Which practice supports least-privilege access in Phreesia?

• A. Auto-rotate passwords every 90 days.
• B. Never change permissions.
• C. Audit logs are disabled.
• D. Regularly review access and disable accounts when needed.

Answer: (D)

Least-privilege access means giving users only the permissions they need to do their job and keeping those permissions tightly aligned with their current role. Regularly reviewing who has access in Phreesia and disabling accounts when they’re no longer needed puts that into practice. It directly reduces the chance of over-permission by removing access that isn’t necessary, helps prevent dormant or orphaned accounts from being exploited, and makes it easier to adjust permissions when someone’s responsibilities change. Other options don’t address this ongoing control: rotating passwords improves credential hygiene but doesn’t constrain what actions a user can take; never changing permissions allows privileges to accumulate beyond need; turning off audit logs reduces visibility for detecting misuse.