correct answer is least privilege. The principle is that each user, and equally each service account, process or API key, gets only the permissions needed to do its job and nothing more, with anything not explicitly granted denied by default. This limits the damage from mistakes, misconfigurations, or compromised accounts: an attacker who takes over an account inherits only that account's narrow permissions rather than broad access to sensitive data or critical systems. In practice, organizations define roles with specific, limited permissions (RBAC) or policies keyed to user and resource attributes (ABAC), apply need-to-know access, and run regular access reviews to remove permissions that have accumulated over time. Standing administrative rights are replaced with just-in-time access, so privileges are elevated only when actually needed, with a recorded reason, and for a limited time, after which they expire automatically. For example, a receptionist would not have admin rights, and a developer would not automatically get access to payroll data. The other options do not describe limiting privileges within a system: mandatory vacation is a detective control that forces someone else to cover a role so that fraud or concealed errors surface; job rotation periodically moves people between duties, which reduces dependence on any one person and likewise exposes irregularities; and an Interconnection Security Agreement (ISA) documents the security requirements for connecting two organizations' systems.
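The following is an added example, not part of the exam provider's material, showing the mechanics the explanation describes in working code: a deny-by-default authorization check where standing permissions come only from roles, and extra access is granted just-in-time with a mandatory reason and an expiry. The roles, users ("rita", "dev1", "pat"), resources and ticket reference are constructed for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role -> standing permissions as (action, resource) pairs. "*" is a wildcard.
# Every permission is listed explicitly; anything absent is denied.
# Roles, users and resources here are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "receptionist": {("read", "visitor-log"), ("write", "visitor-log")},
    "developer": {("read", "source-repo"), ("write", "source-repo"), ("read", "ci-logs")},
    "payroll-clerk": {("read", "payroll"), ("write", "payroll")},
    "admin": {("*", "*")},
}


@dataclass
class JitGrant:
    """A time-boxed permission issued outside the user's standing roles."""
    user: str
    action: str
    resource: str
    expires_at: float  # Unix timestamp
    reason: str        # ticket / justification recorded for audit


@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]]
    grants: List[JitGrant] = field(default_factory=list)

    def request_elevation(self, user: str, action: str, resource: str,
                          ttl_seconds: int, reason: str,
                          now: Optional[float] = None) -> JitGrant:
        """Issue a JIT grant for one action on one resource, valid for ttl_seconds.
        A real deployment would route this through an approver; here the reason
        string stands in for that workflow and is mandatory."""
        now = time.time() if now is None else now
        if not reason.strip():
            raise ValueError("JIT elevation requires a documented reason")
        if ttl_seconds <= 0 or ttl_seconds > 4 * 3600:
            raise ValueError("JIT grants must be short-lived (0 < ttl <= 4h)")
        grant = JitGrant(user, action, resource, now + ttl_seconds, reason)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user: str, action: str, resource: str,
                   now: Optional[float] = None) -> bool:
        """Deny-by-default decision: standing role permission or live JIT grant."""
        now = time.time() if now is None else now
        # 1. Standing permissions come only from the user's assigned roles.
        for role in self.user_roles.get(user, set()):
            for p_action, p_resource in ROLE_PERMISSIONS.get(role, set()):
                if p_action in (action, "*") and p_resource in (resource, "*"):
                    return True
        # 2. Otherwise, an unexpired JIT grant for exactly this action/resource.
        for g in self.grants:
            if (g.user, g.action, g.resource) == (user, action, resource) and now < g.expires_at:
                return True
        # 3. Nothing matched: deny.
        return False

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired grants so they cannot linger as standing privilege."""
        now = time.time() if now is None else now
        before = len(self.grants)
        self.grants = [g for g in self.grants if now < g.expires_at]
        return before - len(self.grants)


T0 = 1_700_000_000.0  # fixed timestamp so the scenario is reproducible


def run_scenario() -> Dict[str, bool]:
    """Walk through the examples from the explanation and return each decision."""
    ac = AccessControl(user_roles={
        "rita": {"receptionist"},
        "dev1": {"developer"},
        "pat": {"payroll-clerk"},
    })
    results = {
        "receptionist_can_read_visitor_log": ac.is_allowed("rita", "read", "visitor-log", T0),
        "receptionist_has_admin_on_accounts": ac.is_allowed("rita", "admin", "user-accounts", T0),
        "developer_reads_payroll_by_default": ac.is_allowed("dev1", "read", "payroll", T0),
    }
    # Developer needs payroll read access for 15 minutes to debug an export bug.
    ac.request_elevation("dev1", "read", "payroll", ttl_seconds=15 * 60,
                         reason="INC-1234: reproduce payroll export failure", now=T0)
    results["developer_reads_payroll_during_jit"] = ac.is_allowed("dev1", "read", "payroll", T0 + 300)
    # The grant is scoped to read only; write remains denied.
    results["developer_writes_payroll_during_jit"] = ac.is_allowed("dev1", "write", "payroll", T0 + 300)
    # After 15 minutes the grant has lapsed without anyone having to revoke it.
    results["developer_reads_payroll_after_jit"] = ac.is_allowed("dev1", "read", "payroll", T0 + 16 * 60)
    return results


if __name__ == "__main__":
    for check, decision in run_scenario().items():
        print(f"{check:40s} {'ALLOW' if decision else 'DENY'}")
```

The design choice worth noting is that the JIT grant is keyed to exactly one action on one resource and carries its own expiry, so the elevated access is as narrow as the standing roles and disappears on its own; in production the approval step, the audit log of `reason`, and the periodic `purge_expired` sweep would live in the identity provider or PAM tool rather than in application code.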

