Least privilege by default
Posted by z Jean-jacques Jouanneaux on 26 August 2010 02:32 PM

Is the general practice to develop our applications as if the default access will be least privilege? That is, are we best to 'hide' everything by default in code that may be hidden – e.g. Admin buttons etc. – then create a permission that 'shows' the object?

It is a best practice to develop your application with "least privilege by default", but this practice has a cost.
It is more difficult for a developer to develop and test in this mode.
I think it is a better practice to determine what is very sensitive in your application. For highly sensitive data or actions, you will use the "least privilege by default" mode during development, and in the other cases you will use the "normal" mode.



Visual Guard

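The two modes described in the answer, as an added example that is not part of the original post and does not use the Visual Guard API: sensitive elements stay hidden until a permission shows them, while "normal" elements stay visible until a permission hides them. All names (`Mode`, `ELEMENTS`, `is_visible`, `run_action`) and the sample elements are hypothetical.

```python
from enum import Enum


class Mode(Enum):
    LEAST_PRIVILEGE = "least_privilege"  # hidden unless a permission shows it
    NORMAL = "normal"                    # shown unless a permission hides it


# Constructed sample: each UI element/action is classified once, by sensitivity.
ELEMENTS = {
    "admin_button": Mode.LEAST_PRIVILEGE,
    "delete_user": Mode.LEAST_PRIVILEGE,
    "report_view": Mode.NORMAL,
    "help_link": Mode.NORMAL,
}


def is_visible(name, grants=frozenset(), denials=frozenset()):
    """Decide whether the current user may see/use an element.

    grants  -- elements explicitly shown to the user by a permission
    denials -- elements explicitly hidden from the user by a permission
    """
    mode = ELEMENTS.get(name)
    if mode is None:
        return False              # unclassified elements fail closed
    if name in denials:
        return False              # an explicit "hide" wins in both modes
    if mode is Mode.LEAST_PRIVILEGE:
        return name in grants     # sensitive: needs an explicit "show"
    return True                   # normal: visible by default


def visible_elements(grants=frozenset(), denials=frozenset()):
    """Names the UI layer should render for this user, sorted for stable output."""
    return sorted(n for n in ELEMENTS if is_visible(n, grants, denials))


def run_action(name, grants=frozenset(), denials=frozenset()):
    """Re-check at execution time: hiding a button alone does not block the action."""
    if not is_visible(name, grants, denials):
        raise PermissionError(f"{name}: not permitted")
    return f"{name}: done"


if __name__ == "__main__":
    print(visible_elements())                         # user with no permissions
    print(visible_elements(grants={"admin_button"}))  # user granted one admin element
```
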