SOLUTION

Delegated Authorization

  • Principled delegation
  • Per‑action constraints
  • Auditable access
Open Quickstart
AA compliant
Visual representation of delegated authorization showing constrained empowerment flow

How it works

Membership models orgs, teams, roles, and delegations. The PDP evaluates each request against these relationships and the applicable policy, and returns a decision.

ARIA: AI Agent Governance (Agent Risk & Identity Authorization)

Identities, delegations, policy bindings, lifecycle, and runtime enforcement: first-class identities with ownership, delegation, and policy enforcement.

ARIA innovation: agents are first-class Identity objects, and risk and identity governance are unified.

1. Identity model: first-class graph objects

All identities (Person, AIAgent, Service) live in Neo4j with consistent governance. Example nodes: :Person (Alice), :AIAgent (Travel Bot), :Service (AITravel SvcP), :Policy (YAML doctrine).

Benefits:
  • Unified identity model
  • Consistent governance
  • Graph traversal = context
  • Discoverable ownership
  • Auditable lineage

2. Relationships: ownership + delegation

Explicit graph edges capture control, delegation, and policy bindings.

A. CONTROLLED_BY (ownership): Agent CONTROLLED_BY Owner
  • Discoverable: who owns this agent?
  • Auditable: all controllers queryable
  • PUT/GET/DELETE via API

B. DELEGATES_TO (consent + scope): Alice DELEGATES_TO Travel Bot (status: active, capabilities: [...])
  • Properties: status, capabilities[], constraints, trust_level, service_id, jkt, expires_at
  • Source of truth for "who can do what on behalf of whom"

C. POLICY_REF (static rules): Agent POLICY_REF budget.yaml
  • Versioned YAML policies (static doctrine)
  • PDP evaluates policy + delegation constraints
  • Emits decisions + obligations → PEP enforces

3. Lifecycle: Registration → Delegation → Verification → Revocation

  1. Register: create Service + Agent instance
  2. Link owner: CONTROLLED_BY relationship
  3. Delegate: DELEGATES_TO + constraints
  4. Verify: active delegation + optional jkt
  5. Revoke: immediate or scheduled expiry

API surface (already available):
  • POST /api/v1/agents/service-principals
  • POST /api/v1/agents/user-bound-agents
  • PUT /api/v1/agents/{id}/control
  • POST /api/v1/delegations (create/verify)
  • POST /api/v1/delegations/{id}/revoke

4. Runtime: ARIA authorization flow (OBO token exchange + policy enforcement)

  1. Agent request: subject = AI Agent, resource = Alice, action = book_flight (OBO token)
  2. PDP evaluation: verify DELEGATES_TO; check constraints; evaluate policy YAML; merge + resolve conflicts
  3. Decision: PERMIT, obligations: [log_access, notify_user]
  4. PEP enforcement: execute action, apply obligations, emit to Kafka → flight booked

Observability:
  • Metrics: verification latency, orphan checks
  • Logs: correlation IDs, decision reasons
  • Events: Kafka for cache invalidation
  • Audit: all delegations fully traceable

ARIA (Agent Risk & Identity Authorization): first-class identities with explicit ownership, delegation, and unified policy enforcement. Enables discoverable ownership, auditable consent, runtime verification, immediate revocation, and full observability.
Delegated authorization for people and agents — identities, relationships, consent/OBO, policy, and enforcement.
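The four PDP evaluation steps of the runtime flow above (verify DELEGATES_TO, check constraints, evaluate policy, merge and resolve conflicts), as an added illustration that is not ARIA's own code: the delegation graph, the parsed policy, the `evaluate` function and the key thumbprint/amount values are all constructed for this example.

```python
# Added example of the four PDP evaluation steps in the ARIA flow above
# (verify DELEGATES_TO, check constraints, evaluate policy, merge/resolve).
# Constructed, not ARIA's code: the graph, policy and request data are made up.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Delegation:                 # a DELEGATES_TO edge: principal -> agent
    principal: str
    agent: str
    status: str                   # "active" or "revoked"
    capabilities: set
    constraints: dict = field(default_factory=dict)
    expires_at: "datetime | None" = None
    jkt: "str | None" = None      # key thumbprint the agent's OBO token must carry

# Constructed graph: Alice DELEGATES_TO Travel Bot, spend capped at 500
GRAPH = [Delegation("alice", "travel-bot", "active", {"book_flight"},
                    {"max_amount": 500}, datetime(2099, 1, 1, tzinfo=timezone.utc), "thumb-1")]
# Constructed policy, as budget.yaml would look once parsed into a dict
POLICY = {"rules": [
    {"action": "book_flight", "effect": "permit", "obligations": ["log_access", "notify_user"]},
    {"action": "book_flight", "effect": "deny", "when": {"destination": "RESTRICTED"}},
]}

def _deny(reason):
    return {"decision": "DENY", "reason": reason, "obligations": []}

def evaluate(subject, resource, action, ctx, jkt=None, now=None):
    """Return an AuthZEN-style decision for `subject` acting on behalf of `resource`."""
    now = now or datetime.now(timezone.utc)
    # 1. verify DELEGATES_TO: active, unexpired, and bound to the presented key if jkt is set
    edge = next((d for d in GRAPH if d.agent == subject and d.principal == resource
                 and d.status == "active" and (d.expires_at is None or d.expires_at > now)), None)
    if edge is None or (edge.jkt and edge.jkt != jkt):
        return _deny("no active delegation for this subject/resource/key")
    # 2. check delegation constraints: the capability and any per-action limits
    if action not in edge.capabilities:
        return _deny(f"capability {action!r} not delegated")
    if ctx.get("amount", 0) > edge.constraints.get("max_amount", float("inf")):
        return _deny("constraint violated: max_amount")
    # 3. evaluate policy rules whose `when` conditions match the request context
    hits = [r for r in POLICY["rules"] if r["action"] == action
            and all(ctx.get(k) == v for k, v in r.get("when", {}).items())]
    # 4. merge and resolve conflicts: deny-overrides, obligations collected from permits
    if not hits or any(r["effect"] == "deny" for r in hits):
        return _deny("policy denies or no applicable rule")
    obligations = sorted({o for r in hits for o in r.get("obligations", [])})
    return {"decision": "PERMIT", "reason": "delegation and policy permit", "obligations": obligations}
```

The returned dict is what a PEP would act on: execute only on PERMIT, then apply the listed obligations and log the reason.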
PDP deep‑dive → Explore Membership →

Standards

  • OpenID AuthZEN decisions with obligations/TTL
  • Token Exchange (RFC 8693) for on‑behalf‑of
  • SCIM for membership synchronization

Learn more

Technical docs

PDP Docs

Marketing site

AuthZEN PDP

Membership

Related reading

PDP Reference