The principle of least privilege requires which of the following?

Study for the ASIS Protection of Assets (POA) Security Management Exam. Prepare with multiple choice questions, explanations, and insights. Get ready to excel in your exam!

Multiple Choice

The principle of least privilege requires which of the following?

Explanation:
The principle of least privilege means giving users only the access they need to perform their job, and no more. When people have only the minimum permissions required, the risk of accidental or intentional misuse is reduced, exposure if a credential is compromised is limited, and it becomes easier to enforce separation of duties and track actions. So granting users only the access necessary for their role is the best fit for this principle. Providing administrative rights to everyone ignores the need-to-know and greatly increases risk. Restricting access only during business hours is a time-based control, not the core idea of least privilege. Disabling all access by default is too restrictive for normal operations, even though some systems adopt a default-deny mindset; least privilege focuses on granting only what’s necessary, not prohibiting everything unless explicitly allowed.

