Question 189 of 1,152
General Security ConceptsmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is least privilege. This security principle dictates that a help desk analyst should only have the minimum permissions necessary to perform their job, such as resetting passwords in the ticketing portal, while all unrelated HR functions like viewing payroll or editing profiles are explicitly denied. By restricting access to only what is required for the task, the organization reduces the attack surface and limits potential damage from compromised credentials or insider misuse. On the Security+ SY0-701 exam, this concept frequently appears in scenario-based questions where you must identify the principle behind role-based access restrictions; a common trap is confusing least privilege with need-to-know, which focuses on data confidentiality rather than system permissions. Remember the mnemonic “Just Enough, Not Everything” to recall that least privilege is about granting the bare minimum access for a role to function.

SY0-701 General Security Concepts Practice Question

This SY0-701 practice question tests your understanding of general security concepts. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A help desk analyst can reset passwords in the ticketing portal but cannot view payroll records, edit user profiles, or access other HR functions. Which security principle is the organization applying?

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Least privilege

The help desk analyst is granted only the permissions necessary to perform their job function—resetting passwords—while all other HR functions are explicitly denied. This is the core definition of least privilege: each user or system component receives the minimum set of access rights needed to complete their tasks. By restricting the analyst’s account to password reset operations only, the organization reduces the attack surface and limits potential damage from compromised credentials or insider misuse.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Least privilege

    Why this is correct

    The analyst is given only the permissions needed to perform password resets and nothing beyond that task.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Defense in depth

    Why it's wrong here

    Defense in depth uses multiple layers of protection, not a narrowly scoped user permission model.

  • Separation of duties

    Why it's wrong here

    Separation of duties splits critical tasks among people to prevent fraud or abuse, which is different here.

  • Zero trust

    Why it's wrong here

    Zero trust continuously verifies access, but the question focuses on limiting assigned permissions.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse 'least privilege' with 'separation of duties' because both involve restricting access, but separation of duties specifically requires dividing a single sensitive process among multiple people, whereas least privilege simply limits the scope of permissions for any one person or process.

Detailed technical explanation

How to think about this question

Under the hood, least privilege is implemented via Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) in directory services like Active Directory or cloud IAM systems. For example, the analyst’s account would be a member of a 'Help Desk' role that has an ACL entry granting write access to the password attribute on user objects but explicitly denies read access to the payroll OU. In a real-world scenario, a misconfigured RBAC role that accidentally includes 'Domain Admins' membership would violate least privilege and could allow a help desk analyst to escalate privileges to full domain control.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SY0-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SY0-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SY0-701 question test?

General Security Concepts — This question tests General Security Concepts — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Least privilege — The help desk analyst is granted only the permissions necessary to perform their job function—resetting passwords—while all other HR functions are explicitly denied. This is the core definition of least privilege: each user or system component receives the minimum set of access rights needed to complete their tasks. By restricting the analyst’s account to password reset operations only, the organization reduces the attack surface and limits potential damage from compromised credentials or insider misuse.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on SY0-701

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A security analyst at a hospital is reviewing user permissions in the electronic health record (EHR) system. The analyst discovers that all nursing staff accounts are members of the 'Administrators' group, which grants full read and write access to all patient records, as well as the ability to modify system configuration settings. The nursing staff's job responsibilities only require viewing and updating records for patients currently assigned to them. Which security principle is most directly violated by this configuration?

medium
  • A.Defense in depth
  • B.Least privilege
  • C.Non-repudiation
  • D.Availability

Why B: The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this case, nursing staff only need read and write access to records of currently assigned patients, but membership in the 'Administrators' group grants full read/write access to all patient records and the ability to modify system configuration settings, which far exceeds their job requirements. This directly violates least privilege by providing excessive, unnecessary privileges that increase the risk of unauthorized access or accidental misconfiguration.

Keep practising

More SY0-701 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.