Policy delegation in Agen for SaaS enables B2B SaaS providers to give their customers (tenants) the ability to define their own policies within platform-defined boundaries. This is essential for multi-tenant environments where different customers have different governance requirements.
As a platform provider, you define global policies that apply to all tenants. These set the security floor — the minimum governance requirements that every tenant must comply with.
Individual tenants can then create tenant-level policies that add restrictions on top of the global policies. Tenant policies can only be more restrictive than the platform defaults: they cannot override or relax global policies.
| Level | Set by | Scope | Can be overridden? |
|---|---|---|---|
| Global policies | Platform provider (you) | All tenants | No — always enforced |
| Tenant policies | Individual tenant admins | Single tenant | Can add restrictions, cannot relax global policies |
- Global policies are always evaluated first.
- If a global policy denies a request, the request is blocked regardless of tenant policies.
- Tenant policies are evaluated after global policies pass.
- Tenant policies can add deny, step-up, or approval actions for their specific context.
- If no tenant policy matches, the request proceeds (assuming global policies allow it).
To allow tenants to manage their own policies:
- Configure your global policies in the Agen for SaaS control plane.
- Enable tenant-level policy management through your Frontegg portal settings.
- Tenant admins can then create policies scoped to their tenant through the tenant admin interface.
- Set strong global defaults — Define global policies for the most critical security requirements (e.g., blocking destructive operations without approval).
- Document tenant capabilities — Clearly communicate to tenants what they can and cannot configure.
- Monitor tenant policies — Use the monitoring system to track policy creation and enforcement across tenants.
- Test inheritance — Verify that global policies cannot be bypassed by tenant-level configurations.
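To make the evaluation order above and the "test inheritance" practice concrete, here is a small Python model of a two-tier policy engine. It is an added example written for this page, not Agen for SaaS or Frontegg code; the policy names, tool names, request fields and the `step_up`/`approval`/`deny` strictness ranking are constructed assumptions, and the engine enforces the delegation boundary in two places: at registration time (a tenant policy may not carry an `allow` action) and at evaluation time (a global deny returns before tenant policies are consulted).

```python
"""Two-tier policy evaluation model (added example; not Agen for SaaS code)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Strictness ranking: when several policies match, the strictest action wins.
STRICTNESS = {"allow": 0, "step_up": 1, "approval": 2, "deny": 3}
# The delegation boundary: tenants may add restrictions, never relax them.
TENANT_ALLOWED_ACTIONS = {"deny", "step_up", "approval"}


@dataclass
class Policy:
    name: str
    matches: Callable[[dict], bool]   # predicate over a request dict
    action: str                       # key of STRICTNESS


@dataclass
class Decision:
    action: str
    policy: Optional[str]   # name of the deciding policy, None if nothing matched
    level: str              # "global", "tenant" or "default"


class PolicyEngine:
    def __init__(self, global_policies: list[Policy]) -> None:
        self.global_policies = list(global_policies)
        self.tenant_policies: dict[str, list[Policy]] = {}

    def add_tenant_policy(self, tenant_id: str, policy: Policy) -> None:
        """Register a tenant policy, rejecting any that would relax the floor."""
        if policy.action not in TENANT_ALLOWED_ACTIONS:
            raise ValueError(
                f"tenant policy {policy.name!r}: action {policy.action!r} is not allowed; "
                f"tenants may only add {sorted(TENANT_ALLOWED_ACTIONS)}"
            )
        self.tenant_policies.setdefault(tenant_id, []).append(policy)

    def evaluate(self, request: dict) -> Decision:
        # 1. Global policies are always evaluated first; a global deny is final,
        #    so tenant policies are never consulted for it.
        global_hits = [p for p in self.global_policies if p.matches(request)]
        for p in global_hits:
            if p.action == "deny":
                return Decision("deny", p.name, "global")

        # 2. Tenant policies run only after the global policies pass.
        scoped = self.tenant_policies.get(request["tenant_id"], [])
        tenant_hits = [p for p in scoped if p.matches(request)]

        # 3. Nothing matched at either level: the request proceeds.
        candidates = [(p, "global") for p in global_hits] + [(p, "tenant") for p in tenant_hits]
        if not candidates:
            return Decision("allow", None, "default")

        # 4. Otherwise the strictest matching action wins (step-up < approval < deny),
        #    so a tenant can tighten a global step-up to approval but never loosen it.
        policy, level = max(candidates, key=lambda c: STRICTNESS[c[0].action])
        return Decision(policy.action, policy.name, level)


# Constructed sample policies for the demonstration (assumed, not real configuration).
GLOBAL_POLICIES = [
    Policy("block-destructive-prod",
           lambda r: r["tool"] == "delete_database" and r["env"] == "prod", "deny"),
    Policy("approve-bulk-email",
           lambda r: r["tool"] == "send_email" and r.get("recipients", 0) > 1000, "approval"),
]


def build_engine() -> PolicyEngine:
    engine = PolicyEngine(GLOBAL_POLICIES)
    # Tenant "acme" adds a restriction of its own: step-up auth for any email send.
    engine.add_tenant_policy(
        "acme", Policy("acme-email-step-up", lambda r: r["tool"] == "send_email", "step_up"))
    return engine


def inheritance_check(engine: PolicyEngine) -> bool:
    """The 'test inheritance' practice: a global deny must survive any tenant policy."""
    request = {"tenant_id": "acme", "tool": "delete_database", "env": "prod"}
    # A tenant policy matching the same request cannot change the outcome: it may
    # only add deny/step-up/approval, and the global deny is already final.
    engine.add_tenant_policy("acme", Policy("acme-noop", lambda r: True, "step_up"))
    return engine.evaluate(request) == Decision("deny", "block-destructive-prod", "global")


if __name__ == "__main__":
    eng = build_engine()
    for req in [
        {"tenant_id": "acme", "tool": "delete_database", "env": "prod"},
        {"tenant_id": "acme", "tool": "send_email", "env": "prod", "recipients": 10},
        {"tenant_id": "acme", "tool": "send_email", "env": "prod", "recipients": 5000},
        {"tenant_id": "globex", "tool": "send_email", "env": "prod", "recipients": 10},
    ]:
        print(req["tenant_id"], req["tool"], "->", eng.evaluate(req))
    print("inheritance check passed:", inheritance_check(eng))
```

Running the script shows the four outcomes from the evaluation rules: the destructive production call is denied at the global level before tenant policies run, a small email send for `acme` picks up the tenant's step-up, a bulk send for `acme` escalates to the stricter global approval requirement, and the same small send for a tenant with no policies of its own proceeds. The `inheritance_check` function is the kind of regression test worth keeping in a platform's CI so that no change to tenant policy handling can silently weaken the global floor.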