Delegation Chains
Delegation chains track how permissions flow from users to agents in AI workflows.
What is Delegation?
When a user asks an AI agent to perform a task, they're delegating authority to that agent. The agent might further delegate to sub-agents or tools, creating a chain of trust.
User "Alice" delegates to → Agent "Coordinator"
delegates to → Agent "Research Bot"
delegates to → Tool "Web Search"
Why Delegation Matters
1. Permission Boundaries
Agents can only perform actions within their delegated scope:
Alice can: read finance documents, write reports
Alice delegates to Research Agent
Research Agent can: read finance documents, write reports (inherited)
Research Agent cannot: delete documents (not delegated)
2. Audit Trail
Delegation chains provide accountability:
Who authorized the web search?
→ Tool was called by Research Agent
→ Research Agent was delegated by Coordinator
→ Coordinator was started by Alice
Answer: Alice authorized this action
3. Scope Control
Prevent permission escalation:
Alice (finance, read-only) delegates to Agent
Agent cannot gain write permissions
Agent cannot access non-finance resources
Delegation Chain Structure
{
"delegation_chain": [
{
"from": "User::\"alice\"",
"to": "Agent::\"coordinator\"",
"scope": ["read", "write"],
"resources": ["Document::*"],
"timestamp": "2024-01-15T10:00:00Z"
},
{
"from": "Agent::\"coordinator\"",
"to": "Agent::\"research-bot\"",
"scope": ["read"],
"resources": ["Document::finance-*"],
"timestamp": "2024-01-15T10:00:05Z"
}
]
}
Delegation Policies
Allow Delegation
permit(
principal is User,
action == Action::"delegate",
resource is Agent
) when {
// Users can delegate to agents they own
resource in principal.owned_agents
};
Restrict Delegation Depth
forbid(
principal is Agent,
action == Action::"delegate",
resource is Agent
) when {
// No more than 3 levels of delegation
context.delegation_chain.length >= 3
};
Scope Reduction
permit(
principal is Agent,
action == Action::"delegate",
resource is Agent
) when {
// Agent can only delegate permissions it has
context.requested_scope.isSubsetOf(principal.permissions) &&
// Cannot delegate more than it received
context.requested_scope.isSubsetOf(context.delegation_chain[-1].scope)
};
Validating Delegation Chains
WL-APDP validates delegation chains during authorization:
1. Chain Integrity
Each link in the chain is verified:
For each delegation link:
- Did "from" have permission to delegate?
- Was "to" an authorized delegate?
- Is the scope within the delegator's permissions?
2. Scope Verification
Permissions cannot escalate through delegation:
Alice's permissions: [read, write] on Documents
Coordinator's delegated scope: [read] on Documents
Research Bot's delegated scope: [read] on finance-Documents only
Research Bot request: write to Document
→ DENIED: write not in delegated scope
3. Temporal Validation
Delegation must be valid at the time of the request:
Delegation created: 2024-01-15T10:00:00Z
Delegation expires: 2024-01-15T12:00:00Z
Request time: 2024-01-15T14:00:00Z
→ DENIED: Delegation expired
Authorization Request with Delegation
{
"principal": "Agent::\"research-bot\"",
"action": "Action::\"read\"",
"resource": "Document::\"finance-report-q4\"",
"context": {
"intent": "summarize financial data",
"goal": "quarterly report preparation",
"delegation_chain": [
{
"from": "User::\"alice\"",
"to": "Agent::\"coordinator\"",
"scope": ["read", "write"],
"resources": ["Document::finance-*"]
},
{
"from": "Agent::\"coordinator\"",
"to": "Agent::\"research-bot\"",
"scope": ["read"],
"resources": ["Document::finance-*"]
}
]
}
}
Response with Delegation Info
{
"decision": "allow",
"reasons": [
{
"policy_id": "delegated-agent-access",
"description": "Agent has valid delegation from authorized user"
}
],
"delegation_validation": {
"chain_valid": true,
"chain_length": 2,
"root_principal": "User::\"alice\"",
"effective_scope": ["read"],
"effective_resources": ["Document::finance-*"]
}
}
Best Practices
1. Minimize Delegation Depth
// Warn on deep chains
permit(...) when {
context.delegation_chain.length <= 3
};
2. Time-Limit Delegations
{
"delegation": {
"from": "User::\"alice\"",
"to": "Agent::\"assistant\"",
"expires_at": "2024-01-15T18:00:00Z"
}
}
3. Scope Minimization
Delegate only necessary permissions:
{
"delegation": {
"scope": ["read"], // Not ["read", "write", "delete"]
"resources": ["Document::project-x-*"] // Not all documents
}
}
4. Audit Delegation Events
Log all delegation creations and uses:
{
"event": "delegation_created",
"from": "User::\"alice\"",
"to": "Agent::\"assistant\"",
"scope": ["read"],
"timestamp": "2024-01-15T10:00:00Z"
}
5. Require Human-in-Chain for Sensitive Operations
forbid(
principal is Agent,
action == Action::"delete",
resource is SensitiveData
) when {
// Must have direct human delegation (depth 1)
context.delegation_chain.length > 1
};
SDK Support
Python SDK
from wl_apdp import WatchlightClient, DelegationChain
client = WatchlightClient("http://localhost:8081")
# Create delegation
delegation = client.create_delegation(
from_principal="User::\"alice\"",
to_principal="Agent::\"assistant\"",
scope=["read", "write"],
resources=["Document::project-*"],
expires_in_hours=8
)
# Authorize with delegation chain
result = client.authorize(
principal="Agent::\"assistant\"",
action="read",
resource="Document::project-readme",
delegation_chain=[delegation]
)
CrewAI Integration
from crewai import Agent, Task
from wl_apdp.crewai import AuthorizedAgent
# Agent automatically includes delegation chain
agent = AuthorizedAgent(
name="Research Agent",
delegated_by="User::\"alice\"",
delegated_scope=["read", "execute"]
)
Troubleshooting
"Invalid delegation chain"
Check that:
- Each link has valid
fromandtoprincipals - The scope at each level is a subset of the previous
- No link is expired
- The chain doesn't exceed maximum depth
"Scope exceeded"
The requested action exceeds the delegated scope:
Delegated: [read]
Requested: write
→ DENIED: write not in delegated scope
"Chain broken"
A delegation link is missing or invalid:
Link 1: Alice → Coordinator ✓
Link 2: ??? → Research Bot ✗
Ensure complete chain from root user to acting agent.