Adhere to the Principle of Least Privilege
Grant necessary privileges only. Do not provide users or roles more privileges than are necessary. If possible, grant privileges to roles, not individual users. The principle of least privilege is that users are given only those privileges that are actually required to efficiently perform their jobs.
Restrict the following as much as possible:
The number of users granted the admin or security roles.
The number of roles or users who are allowed to make changes to security objects, such as roles, users, and document permissions.
The number of roles that have capabilities to add, change or remove security-related privileges.
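The three counts listed above can be tracked with a small audit over an exported user and role inventory. The following is an added example, not code from the product or its documentation. The inventory, the privilege names and the assumption that roles inherit other roles are all constructed for illustration.

```python
# Constructed inventory for illustration; not exported from a real system.
# Assumption: a role may inherit other roles, so membership is transitive.
ROLE_INHERITS = {
    "admin": [],
    "security": [],
    "ops-lead": ["security"],   # reaches the security role indirectly
    "content-editor": [],
    "report-viewer": [],
}
# Hypothetical privilege names standing in for the ability to change
# security objects (roles, users, document permissions).
ROLE_PRIVS = {
    "admin": {"manage-roles", "manage-users", "set-permissions"},
    "security": {"manage-roles", "manage-users"},
    "content-editor": {"set-permissions"},
}
USER_ROLES = {
    "alice": ["admin"],
    "bob": ["ops-lead"],
    "carol": ["report-viewer"],
    "dave": ["content-editor"],
    "erin": [],
}
SENSITIVE_ROLES = {"admin", "security"}
SECURITY_PRIVS = {"manage-roles", "manage-users", "set-permissions"}

def effective_roles(direct):
    """Expand directly granted roles through inheritance (cycle-safe)."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, []))
    return seen

def can_change_security(direct):
    """True if any effective role carries a security-changing privilege."""
    return any(ROLE_PRIVS.get(r, set()) & SECURITY_PRIVS
               for r in effective_roles(direct))

def audit():
    """Return the three populations the guidance says to keep small."""
    return {
        "users_with_admin_or_security": sorted(
            u for u, r in USER_ROLES.items()
            if effective_roles(r) & SENSITIVE_ROLES),
        "users_able_to_change_security": sorted(
            u for u, r in USER_ROLES.items() if can_change_security(r)),
        "roles_able_to_change_security": sorted(
            r for r in ROLE_INHERITS if can_change_security([r])),
    }

if __name__ == "__main__":
    for name, members in audit().items():
        print(f"{name}: {len(members)} {members}")
```

In this sample, bob holds neither sensitive role directly but is still counted because ops-lead inherits security, which is the kind of indirect grant a direct-membership count would miss.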