Understanding Least Access Privileges and Best Fit Access Privileges

The difference between least access privileges and best fit access privileges can be subtle and is easy to confuse. Both control risk by limiting access to what a specific job or role requires. The difference is that least privileges tailor access to the individual, whereas best fit privileges tailor access to the group or class of users.

For example, suppose you have four accounts receivable specialists. Accounts receivable teams typically collect on invoices owed to a company. Of the four specialists, two work on commercial accounts and two work on individual accounts. Their access is the same, except that the commercial receivables specialists also require access to market information about the companies behind the commercial accounts. Under least privileges, you would limit access to the market information to just the commercial receivables specialists. However, this decision comes at a cost: you would have to maintain two sets of access rules for essentially the same job.

When you multiply these subtle differences across large populations of users and technologies, the resulting rule sets can become complex and expensive to maintain. Best fit privileges would instead look at the risk of giving access to market data to the two specialists working with noncommercial accounts. If there is little to no risk of fraud or security exposure, then all four specialists may get the same access. Typically, this means assigning access to a receivables specialist role and then assigning all four individuals to that role. Using this best fit, risk-based approach to assigning access can lower support costs and simplify access rules, at the price of deliberately granting a few low-risk permissions that some role members do not strictly need.
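The following is an added example, not code from the book, that models the two approaches above as role-based access control. Users, permissions and the 0-10 risk ratings are constructed for illustration; it also goes slightly beyond the book's four specialists by adding a read-only auditor, so that the high-risk branch of the best fit decision (a difference that must not be merged away) is exercised too.

```python
"""Least-privilege vs best-fit role assignment (added example, not from the book).

Least privilege: one role per distinct set of needed permissions.
Best fit: merge roles whose only differences are low-risk permissions,
accepting a small amount of over-provisioning in exchange for fewer rules.
"""
from itertools import combinations

# Constructed sample: the permissions each person's job actually requires.
REQUIRED = {
    "alice": {"view_invoices", "post_payment", "view_market_data"},  # commercial
    "bob":   {"view_invoices", "post_payment", "view_market_data"},  # commercial
    "carol": {"view_invoices", "post_payment"},                      # individual
    "dave":  {"view_invoices", "post_payment"},                      # individual
    "erin":  {"view_invoices"},                                      # auditor (added)
}

# Constructed, hypothetical risk rating (0-10) of granting a permission to
# someone whose job does not require it.
RISK = {
    "view_invoices": 2,
    "post_payment": 8,        # can move money: never hand out "for convenience"
    "view_market_data": 1,    # public-ish data: low exposure
}


def least_privilege_roles(required):
    """One role per distinct permission set; every user gets exactly what they need.

    Returns {frozenset(permissions): set(users)}.
    """
    roles = {}
    for user, perms in required.items():
        roles.setdefault(frozenset(perms), set()).add(user)
    return roles


def best_fit_roles(required, risk, threshold):
    """Start from least-privilege roles and repeatedly merge any pair of roles
    whose symmetric difference consists only of permissions rated at or below
    `threshold`. The merged role grants the union of both permission sets."""
    roles = least_privilege_roles(required)
    merged = True
    while merged:
        merged = False
        for a, b in combinations(list(roles), 2):
            delta = a ^ b  # permissions one role has and the other lacks
            if all(risk[p] <= threshold for p in delta):
                users = roles.pop(a) | roles.pop(b)
                union = a | b
                roles[union] = roles.get(union, set()) | users
                merged = True
                break  # restart: the key set changed
    return roles


def rule_count(roles):
    """Rules to maintain: one role->permission grant per permission per role,
    plus one user->role assignment per user."""
    return sum(len(perms) for perms in roles) + sum(len(users) for users in roles.values())


def over_provisioned(roles, required):
    """Permissions each user holds beyond their job's needs (the cost of best fit)."""
    extra = {}
    for perms, users in roles.items():
        for user in users:
            surplus = set(perms) - required[user]
            if surplus:
                extra[user] = surplus
    return extra


if __name__ == "__main__":
    lp = least_privilege_roles(REQUIRED)
    bf = best_fit_roles(REQUIRED, RISK, threshold=3)
    print(f"least privilege: {len(lp)} roles, {rule_count(lp)} rules")
    print(f"best fit (risk<=3): {len(bf)} roles, {rule_count(bf)} rules")
    print("over-provisioned under best fit:", over_provisioned(bf, REQUIRED))
```

With these inputs, least privilege yields three roles and eleven rules; best fit with a risk threshold of 3 merges the two specialist roles (the only difference, view_market_data, is rated 1) down to two roles and nine rules, while refusing to merge the auditor role because the difference would include post_payment. The over-provisioned report is the artifact an access reviewer should keep: it records exactly which grants were accepted for simplicity rather than need.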
