An authorized tenant user with active and effective UMS access must be able to delegate limited UMS management capabilities to another user within the same tenant. This delegation enables administrative work without introducing privilege escalation or cross-tenant administration.
The delegation applies only to the internal UMS scope and must remain bounded by the delegator’s original permissions.
Organization, Department, System, or Team if those scopes are not explicitly enabled for this story.| Actor | Responsibility |
|---|---|
| Delegator | Grants, modifies, or revokes a limited delegation within their own UMS scope. |
| Delegatee | Executes UMS management actions within the delegated permissions and tenant boundary. |
| Authorized Approver | Approves the delegation when tenant policy requires it. |
| Authorized Superior Administrator | Can revoke or suspend delegations for control or security reasons. |
| Auditor | Verifies who delegated what, when, for how long, and with what outcome. |
If the delegator attempts to delegate a permission they do not hold, the system rejects the operation.
If the delegatee does not belong to the same tenant, is blocked, is inactive, or fails the eligibility rule, the system rejects the delegation.
If tenant policy requires approval, the delegation remains pending until a final decision is recorded. Approval may accept, limit, or reject the request.
If the delegator loses permissions, becomes inactive, changes profile, or loses active UMS access, derived delegations must be reviewed, suspended, or revoked according to tenant policy.
If the operation creates self-delegation, a delegation cycle, or unsafe chaining, the system rejects it.
| Rule | Description |
|---|---|
| BR-01 | Delegation applies only to the internal UMS scope within the tenant. |
| BR-02 | Cross-tenant delegation is not allowed. |
| BR-03 | The delegator may only delegate permissions already present in their effective UMS profile. |
| BR-04 | The delegatee must belong to the same tenant and be eligible to receive UMS permissions. |
| BR-05 | Delegation cannot grant more authority than the delegator possesses. |
| BR-06 | Every delegation must be traceable by tenant, delegator, delegatee, delegated permissions, validity, and state. |
| BR-07 | Delegation may require approval depending on policy or permission sensitivity. |
| BR-08 | Every create, modify, approve, activate, reject, revoke, suspend, or expire transition must be audited. |
| BR-09 | Delegation must be revocable by the delegator or an authorized superior administrator. |
| BR-10 | Cycles, self-delegation, and unsafe escalation must be prevented. |
| BR-11 | If the delegator loses access or permissions, derived delegations must be reviewed or suspended. |
| BR-12 | Delegation may also be time-bound. |
| # | Acceptance Criterion |
|---|---|
| 1 | The system allows delegation of UMS management only within the same tenant. |
| 2 | The system blocks cross-tenant delegation. |
| 3 | The system prevents the delegatee from receiving permissions the delegator does not hold. |
| 4 | The delegatee receives only explicitly delegated UMS capabilities. |
| 5 | Delegation can require approval when tenant policy defines it. |
| 6 | The delegator can modify the delegation without exceeding their own scope. |
| 7 | Delegation can be revoked by the delegator or an authorized superior administrator. |
| 8 | Every delegation state transition is audited. |
| 9 | The system prevents self-delegation, cycles, and unsafe escalation. |
| 10 | If the delegator loses access or permissions, derived delegations are reviewed or suspended according to policy. |
UserManagementDelegation, it must align to this minimum scope: tenant, delegator user, delegatee user, delegated UMS permissions, approval, audit, and revocation.| Type | References |
|---|---|
| Entities | UserManagementDelegation, UserAccount, Profile |
| Related UMS capabilities | User creation, user blocking/revocation, profile assignment, modification of allowed permissions |
| Domain events | Delegation create, modify, approve, activate, reject, revoke, and expire events |
| Related Stories | FS-10, FS-12, FS-21, FS-22, FS-24 |
| ADRs | ADR-0038, ADR-0044 |