Necessary privilege is Allen’s inside-out of the Principle of Least Privilege (2023). Where least privilege asks “what privileges should we deny?”, necessary privilege asks “what privileges does the user actually need to do their work?” The answer to both questions should converge on the same permission set — but the design process that gets there is different, and the difference produces different systems.
Least privilege starts with all possible permissions and removes what is unnecessary. Necessary privilege starts with nothing and adds what is required. The restrictive framing forces designers to enumerate every possible abuse — a potentially endless task. The necessary framing concentrates attention on the positive: what does this user need to accomplish, and what is the minimum privilege set that enables it?
Allen’s insight is that framing changes what designers discover. A least-privilege analysis tends to produce permission sets that are technically minimal but functionally brittle — users bump against barriers, work around restrictions, and accumulate frustration. A necessary-privilege analysis starts from work requirements, producing permission sets that enable smooth operation. If a user proactively has access to everything they need, they never bump up against barriers. This reduces human error and increases satisfaction.
Necessary privilege is not simply least privilege stated differently. The two framings lead to different design conversations. Least privilege asks: “Is this permission necessary?” — a yes/no gate applied permission by permission. Necessary privilege asks: “What does this role require?” — a constructive enumeration that may surface permissions the least-privilege analysis would never have considered, because they were not in the initial permission set being trimmed.
Necessary privilege occupies the enabling row of Allen’s 2x3 taxonomy, paired with Principle of Least Privilege in the restrictive row. Together they bracket the privilege scope — one sets the ceiling (no more than necessary), the other sets the floor (no less than necessary). A well-designed system satisfies both simultaneously.