Every least-privilege project we have seen start with a spreadsheet of roles dies within a quarter. The intent is right and the execution makes everyone miserable, so people route around it with a shared admin role and a wink. We have done this badly enough times to know what actually sticks.
Start from what people do, not from the permission catalog
The mistake is reading the cloud provider's list of 8,000 actions and trying to assign them one by one. Nobody can reason about that. We instead watched what a service or a person actually did over thirty days, using access logs, and wrote roles that fit the observed shape of the work plus a small margin. The role for our billing service ended up with eleven permissions. It had been running with full read-write on the account. One caveat: a thirty-day window misses the job that runs quarterly, so expect a few legitimate walls in the first months and handle them through the escape hatch rather than padding the role up front.
- Pull 30 days of access logs per principal before writing any policy
- Group the actions into 3-5 verbs the human can name, like read invoices or write exports
- Grant those, then add the next thing only when someone actually hits a wall
- Delete any permission unused for 60 days, automatically, with a heads-up first
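The four steps above, as an added worked example that is not tooling from the original post. It reads constructed JSON-lines audit records, keeps the actions a principal used inside the lookback window, names the verbs those actions fall under, expands the verbs back into a concrete permission list, computes the granted-to-used ratio, and lists permissions the principal has not touched in 60 days. The log shape, the principal and action names, and the verb groupings in `VERBS` are assumptions made for illustration.

```python
"""Derive a least-privilege role from observed access logs.

Added example, not code from the original post. The log format, the
principal/action names and the verb groupings are assumptions made for
illustration; the records in SAMPLE_LOG are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records, one JSON object per line, in the shape a
# cloud audit log is usually normalised into before analysis.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:12:00Z", "principal": "svc-billing", "action": "invoices:Get"}
{"ts": "2024-05-01T09:12:01Z", "principal": "svc-billing", "action": "invoices:List"}
{"ts": "2024-05-03T02:00:00Z", "principal": "svc-billing", "action": "exports:Put"}
{"ts": "2024-05-20T09:12:00Z", "principal": "svc-billing", "action": "invoices:Get"}
{"ts": "2024-05-21T11:00:00Z", "principal": "alice", "action": "users:Delete"}
{"ts": "2024-03-01T00:00:00Z", "principal": "svc-billing", "action": "buckets:Delete"}
"""

# The 3-5 verbs a human can name, each mapped to the concrete actions it
# covers. Assumed grouping for this example.
VERBS = {
    "read-invoices": {"invoices:Get", "invoices:List"},
    "write-exports": {"exports:Put", "exports:List"},
    "delete-buckets": {"buckets:Delete"},
}

# Fixed "now" so the example is reproducible offline (assumed clock).
NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)


def parse_logs(text):
    """Parse JSON-lines audit records into (timestamp, principal, action)."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append((ts, rec["principal"], rec["action"]))
    return records


def observed_actions(records, principal, now, window_days=30):
    """Return {action: last_seen} for one principal inside the lookback window."""
    cutoff = now - timedelta(days=window_days)
    last_seen = {}
    for ts, who, action in records:
        if who != principal or ts < cutoff:
            continue
        if action not in last_seen or ts > last_seen[action]:
            last_seen[action] = ts
    return last_seen


def build_role(observed):
    """Name the verbs whose actions were observed; flag actions no verb covers.

    Returns (granted_verbs, uncovered_actions). An uncovered action means the
    verb list needs a new name, not that the action gets granted silently.
    """
    granted = sorted(v for v, acts in VERBS.items() if acts & set(observed))
    covered = set().union(*(VERBS[v] for v in granted))
    uncovered = sorted(set(observed) - covered)
    return granted, uncovered


def role_permissions(granted_verbs):
    """Expand verb names into the concrete actions the policy will carry."""
    return sorted(set().union(*(VERBS[v] for v in granted_verbs)))


def grant_used_ratio(permissions, records, principal, now, window_days=30):
    """Granted-to-used ratio; 1.0 is tight, larger means the role is loose."""
    used = observed_actions(records, principal, now, window_days)
    used_in_role = [p for p in permissions if p in used]
    return len(permissions) / len(used_in_role) if used_in_role else float("inf")


def stale_permissions(permissions, records, principal, now, days=60):
    """Permissions in the role the principal has not used in `days` days."""
    used = observed_actions(records, principal, now, window_days=days)
    return sorted(p for p in permissions if p not in used)


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOG)
    observed = observed_actions(records, "svc-billing", NOW)
    verbs, uncovered = build_role(observed)
    perms = role_permissions(verbs)
    print("verbs:", verbs, "uncovered:", uncovered)
    print("permissions:", perms)
    print("granted/used:", grant_used_ratio(perms, records, "svc-billing", NOW))
    # Pretend the old role also carried buckets:Delete, last used in March.
    print("stale:", stale_permissions(perms + ["buckets:Delete"], records, "svc-billing", NOW))
```

Two things worth noticing when you run it. The verb expansion is where the "small margin" comes from: `exports:List` is granted because it belongs to the same verb as the observed `exports:Put`, and the 60-day sweep will then report it as stale, which is the intended tension between step 2 and step 4. And the principal `alice` hits an action no verb names; the right response is to add a verb, not to hand out the raw action.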
The escape hatch is the feature, not the failure
People accept tight roles when getting more is fast and not humiliating. We built a self-serve elevation: you request a scoped permission for four hours, it posts in a channel, a peer approves, and it expires on its own. The point is that nobody waits a day for a ticket. When elevation takes ninety seconds, hoarding standing access stops being worth it.
Standing access is a smell. If a permission is granted forever, ask why it cannot be requested in the moment it is needed.
What we measure
We track the ratio of permissions granted to permissions used per role, and we track how long an elevation request takes to resolve. The first number tells us where roles are too loose. The second tells us whether the escape hatch is healthy. When elevation latency creeps up, people start asking for permanent grants again, and we know the system is fraying.
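The elevation workflow described above and the latency metric in this section, as an added example that is not the original post's tooling. A request names one scope, a peer (never the requester) approves it, the grant expires on its own at a fixed cap, and `median_latency` is the health signal the text describes: when it climbs, the escape hatch is fraying. The four-hour cap, the field names and the sample requests are assumptions chosen to match the workflow in the post.

```python
"""Time-bound, peer-approved elevation and its latency metric.

Added example, not code from the original post. The four-hour cap, the
peer-approval rule and the requests in demo_grants() are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TTL = timedelta(hours=4)  # assumed cap: every grant expires on its own

# Fixed clock for the constructed requests.
T0 = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)


def t(**delta):
    """Offset from T0, e.g. t(hours=2); keeps the demo reproducible."""
    return T0 + timedelta(**delta)


@dataclass
class Elevation:
    requester: str
    scope: str                      # one named verb, e.g. "write-exports"
    requested_at: datetime
    ttl: timedelta = MAX_TTL
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None

    def approve(self, approver, at):
        """Peer approval: self-approval is rejected, and the grant can never
        outlive the cap, however long the requester asked for."""
        if approver == self.requester:
            raise PermissionError("self-approval is not peer approval")
        if self.ttl > MAX_TTL:
            raise ValueError(f"ttl exceeds cap of {MAX_TTL}")
        self.approver, self.approved_at = approver, at

    def expires_at(self):
        return None if self.approved_at is None else self.approved_at + self.ttl

    def is_active(self, now):
        """True only inside the approved window; pending or expired is False."""
        return self.approved_at is not None and self.approved_at <= now < self.expires_at()

    def latency(self):
        """Seconds from request to approval, or None while still pending."""
        if self.approved_at is None:
            return None
        return (self.approved_at - self.requested_at).total_seconds()


def authorize(grants, principal, scope, now):
    """Does `principal` hold `scope` right now through an active elevation?"""
    return any(g.requester == principal and g.scope == scope and g.is_active(now)
               for g in grants)


def median_latency(grants):
    """Median approval latency over resolved requests, in seconds."""
    vals = sorted(g.latency() for g in grants if g.latency() is not None)
    if not vals:
        return None
    mid = len(vals) // 2
    return vals[mid] if len(vals) % 2 else (vals[mid - 1] + vals[mid]) / 2


def demo_grants():
    """Constructed requests: one approved in 90 seconds, one that waited five
    hours, one still pending."""
    fast = Elevation("alice", "write-exports", T0)
    fast.approve("bob", t(seconds=90))
    slow = Elevation("carol", "read-invoices", T0)
    slow.approve("dave", t(hours=5))
    pending = Elevation("erin", "delete-buckets", T0)
    return [fast, slow, pending]


if __name__ == "__main__":
    grants = demo_grants()
    print("alice can write exports at +1h:", authorize(grants, "alice", "write-exports", t(hours=1)))
    print("alice can write exports at +5h:", authorize(grants, "alice", "write-exports", t(hours=5)))
    print("median approval latency (s):", median_latency(grants))
```

The check that matters for the audit trail is that `approver` and `requester` are recorded separately and can never be the same identity; an elevation that a person can approve for themselves is standing access with extra steps.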
What we got wrong
We over-segmented early. Forty narrow roles meant a single onboarding needed eight approvals and people gave up. We merged roles back until each one mapped to a job somebody actually has. Least-privilege is not maximum-roles. It is the smallest set of grants that lets the work happen without a second login.
If you remember one thing: the win is not a tighter policy on paper. It is that six months later nobody has quietly re-created a shared admin key because yours got in the way.