TFN#68: 🪜Principle of Least Privilege

I should have named last week’s letter “Staff or Admin (Part 1/2)”. Because today’s is kind of Part 2/2.
Yes, kind of.
I could have shared this independently, but sequencing helps us connect the dots better. And this one is directly related to most people’s work. So…
So, we talked about four types of access control last week.
One of them was DAC (Discretionary Access Control): the one where we, the owners of a resource, decide who gets which level of access.
Remember this screenshot? We will take that example forward.

We use DAC everyday

You probably share files on platforms like Google Drive or OneDrive with your colleagues regularly. We allow different people to access our files at our discretion. That makes it DAC.

And if you check the different types of available access, there are three types:

  • Viewer
  • Commenter
  • Editor
  • There’s a fourth one: Owner (which you can transfer to others; I will share how to do it in future)

Now let’s say we are working on a document in Google Docs.

And we need to add 10 of our colleagues to this document for collaboration. What would we do?
Generally speaking, we would add all 10 colleagues to the document as “Editor”. This is partly the Default Effect influencing our decision: “Editor” is the default choice Google Docs offers in the sharing dialog.

But would all of our colleagues be Editing the document?
No.

Out of 10 colleagues:

  • 2 will need editing rights
  • 2 will need commenting rights
  • 6 won’t bother looking at the document, because, you know, we are just “keeping them in the loop”; otherwise they will make a ruckus later

So ideally…

This is how the access permissions should look:

  • 2 Editors
  • 2 Commenters
  • 6 Viewers

That’s the Principle of Least Privilege

Grant only the minimum access users need to perform their jobs. Nothing less, nothing more.
Building a culture around this principle shields organizations from confidential information leaks, data breaches and reputational damage: a colleague who can only view a document cannot accidentally (or deliberately) alter it, and a compromised account inherits only the access that account actually needed.
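As an added illustration (not part of the letter), a small Python audit of the ten-colleague document above: it ranks the Google Docs sharing roles, flags every grant that exceeds the role the person actually needs, and produces the least-privilege version of the ACL. The e-mail addresses are constructed placeholders, not a real tenant.

```python
"""Least-privilege audit for a shared document's ACL (added example).

Roles follow the Google Docs sharing model named in the letter:
viewer < commenter < editor < owner. A grant is over-privileged when the
role actually granted ranks above the role the person needs for their job.
"""

# Rank the roles so "more privilege than" is a plain integer comparison.
ROLE_RANK = {"none": -1, "viewer": 0, "commenter": 1, "editor": 2, "owner": 3}


def audit(grants, needs):
    """Return (user, granted, needed) for every grant above what is needed.

    A user who is in `grants` but not in `needs` has no documented reason
    to be on the document, so their need is recorded as "none"."""
    findings = []
    for user, granted in sorted(grants.items()):
        needed = needs.get(user, "none")
        if ROLE_RANK[granted] > ROLE_RANK[needed]:
            findings.append((user, granted, needed))
    return findings


def least_privilege_grants(needs):
    """The ACL as it should look: each user gets exactly the role they need."""
    return {user: role for user, role in needs.items() if role != "none"}


def role_counts(grants):
    """How many viewers / commenters / editors / owners a given ACL has."""
    counts = {}
    for role in grants.values():
        counts[role] = counts.get(role, 0) + 1
    return counts


# Constructed sample (not a real tenant): the letter's ten colleagues, all
# added as "editor" by default, although only two edit, two comment and six
# merely need to view.
NEEDS = {f"editor{i}@example.com": "editor" for i in (1, 2)}
NEEDS.update({f"commenter{i}@example.com": "commenter" for i in (1, 2)})
NEEDS.update({f"viewer{i}@example.com": "viewer" for i in range(1, 7)})
DEFAULT_GRANTS = {user: "editor" for user in NEEDS}

if __name__ == "__main__":
    for user, granted, needed in audit(DEFAULT_GRANTS, NEEDS):
        print(f"{user}: granted {granted}, needs {needed}")
    print(role_counts(least_privilege_grants(NEEDS)))  # {'editor': 2, 'commenter': 2, 'viewer': 6}
```

Run against the default "everyone is an Editor" sharing, the audit reports eight over-privileged grants; run against the least-privilege ACL it reports none.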

I have observed, as you too might have, that so many organizations suffer from too relaxed a culture of privacy. This makes it difficult to say no to people who shouldn’t be on a team, in a meeting room or on a shared document.
What are your experiences in this regard?
Hit Reply and share it with me.

Reads of the week:

All of us have been witnessing different types of software integrations with AI. But in almost all use cases, we have to take action. We have to do something and the AI helps do it.
In this article, Alex Rampell, a GP at Andreessen Horowitz, argues that we will see more and more use cases where the users will not have to do anything. The AI agents will become the labour (in fact, we have already seen it in a few companies). This opens up a possibility to generate new types of work, better work for people.
I liked how simply the author has laid out his thoughts in this article.

The immediate cause of the obesity epidemic is feminism

I had never thought of this. I’ve grown to experience and understand some of the sins of feminism and their causes. But this one hit home. One more of Devon Eriksen’s connecting-the-dots moments. Or putting the finger on the unsaid, un-understood part of politics and culture.

You might have noticed that the louder a feminist is, the uglier and unhealthier they tend to be. The American obesity epidemic has already knocked on the doors of India and other developing economies. It would be fun to see how far this pandemic progresses.
