## Policy delegation

Policy delegation in Agen for SaaS enables B2B SaaS providers to give their customers (tenants) the ability to define their own policies within platform-defined boundaries. This is essential for multi-tenant environments where different customers have different governance requirements.

### How delegation works

As a platform provider, you define **global policies** that apply to all tenants. These set the security floor — the minimum governance requirements that every tenant must comply with.

Individual tenants can then create **tenant-level policies** that add additional restrictions on top of the global policies. Tenant policies can only be more restrictive than the platform defaults — they cannot override or relax global policies.

### Policy hierarchy

| Level | Set by | Scope | Can be overridden? |
| --- | --- | --- | --- |
| **Global policies** | Platform provider (you) | All tenants | No — always enforced |
| **Tenant policies** | Individual tenant admins | Single tenant | Can add restrictions, cannot relax global policies |

### Inheritance rules

- Global policies are always evaluated first.
- If a global policy denies a request, the request is blocked regardless of tenant policies.
- Tenant policies are evaluated after global policies pass.
- Tenant policies can add deny, step-up, or approval actions for their specific context.
- If no tenant policy matches, the request proceeds (assuming global policies allow it).

### Enabling policy delegation

To allow tenants to manage their own policies:

1. Configure your global policies in the Agen for SaaS control plane.
2. Enable tenant-level policy management through your Frontegg portal settings.
3. Tenant admins can then create policies scoped to their tenant through the tenant admin interface.

### Best practices

- **Set strong global defaults** — Define global policies for the most critical security requirements (e.g., blocking destructive operations without approval).
- **Document tenant capabilities** — Clearly communicate to tenants what they can and cannot configure.
- **Monitor tenant policies** — Use the monitoring system to track policy creation and enforcement across tenants.
- **Test inheritance** — Verify that global policies cannot be bypassed by tenant-level configurations.

### Related topics

- [Policies overview](/agen-for-saas/policies/overview)
- [Creating policies](/agen-for-saas/policies/creating-policies)
- [Access control](/agen-for-saas/access-control/overview)
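
The inheritance rules and the "Test inheritance" practice above, modeled as an added example; this is not Agen for SaaS code or its API. The `Policy` shape, the action strings, the ordering of step-up below approval, and default allow when no global policy matches are all assumptions.

```python
# Illustrative model of the inheritance rules; not Agen for SaaS code.
# Assumed: Policy shape, action strings, severity order, default allow.
from dataclasses import dataclass
from typing import Callable

SEVERITY = {"allow": 0, "step-up": 1, "approval": 2, "deny": 3}

@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[dict], bool]
    action: str

def strictest(policies, request):
    """Most restrictive action among matching policies, or None if none match."""
    actions = [p.action for p in policies if p.matches(request)]
    return max(actions, key=SEVERITY.__getitem__) if actions else None

def evaluate(global_policies, tenant_policies, request):
    # Global policies are evaluated first; a global deny is final.
    global_action = strictest(global_policies, request) or "allow"
    if global_action == "deny":
        return "deny"
    # Tenant policies run only after global policies pass.
    tenant_action = strictest(tenant_policies, request)
    if tenant_action is None:
        return global_action  # no tenant match: proceed as globally decided
    # A tenant result may tighten the outcome but never relax it.
    return max(global_action, tenant_action, key=SEVERITY.__getitem__)

def relaxations(global_policies, tenant_policies, requests):
    """Requests whose outcome got weaker once tenant policies were added."""
    return [r for r in requests
            if SEVERITY[evaluate(global_policies, tenant_policies, r)]
            < SEVERITY[evaluate(global_policies, [], r)]]

# Constructed sample policies and requests.
GLOBAL = [
    Policy("block-delete", lambda r: r["op"] == "delete", "deny"),
    Policy("export-approval", lambda r: r["op"] == "export", "approval"),
]
TENANT = [
    Policy("relax-delete", lambda r: r["op"] == "delete", "allow"),
    Policy("relax-export", lambda r: r["op"] == "export", "step-up"),
    Policy("step-up-write", lambda r: r["op"] == "write", "step-up"),
]
REQUESTS = [{"op": op} for op in ("delete", "export", "write", "read")]
```

A non-empty result from `relaxations` means a tenant configuration weakened a global decision, which is the condition an inheritance test should fail on.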