Simplify Delegated Access Management and Self-Service

This post is more than a year old. The contents and recommendations in this blog could be outdated.

Delegated access management lets you offer increased flexibility over the services you provide. In this self-service model, your clients can grant rights to their users independently of your interaction, benefiting them and you.

Allowing business customers to handle role management themselves lets them work faster with less of your support. They don't need you to approve individual users on their behalf.

However, granting access is complex, and delegating it needs to be done safely. There are all kinds of pitfalls to worry about if you attempt to do it yourself. Bringing in external expertise is one way to ensure you get it right. In this guide, you'll learn how to simplify delegated access management and self-service.

Why You Need Delegated Access Management and Self-Service

Delegating access management and providing self-service to your clients can help you in several situations. For example, often, you need highly granular role management, with permissions granted for specific projects and specific types of action. If you're working with staff in another organization, you can't easily manage this yourself.

If that organization has to go through your company every time it wants to change someone’s role or the data they have access to, it will take them time and slow their onboarding procedures, ultimately making working with you less attractive.

Delegating access management also helps mitigate insider threats. Farming out permissions may seem like a security risk, but you're really reducing the number of people that deal with any particular set of permissions. In addition, you're giving control to those that use them.

By reducing the amount of communication and the number of people involved, there's less chance for someone to leak information or act maliciously. And as your client base increases, so does the amount of admin involved in communication. The more you can automate or pass off to your clients, the better.

How to Simplify Delegated Access Management and Self-Service with ZITADEL

There are several things to think about, when implementing delegated access management and providing self-service capabilities to your users, including roles and permissions, delegated role management, and service consolidation.

ZITADEL allows you to do all of this and more, handling most of the heavy lifting for you. It makes delegated access management and self service simple. Its APIs integrate with your business processes letting you automate your clients services.

Let's take a more in-depth look at how it can help you:

Roles and Permissions

There are many types of permission users need. In addition to viewing files or other resources, users may be allowed to create or edit documents or delete files. Furthermore, some users are allowed to grant these permissions to others. Any of these permissions can be limited to specific resource sets.

To reduce complexity, permissions are often grouped into roles. Roles are a means of managing user access rights and usually come with a default set of permissions. Instead of figuring out exactly which permissions to give an individual, you can grant them a role instead. Your apps then associate permissions with roles, rather than individuals. Authorizations state which users have which roles and are often referred to as user grants.

Though users are typically human, they can also include machine agents, known as service users. For example, if you use a service to sync databases, the service might access databases on another domain by logging in as a service user.

ZITADEL lets you grant selected roles to an organization. The organization can then create authorizations for its users independently, and this is referred to as self-service.

Delegated Role Management

Delegating role management means you grant another group permission to assign or change roles. You don't need to grant all the permissions you have, but a limited selection allows you to create hierarchical relationships that don't require your involvement to administer.

A simple example of this role delegation would be in blogging software. Everyone has permission to view the blog. Editors get permission to make changes and grant rights to writers. Writers have permission to edit the documents they are assigned by the editors.

In this setup, there's no need to directly set people's individual permissions; you just assign them a role, and everything is taken care of by the software. Without roles, you’d have to select the specific actions available to each staff member.

However, if you're hosting blogging software for someone else, you need to provide them with permission to hand the roles to users. That could look something like the following:

Image showing the relationship between the host company and blogging team, which gets delegated rights to grant users blog access courtesy of James Konik

Here, your client is granted rights to assign user roles and can create as many users as they like without having to go through you. You can grant whatever rights you want, granting more or less control depending on your use case.

Managing Access Providers

There are many services providing authorization and authentication services. It can be hard to manage them all. With ZITADEL, you can enable and configure different services for each organization you work with.

With ZITADEL, you can implement Auth0, OmniAuth, and other kinds of access methods, such as Keycloak, Azure Active Directory (Azure AD), and Google through a single self-service platform.

You can enable single sign-on (SSO), too. SSO lets you access multiple services using a single login. ZITADEL lets you use protocols like OpenID Connect to provide this functionality.

These options make ZITADEL an ideal way to bring your own identity (BYOI) capabilities to your customers. Combining service consolidation with delegate access management like ZITADEL ensures that your users have the flexibility they need when setting up their organization access rules.

Going through ZITADEL takes away the difficulty of managing multiple services, and the consistent interface means your users don't have to figure out all the different login types.

Branding and Experience Customization

When dealing with relationships between multiple organizations, you need to decide how logins are handled. Do you use a default login screen or redirect users to one with a specific organization's branding?

With ZITADEL, you can configure these relationships on a case-by-case basis for different roles and companies. You can also easily create branding and add logos for each client. And of course, you can adjust it all without having to redevelop your site.

ZITADEL's multi-tenancy support means you can sell your services to different companies and deliver the specific features they need. These can be tailored to their needs and perhaps support different service tiers that you offer.

As well as branding, different organizations can then use different rules, such as their password policies and multi-authentication requirements. It's easy to customize these using a centralized service provider.

Benefits of Experience

Without experience in security, it's hard to keep up with the ever-changing technical and regulatory requirements. Given how risky mistakes are, it makes sense to bring in outside help.

Implementing delegated access management and self service is complex. When developing such services, it's easy to overlook this complexity. Many services implement authorization and authentication themselves, but as the scope widens to include delegated access management, this becomes an increasingly bad idea.

For nonspecialists, the chances of making a mistake are significant. The investment and maintenance requirements are also high and easy to underestimate.

By using an experienced service provider to handle these areas, you can focus on business logic and deliver a better product.

Security Dangers

Small mistakes in authentication and authorization services can have dire consequences. Access control, identification, and authentication are all prominent in the Open Web Application Security Project (OWASP) top ten security risks. Hackers are getting ever more sophisticated, and a successful attack can be catastrophic for a business on the receiving end.

To try and prevent attacks as well as develop a secure system in the first place, you have to continually update it as new threats emerge.

You also have to deal with the evolution of your wider platform. Every time you add or change a feature, you risk undermining your existing security measures and opening up a vector of attack.

Using an external service to provide authentication and authorization means you have dedicated experts continually updating their platform to deal with the latest vulnerabilities.

Plugging into a mature system via an API lets you deliver an up-to-date, secure service without the need for continual development investment.

And there are even more issues to think about, including setting up security policies, limiting the impact of DDoS attacks, and configuring the various types of encryption needed to authenticate users. None of these are easy to do.

With authentication and authorization handled for you, your developers are free to focus on your core product. You can concentrate on providing features and evolving your own platform without the added overhead of providing auth to external organizations.


Scaling can create issues, as additional users and support for new platforms put your infrastructure under pressure. ZITADEL supports unlimited users and projects, meaning it won't become a bottleneck.

Simplifying your services through delegated access management means you can use specialized tools to handle authorization and authentication, and these dedicated services can be chosen with scaling in mind.

They also prevent your codebase from getting out of hand as the range of clients, roles, and permissions you handle grows. Carefully partitioning it into a separate service keeps yours leaner and easy to work with.

Additional Features

Login policies are another way to give your clients control. These can be easily defined from ZITADEL's console. Login policies allow you to set authentication methods for your users and can be changed as your clients' needs evolve. They can do that without having to make code changes. You can also do this on an organizational level. For example, a SaaS provider can set different policies.

You can learn more about ZITADEL's feature set on its website.


Access management is a complex topic. Managing permissions and granting access to the right people are enough of a challenge, but the changing security landscape and ever-increasing feature sets make it even harder to keep up.

Fortunately, there are alternatives to doing everything yourself. With the right support, you can provide your clients with self-service capability. In return, they get a wide range of features along with cutting-edge security. They also reduce their costs, letting them focus on what they do best.

ZITADEL is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a GitHub star. We appreciate the feedback.

This article was contributed by James Konik.

Liked it? Share it!