The Walking Dead of Least Privilege


The Least Privilege commandments have always been simple, timeless and clear: 1. exactly what you need; 2. only what you need; 3. granted and revoked at the intended time. In SAP, they are encoded as authorization objects, roles and rules for segregation of duties. In many companies, however, these rules are now being ignored and the authority of the principle is eroding. Authorizations spread uncontrollably, long-forgotten accounts remain active, admin rights float like ghosts through all areas of the company. The principle has not disappeared, but it is all too often neglected and is undergoing a transformation as a result.
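The three commandments can be checked mechanically against a list of role assignments. The following is an added example, not code from the original article or from SAP: it takes constructed, SAP-style role assignments with validity dates, a per-user list of roles the job actually needs, and a constructed segregation-of-duties conflict matrix, and reports excess roles (commandment 2), missing roles (commandment 1), assignments that were never revoked after their end date (commandment 3), and SoD conflicts. All user IDs, role names and dates are invented for the example.

```python
from datetime import date

# Constructed sample assignments (user, role, valid_from, valid_to); not real data.
ASSIGNMENTS = [
    ("jdoe", "Z_AP_INVOICE_ENTRY", date(2024, 1, 1), date(2025, 12, 31)),
    ("jdoe", "Z_AP_PAYMENT_RUN", date(2024, 1, 1), date(2025, 12, 31)),
    ("asmith", "Z_BASIS_ADMIN", date(2023, 1, 1), date(2023, 6, 30)),
    ("asmith", "Z_FI_DISPLAY", date(2024, 1, 1), date(2026, 12, 31)),
]

# Roles each job function actually requires ("exactly what you need").
NEEDED = {
    "jdoe": {"Z_AP_INVOICE_ENTRY"},
    "asmith": {"Z_FI_DISPLAY", "Z_CO_DISPLAY"},
}

# Constructed SoD rule: entering an invoice and running the payment must be separated.
SOD_CONFLICTS = {frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"})}

# Reference date for the audit run (constructed).
AS_OF = date(2025, 6, 1)


def audit(assignments, needed, sod_conflicts, today):
    """Return sorted (finding, user, detail) tuples for the three commandments."""
    findings = []
    active = {}  # user -> set of roles effective on `today`
    for user, role, start, end in assignments:
        if end < today:
            # Commandment 3: the assignment should have been revoked by now.
            findings.append(("EXPIRED_STILL_ASSIGNED", user, role))
        elif start <= today:
            active.setdefault(user, set()).add(role)

    for user in set(needed) | set(active):
        have = active.get(user, set())
        need = needed.get(user, set())
        for role in sorted(have - need):
            findings.append(("EXCESS", user, role))   # commandment 2: only what you need
        for role in sorted(need - have):
            findings.append(("MISSING", user, role))  # commandment 1: exactly what you need
        for pair in sod_conflicts:
            if pair <= have:
                findings.append(("SOD_CONFLICT", user, "+".join(sorted(pair))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, NEEDED, SOD_CONFLICTS, AS_OF):
        print(*finding)
```

In a real review the assignments would come from an export of the user-role tables and the conflict matrix from the organization's SoD ruleset; the logic above stays the same.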
The era of paper ledgers: Least Privilege originated long before the computer age, when meticulous employees kept handwritten notes in the "ledger" about who was assigned what and when. The pages were numbered to prevent "creative additions". Controls were simple, physical and effective: reading under supervision, posting only with countersignature, locking the ledger at night, separation between creator and approver - a four-eyes principle long before the term "segregation of duties" emerged.
Industrial age, rights to the production line: In the 1970s and 1980s, general ledgers were replaced by terminals and batch jobs. SAP R/2 was created in the mainframe era, developed for companies that valued efficiency, repeatability and control. Least privilege did not determine who was allowed to open the ledger, but rather which employee was allowed to carry out which transaction on the production line. This is what least privilege access looked like in the early days of SAP: authorizations were closely tied to transactions, batch processes and predictable roles. Access was defined exclusively via the process - a rule that was engraved in the machinery itself.
Turn of the millennium, the golden age of control begins: In the office of the early 2000s, Least Privilege is ubiquitous, for reasons of design as well as necessity. A busy assistant manages the typewriter and the flow of information. In parallel, access to R/3, ECC, CRM, SRM, BW or HR is tied to SAP's SID-based architecture. Data is available to those who know their way around; access is strictly regulated via the ABAP authorization concept in the application layer.
Today you have to understand the cloud jargon (BTP, Rise, Grow); back then, Least Privilege was based on predictable, task-specific systems. Looking back, it was a golden age of the now moribund principle: orderly, reliable and integrated into the rhythm of working life.
Digital resurrection: In today's hybrid world, the old and new of rights allocation are also merging. The stone tablet with the three golden principles still exists, but now it shines on a digital dashboard.
Access rights are no longer granted by a human, but by a machine intelligence or a generative AI model. The focus has shifted: the restriction by "at least" and "only" is receding into the background, with commandments 1 and 3 becoming more important. Least privilege now focuses less on denial and more on precision, speed and relevance.
In the modern cloud-based architecture, the old SIDs are gradually disappearing and being replaced by BTP services and subscriptions. The least privilege principle is not dead in the age of AI.
It has merely been revived in digital form, but shines brighter than ever. Minimal privileges never really die out. You may bury the term, rename it or claim to have left it behind - it will always come back, like a Walking Dead.