Delegated Administration
Delegated administration is a model in which an organization grants a subset of administrative privileges to external partners, resellers, or customer administrators, allowing them to manage users and policies within a defined scope.
Also: delegated admin
Delegated administration allows an organization to assign limited administrative rights to people outside the core operations team. A common scenario is a B2B platform where each business customer has its own administrator who can create, modify, and deactivate user accounts within their organization but cannot see or affect users belonging to other customers.
The scope of delegation is defined by boundaries such as tenant, organizational unit, or role. A delegated administrator might manage user provisioning, reset passwords, assign roles, and configure policies, all within their assigned boundary. They cannot escalate their own privileges or access resources outside their scope.
Implementing delegated administration requires a clear authorization model. Role-based access control is often the starting point, with additional constraints to limit the blast radius of any single administrator’s actions.
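The following Python sketch is an added example, not part of the original glossary entry. It shows one way to combine a role check with a tenant boundary and a privilege ceiling so that a delegated administrator can neither reach other tenants nor escalate. The role names, ranks and action names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role ladder for this example: higher rank = more privilege.
ROLE_RANK = {"member": 1, "manager": 2, "tenant_admin": 3, "platform_admin": 4}
# Constructed set of actions the platform delegates to tenant administrators.
DELEGATED_ACTIONS = {"create_user", "deactivate_user", "reset_password", "assign_role"}

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    role: str

def authorize(actor, action, target, new_role=None):
    """Decide whether `actor` may perform `action` on `target`.

    `target` must be loaded from the user store, so its tenant is the
    server-side value and not one supplied in the request.
    Returns (allowed, reason).
    """
    if actor.role == "platform_admin":
        return True, "platform operator"
    if actor.role != "tenant_admin" or action not in DELEGATED_ACTIONS:
        return False, "action not delegated to this role"
    # Scope boundary: the tenant is the unit of delegation here.
    if target.tenant != actor.tenant:
        return False, "target outside delegated tenant"
    # Unknown target roles fail closed by being treated as highest rank.
    if ROLE_RANK.get(target.role, 99) > ROLE_RANK[actor.role]:
        return False, "target outranks actor"
    if action == "assign_role":
        if new_role not in ROLE_RANK:
            return False, "unknown role"
        if target.user_id == actor.user_id:
            return False, "administrators cannot change their own role"
        # Privilege ceiling: never grant more than the actor holds.
        if ROLE_RANK[new_role] > ROLE_RANK[actor.role]:
            return False, "role exceeds actor's own privileges"
    return True, "within delegated scope"

if __name__ == "__main__":
    admin = Principal("u1", "acme", "tenant_admin")  # constructed sample data
    cases = [
        ("reset_password", Principal("u2", "acme", "member"), None),
        ("reset_password", Principal("u9", "globex", "member"), None),
        ("assign_role", Principal("u2", "acme", "member"), "platform_admin"),
        ("assign_role", admin, "platform_admin"),
    ]
    for action, target, role in cases:
        print(action, target.tenant, role, "->", authorize(admin, action, target, role))
```

Returning the denial reason alongside the decision makes it straightforward to write each rejected request to an audit log.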
For CIAM, delegated administration is a core requirement for B2B and marketplace platforms, enabling customer organizations to self-manage their own users without burdening the platform operator.