Skip to main content

Use the principle of deny by default


The system should set minimal or no permissions for new users/roles and users/roles should not receive access to new features until it is explicitly granted.


Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. Furthermore, permissions and access should be granted using the principle of deny by default.