== Recommended Secure Coding Practices

At minimum, an access control system should:

* Use a well-defined access control model like https://en.wikipedia.org/wiki/Role-based_access_control[RBAC] or https://en.wikipedia.org/wiki/Access-control_list[ACL].
* Review entities' permissions regularly to remove permissions that are no longer needed.
* Respect https://en.wikipedia.org/wiki/Principle_of_least_privilege[the principle of least privilege] ("_an entity has access only to the information and resources that are necessary for its legitimate purpose_").
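
The three practices above in a minimal form, as an added example that is not part of the original rule text: permissions attach to roles (RBAC), checks deny by default, and a review function lists permissions a user holds but has not exercised within the review window. All role, user and permission names, the 90-day window and the log entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed role -> permission mapping (RBAC): permissions attach to roles, not users.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}

# Constructed user -> role assignments.
USER_ROLES = {"alice": {"editor"}, "bob": {"admin"}}

def permissions_of(user):
    """Union of the permissions granted by every role the user holds."""
    granted = set()
    for role in USER_ROLES.get(user, ()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted

def is_allowed(user, permission):
    """Deny by default: unknown users, roles and permissions get no access."""
    return permission in permissions_of(user)

def unused_permissions(access_log, now, max_age_days=90):
    """Periodic review: per user, permissions granted but not exercised
    within the review window, i.e. candidates for removal."""
    cutoff = now - timedelta(days=max_age_days)
    used = {}
    for timestamp, user, permission in access_log:
        if timestamp >= cutoff:
            used.setdefault(user, set()).add(permission)
    report = {}
    for user in USER_ROLES:
        stale = permissions_of(user) - used.get(user, set())
        if stale:
            report[user] = stale
    return report

# Constructed access log: (timestamp, user, permission exercised).
NOW = datetime(2024, 6, 1)
ACCESS_LOG = [
    (datetime(2024, 5, 20), "alice", "report:read"),
    (datetime(2024, 5, 21), "alice", "report:write"),
    (datetime(2024, 5, 25), "bob", "report:read"),
    (datetime(2023, 11, 2), "bob", "user:manage"),  # outside the review window
]

if __name__ == "__main__":
    print(unused_permissions(ACCESS_LOG, NOW))
```

A permission flagged by the review is a candidate for removal, not proof that it is unneeded: rarely used but legitimate duties (for example yearly tasks) need a longer window or a manual check.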