← Home

Deep-Dive · Companion to the Zero Trust Field Guide

The Access
Decision

One decision, made well, every time: is this access needed — and if so, how far should it be restricted? This is the deep version of the Zero Trust guide's central question, from the request to the revoke.

Gate 1 necessity Gate 2 authorization Then review & revoke

Every access request runs two gates. The first asks whether the access should exist at all — a question of necessity. The second asks whether this requester, on this device, in this context, has cleared the bar the resource's sensitivity demands — a question of authorization. Between them you size the grant to the minimum that does the job. After them, the work isn't done: access that never expires or gets reviewed is the most common source of risk.

01

The Decision in One View

Default-deny throughout: access is what you deliberately grant, not what you forgot to block.

Access request Needed?(justified) GATE 1necessity DENY (default) Size to least privilegenarrowest point on the five axes · §3 Rate sensitivity → set the barclassification · §4–5 Conditionsmeet the bar? GATE 2authorization identity · device · context · risk Step up or denyMFA · JIT · approval GRANTscoped · time-bound · recorded no yes no yes
Two gates, a sizing step between them, and a grant that is never permanent — it enters the lifecycle (§7) for review and revocation.
02

Gate 1 · Is It Needed?

The necessity gate is where most over-provisioning is stopped — or waved through. A legitimate need is tied to a specific role or task and can be stated in a sentence. Anything vaguer is a no until it's sharpened.

Counts as a need

Does not count

Necessity worksheet — copy & fill
Requester / principal: ______________________________ Resource requested: ______________________________ Task or duty it serves: _____________________________ Why existing access is insufficient: ________________ Scope it actually requires: _________________________ End date / trigger: ______________________________ Decision: ☐ need established ☐ deny ☐ send back to sharpen
03

Sizing to Least Privilege

Once a need is established, grant the narrowest access that satisfies it. Minimize independently on five axes — a grant that's tight on four axes and wide on one is still wide.

Push the knob toward LEAST on every axis Principal one identity a broad group Resource just what's needed the whole store Actions read-only full control Duration time-boxed permanent Conditions verified context anywhere, anyhow
Five independent dials. Prefer read over write, one record over the table, an hour over forever, this person over the group. The widest axis sets your real exposure.
04

Rating Sensitivity

How high the authorization bar should sit is a function of what's behind it. Rate the resource by the impact if its confidentiality, integrity, or availability were lost — then let that drive the controls.

TierExamplesImpact if compromised
Crown jewelscustomer PII, secrets/keys, domain admin, production data storesSevere — regulatory, financial, existential.
Sensitivesource code, financial systems, internal PIISignificant — material harm, contained.
Internalgeneral business apps, intranetLimited — operational friction.
Public / lowpublished content, open reference dataMinimal — but integrity still matters.

If a resource isn't classified, you can't size its bar — so classification (the Data pillar) is usually the prerequisite work, not the network plumbing. Unclassified defaults to "treat as sensitive until rated," not "treat as open."

05

Gate 2 · Setting the Bar

Sensitivity maps to the assurance required before access is allowed. When a request falls short, step up (raise the assurance) rather than defaulting to a flat deny — and only hard-deny when step-up can't close the gap.

TierIdentityDeviceApproval / elevationDurationLogging
Crown jewelsphishing-resistant MFAmanaged + compliantexplicit approval + JITminutes–hoursfull, alerted
SensitiveMFAposture-checkedrole-based, JIT for elevationsession–daysfull
InternalSSO + MFAknown devicerole-basedrole lifetimestandard
Public / lowauthenticatedanyself-servicestanding OKbasic
Step-up, not slam-shut

A contractor on an unmanaged laptop hasn't failed forever — route them through managed VDI, add approval, or provision a scoped replica. Step-up keeps people productive without lowering the bar, which is what prevents the workarounds (shadow IT) that a flat deny breeds.

06

The Grant Record

A grant you can't describe later is a grant you can't review, audit, or safely revoke. Record enough that a stranger could re-evaluate it in a year.

Grant record — template
Principal: ______________ (human / service / machine) Resource + scope: ______________ (which data/systems, how narrow) Actions: ______________ (read / write / admin) Justification: ______________ (the need, from Gate 1) Sensitivity tier: ______________ → bar applied: ____________ Conditions: ______________ (MFA, device, context) Granted by: ______________ Date: __________ Expires: ______________ (date or trigger — required) Review / recert: ______________ (when, by whom)

The two fields people skip are expiry and review owner. A grant without them becomes standing privilege the moment the task ends.

07

Lifecycle · Review & Revoke

The decision doesn't end at "grant." Access has a life, and the riskiest part is the end nobody tends to.

Request Approve Provisionleast-priv Useverified Reviewrecertify Revoke/ expire still needed? re-request — never auto-renew
Expire by default. Renewal should require re-justifying the need, not a silent extension. Review is the step that's skipped — and where standing privilege accumulates.

Revoke triggers — act without waiting for the review cycle

The standing-privilege sweep

Periodically list grants that haven't been used in the review window. Unused access is pure risk with no offsetting benefit — revoke first, ask questions after.

08

Mechanisms

How the decision gets implemented. Pick the model that matches how your access actually varies.

ModelDecides byBest whenWatch out for
RBACrole → permission setsstable, well-defined job functionsrole explosion; creep as people accumulate roles
ABACattributes of user, resource, contextfine-grained, dynamic, context-dependent accesspolicy sprawl; needs clean attribute data
PBACcentral policies (often ABAC + a policy engine)consistent governance at scaleonly as good as the attributes and policies feeding it

Supporting controls

09

Hard Calls

10

Anti-Patterns

11

Worked Examples

Illustrative · contractor → customer DB

Need: one-week reporting task — legitimate, bounded. Size: read-only, two tables, seven days, one identity. Sensitivity: customer PII = crown jewels. Bar: phishing-resistant MFA + managed device + approval. Contractor is on an unmanaged laptop → step up to managed VDI + manager approval. Grant: read-only, two tables, 7 days, auto-expiring, fully logged. Residual: in-scope exfiltration still possible → add egress/volume monitoring.

Illustrative · engineer → production

Need: debug a live incident — real, urgent. Size: the affected service only, time-boxed to the incident. Sensitivity: prod data store = crown jewels. Bar + step-up: JIT elevation through PAM, session recorded, auto-expiry on incident close. Grant: scoped, JIT, recorded. Lifecycle: access self-revokes; no standing prod admin remains.

Illustrative · service account → internal API

Need: a nightly job calls one API. Size: that one API method, that one dataset, no interactive login. Sensitivity: sensitive. Bar: short-lived credential, network-scoped. Lifecycle: owner assigned, quarterly review, alert if it authenticates from anywhere unexpected. The non-human identity gets the same two gates a person would.

12

Quick-Reference Card

The access decision in one screen

Two gates

Gate 1 — needed? tied to a task, stated in a sentence, default-deny. Gate 2 — authorized? conditions clear the bar the sensitivity demands; if not, step up rather than slam shut.


Size on five axes

Principal · Resource · Actions · Duration · Conditions — narrowest point on each. The widest axis is your real exposure.


Sensitivity sets the bar

Classify first (you can't size a bar for an unrated resource). Crown jewels → strong identity + managed device + approval + JIT + short-lived + alerted.


Record & expire

Capture principal, scope, actions, justification, approver, and — always — expiry and review owner. No expiry = standing privilege.


Lifecycle

Request → approve → provision → use → review → revoke. Expire by default; re-request, never auto-renew. Revoke on role change, offboarding, risk signal. Sweep unused grants.

The deep version of the Zero Trust Field Guide's "Is it needed? Should it be restricted?" decision. Concepts are standard access-control practice — principle of least privilege, need-to-know/need-to-use, RBAC/ABAC/PBAC, just-in-time / just-enough-access, separation of duties, privileged access management, break-glass, and access recertification. Map them to the access-control requirements of your own control framework before formal use; classification tiers, the assurance matrix, and worked examples are illustrative, not a control baseline. Least privilege reduces blast radius — it does not make a system "secure." Companion to the Zero Trust, Critical Thinking, Troubleshooting, and Root Cause Analysis guides.