Answer C is incorrect because separation of duties is focused on ensuring that action and validation practices are performed separately. Answer A is incorrect because the default assignment of an implicit denial is overridden by explicit grants of access aids in protecting resources against accidental access and is not directly violated by this action because Lynn's account now has full administrator rights assigned. By making Lynn a member of the Administrators group, Bob not only bypassed the application's access control protocols but may also have granted Lynn access to additional application features or administrative-only tools that often lack the same safeguards as user-level APIs. Least privilege is a principle of assigning only those rights necessary to perform assigned tasks.
