A company has 5 users. Users 1, 2 and 3 need access to payroll and users 3, 4 and 5 need access to sales.
Which of the following should be implemented to give the appropriate access while enforcing least
privilege?

A.
Assign individual permissions to users 1 and 2 for payroll. Assign individual permissions to users 4 and 5
for sales. Make user 3 an administrator.

B.
Make all users administrators and then restrict users 1 and 2 from sales. Then restrict users 4 and 5
from payroll.

C.
Create two additional generic accounts, one for payroll and one for sales that users utilize.

D.
Create a sales group with users 3, 4 and 5. Create a payroll group with users 1, 2 and 3.

Explanation:
Assigning permissions to a group requires less effort than assigning permissions to individual users. When
you have groups configured with the appropriate permissions, you can grant the permissions to individual
users by adding the users to the groups. Users can be members of multiple groups and therefore have
multiple sets of permissions assigned to them. In this answer, user 3 is a member of both groups which
grants the user permission to both Sales and Payroll.
Incorrect Answers:
A: Assign individual permissions to individual users requires a lot more administrative effort than
assigning permissions to groups and adding the users to the groups. Therefore, this answer is incorrect.
B: The question states that you must enforce least privilege. Granting the users administrator access gives
them full access to everything. They could even remove the restrictions that this answer suggests using.
Therefore, this answer is incorrect.
C: Employees should not share user accounts. You should grant the appropriate permissions to the users’
user accounts (by way of group membership); not create additional accounts for multiple users to use.
Therefore, this answer is incorrect.