Skip to main content

Introduction to Delegation of Authority

· 3 min read
Christina Kelley
Christina Kelley
Bean Master

Organizations distribute responsibility through the delegation of authority. Delegation stems from a fundamental limitation: no single person or system can do everything. To scale effectively, organizations distribute decision-making through delegation. But how authority is assigned matters: too little, and tasks remain incomplete; too much, and you expose vulnerabilities.

For example, giving an employee a key to an office containing confidential documents bears similar risks to granting users access to sensitive databases. Delegation requires trust, but trust introduces risk.

At its core, delegation involves three key elements:

  1. Authentication - Assigning Authority Choosing who receives decision-making power.
  2. Authorisation - Defining Scope Setting limits on what they can and cannot do.
  3. Accounting - Implementing Oversight Ensuring accountability and preventing misuse.

Hierarchy of Authority Delegation

Here are 2 simple examples:

  • A front desk worker can operate a Point of Sale register but cannot issue refunds above a set limit.
  • A soccer referee can eject a player for a foul but cannot ban them from the league.

The same principle applies in digital systems, unnecessary access increases vulnerabilities, while restricting access too much slows productivity.

Delegation always involves a trade-off between trust and control:

  • Too little authority - Tasks remain incomplete.
  • Too much authority - You introduce risks of potential compromise either due to maliciousness or accidents.

Here are some examples of when there's too little authority:

  • A receptionist must ask a manager for every patient update.
  • A developer can't deploy code, delaying releases.

Here are some examples of when there's too much authority:

  • A junior employee is mistakenly given admin access to a database.
  • A cashier can issue refunds without oversight, leading to fraud.

The Principle of Least Privilege (POLP)

To minimize risk, organizations follow POLP: "Give people only the minimum necessary authority to complete their tasks—no more, no less."

Most systems that enable delegation ends up granting more power than necessary, leading to ambient authority. These are the extra permissions that aren't strictly needed.

Ambient Authority versus Intended Authority

In the above diagram, we show that ambient authority is the extra authority someone has but doesn't need. Whereas the intended authority is the exact amount of power necessary for a task. Therefore reducing ambient authority reduces risk. This is the foundation of Zero Trust and this is something we will explore in subsequent blog posts.

Delegation is essential, but it requires careful management to avoid inefficiencies and risks. The key is to balance trust and control, ensuring authority is assigned wisely and responsibly.