ABSTRACT

The core set of services in Enterprise Level Security (ELS) that provides for access and privilege is designed for simplicity in common use cases, but in a large enterprise there are many exceptions that require local adjustments to access rules. This chapter discusses delegation, which is the controlled sharing of one individual’s discretionary access and privilege with another entity. Mandatory access requirements must still be met by the delegate. Delegation enables authorized individuals and groups within the enterprise to locally enact access rules that are not addressed by the core enterprise services. This provides two benefits. First, local complications, uncommon scenarios, and unforeseen situations need not be escalated to enterprise-wide changes when they are confined to a single application or service. Delegation keeps small changes local. Second, the visibility that delegation provides makes it possible to identify enterprise-wide patterns that may be better addressed by permanent solutions, such as the enterprise provisioning additional information that applications and services need. Instead of an accumulation of hidden backdoor access methods, delegation keeps the access modifications visible and accountable. Delegation is provided as an enterprise service, with individual delegation policies set by the data owners, and it preserves the standard ELS authentication, authorization, and auditing protections.