DelegatedPermission
Enables temporary transfer of permissions from one user to another, supporting scenarios like vacation coverage, emergency access, and task delegation. This entity manages the complex process of permission delegation where a user (delegator) temporarily grants some or all of their permissions to another user (delegate). This is essential for business continuity - when a manager goes on vacation, they can delegate approval permissions to their deputy. The delegation can be partial (only specific permissions) or complete (all permissions), time-bounded (active only during specific dates), and conditional (only for certain resources or contexts). The system tracks the delegation chain to prevent recursive delegations and maintains audit trails showing who used delegated permissions and when. Delegations can require approval from security teams or higher management, especially for sensitive permissions. The entity handles automatic activation and deactivation based on schedules, sends notifications when delegations are used, and can instantly revoke delegations if misuse is detected. This is critical for maintaining operational flexibility while preserving security and accountability, as all actions taken with delegated permissions are traceable back to both the delegate and the original permission holder.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| delegationId | uuid | stored | Unique identifier for this delegation | Required |
| delegator | User | stored | User who is delegating their permissions | Required |
| delegate | User | stored | User receiving the delegated permissions | Required |
| permissions | string | stored | JSON array of permission IDs being delegated Example: | Required |
| delegationType | string | enum | Type of delegation Values: Example: | Required |
| reason | string | stored | Explanation for why delegation is needed Example: | Required |
| createdAt | DateTime | stored | When the delegation was created | Required |
| startsAt | DateTime | stored | When delegation becomes active | Required |
| endsAt | DateTime | stored | When delegation expires | Optional |
| scope | string | stored | Specific context or resources the delegation applies to Example: | Optional |
| constraints | string | stored | JSON constraints limiting the delegated permissions Example: | Optional |
| requiresNotification | boolean | stored | Whether to notify delegator when permissions are used | Optional |
| requiresApproval | boolean | stored | Whether delegation needed approval | Optional |
| approvedBy | User | stored | Who approved this delegation | Optional |
| approvedAt | DateTime | stored | When delegation was approved | Optional |
| approvalNotes | string | stored | Comments from approval process | Optional |
| canSubdelegate | boolean | stored | Whether delegate can further delegate these permissions | Optional |
| status | string | enum | Current status of the delegation Values: | Required |
| activatedAt | DateTime | stored | When delegation was actually activated | Optional |
| usageCount | integer | stored | Number of times delegated permissions were used | Optional |
| lastUsedAt | DateTime | stored | Last time delegated permissions were exercised | Optional |
| usageLog | string | stored | JSON array of usage records with timestamps and actions | Optional |
| maxUsage | integer | stored | Maximum times delegation can be used | Optional |
| emergencyAccess | boolean | stored | Whether this is emergency delegation (bypasses some checks) | Optional |
| revokedAt | DateTime | stored | When delegation was revoked early | Optional |
| revokedBy | User | stored | Who revoked the delegation | Optional |
| revokedReason | string | stored | Why delegation was revoked | Optional |
| metadata | object | stored | Additional delegation configuration | Optional |
Examples
Example 1
{
"@type": "DelegatedPermission",
"delegationId": "del_vacation_123",
"delegationType": "partial",
"reason": "Two-week vacation coverage for team management duties",
"permissions": "[\"approve_timesheets\",\"approve_expenses_under_1000\",\"manage_team_calendar\",\"conduct_one_on_ones\"]",
"createdAt": "2024-02-25T10:00:00Z",
"startsAt": "2024-03-01T00:00:00Z",
"endsAt": "2024-03-15T23:59:59Z",
"scope": "team:backend_engineering",
"constraints": "{\"expense_limit\":1000,\"cannot_approve\":[\"salary_changes\",\"promotions\",\"terminations\"]}",
"requiresNotification": true,
"requiresApproval": true,
"approvedBy": "director_engineering",
"approvedAt": "2024-02-26T14:00:00Z",
"approvalNotes": "Approved for standard vacation coverage",
"canSubdelegate": false,
"status": "active",
"activatedAt": "2024-03-01T00:00:00Z",
"usageCount": 8,
"lastUsedAt": "2024-03-08T11:30:00Z",
"metadata": {
"vacation_request_id": "VAC-2024-089",
"original_return_date": "2024-03-15"
}
}Example 2
{
"@type": "DelegatedPermission",
"delegationId": "del_emergency_456",
"delegationType": "emergency",
"reason": "Emergency access for critical production incident while primary admin unreachable",
"permissions": "[\"production_deploy\",\"database_write\",\"configuration_change\",\"service_restart\"]",
"createdAt": "2024-03-15T02:00:00Z",
"startsAt": "2024-03-15T02:00:00Z",
"endsAt": "2024-03-15T06:00:00Z",
"constraints": "{\"services\":[\"api\",\"database\"],\"actions_require_dual_approval\":true}",
"requiresNotification": true,
"requiresApproval": false,
"canSubdelegate": false,
"emergencyAccess": true,
"status": "active",
"activatedAt": "2024-03-15T02:01:00Z",
"usageCount": 3,
"lastUsedAt": "2024-03-15T02:45:00Z",
"usageLog": "[{\"timestamp\":\"2024-03-15T02:15:00Z\",\"action\":\"restart_api_service\"},{\"timestamp\":\"2024-03-15T02:30:00Z\",\"action\":\"update_config\"},{\"timestamp\":\"2024-03-15T02:45:00Z\",\"action\":\"deploy_hotfix\"}]",
"maxUsage": 10,
"metadata": {
"incident_id": "INC-2024-0315",
"escalation_level": "critical",
"on_call_override": true
}
}