Skip to main content

Authority to act for another Entity

This guidance describes how authorities to act are represented as relationships and how these can be verified.

Help us create the best guidance possible

If you would like anything added to or clarified in this guidance, email the Identification Management team at identity@dia.govt.nz.

Introduction

There are many times when 1 Entity needs to act on behalf of another Entity.

It is most common when interacting with non-human Entities such as organisations and animals. It is also needed between people — such as when caring for children or those who are unable to do things for themselves.

This guidance describes how authorities to act are based on relationships between Entities and the powers that those relationships might grant.

Find definitions for key terms used in this guidance — Identification terminology.

This guidance will evolve and expand over time to meet the needs of readers and is part of the wider Identification Standards.

Relationships between Entities

The authority to act for another is based on a relationship made up between 2 Entities that are linked by a role.

The relationship also has a direction. If the direction was reversed, the nature of the relationship and the role would change.

Diagram 1: The relationship between 2 Entities

Detailed description of diagram 1

This diagram shows the relationship between 2 Entities, the role that indicates the nature of the relationship and the direction of the relationship. Entity 1 has the authority to act for Entity 2.

Agent is an alternative term for those in the position of Entity 1. Subject is the alternative term for those in the Entity 2 position.

Examples of Entity relationships and their roles

  • Mrs Smith (Entity 1) is a Parent (role) of Jimmy (Entity 2)
  • Apec Trading Company (Entity 1) is an Employer (role) of Joe (Entity 2)

If the Entities were reversed the roles would need to change too. Parent would become Child and Employer would become Employee.

Organisations need to determine how to record the relationships between Entities, in the organisation’s context.

A role can have the same title in multiple contexts, but the definitions and rules related to the role in each of those contexts, can be different.

Types of authority to act

There are 2 types of authority to act:

  • role-based authority
  • delegated authority.

These 2 types indicate the basis by which roles and the relationship between 2 Entities might be established.

Role-based authority

Role-based authority describes situations where the ability to act on behalf of an Entity is granted through holding a particular role in relation to that Entity. The authority is generally the same for all Entities that hold the role, in a context.

These roles and the powers they grant are usually stated in legislation or policy and will also be context specific. For example — parent will have a different meaning and powers in the contexts of birth registration, health and finance.

Examples of role-based authorities

  • Mrs Smith is a Guardian of Jimmy
  • John is a Treasurer of Acme Sports Club
  • Mr Jones is a Director of Apex Trading Company
  • Joe is an Employee of Apex Trading Company
  • Sammy is an Owner of Fido the Dog
  • John is a Trustee of The Acme Property Trust
  • Mr Jones is an Attorney of Jane
  • Sammy is an Owner of 1 Smith St

Delegated authority

Delegated authority describes situations where Entity 2 grants powers to Entity 1 — to carry out activities that are within the limit of powers held by Entity 2. Entity 2 cannot grant any more powers than they hold themselves.

Delegated authority is most common in a work context where a manager delegates some or all of their powers to another staff member. This can also occur in other contexts.

The context and system capability will impact the ability for an organisation to facilitate users (such as customers), to delegate their powers to another in this way.

Examples of delegated authorities

  • John is a Delegate of Sally, his sister
  • Mary is a Delegate of Mr Jones, the Director of the Apex Trading Company

Verifying an authority to act

The 2 types of authority to act have completely different approaches to the verification process.

Verifying role-based authorities

There are formal and informal role-based authorities and the evidence for these can take many forms. The evidence for verifying each relationship needs to cover the 2 Entities, the role and the direction. This is regardless of the form the evidence takes.

If evidence is available, it is most likely to only provide information assurance. Other processes will be needed to bind the information to the correct Entities.

The following are some common aspects of evidence and verification.

Internal employee policy

Internal organisation roles are set by each organisation through their policies and business rules. It’s best when these rules are well defined and documented for the context.

The roles someone holds in an organisation, will be:

  • determined through the hiring process
  • governed by the human resources function in partnership with the employee’s line management.

The internal policy will determine how roles and relationships are verified and who does this.

Legislation

Many role-based authorities are defined in legislation but the legislation itself:

  • is not evidence of a relationship
  • only defines the roles and powers of the relationship.

The challenge this brings include:

  • evidence for verification is not always available
  • role titles and their powers are not unique or consistent across contexts and legislation.

Care needs to be taken when accepting evidence of a relationship, as this will be based on the definition or understanding of a role in the context of the source of that evidence. Refer to Legal Instruments below, for more information about this.

Examples of roles and evidence
  • Parent in a birth certificate, some passports
  • Child in a birth certificate, birth register
  • Director in a certificate of incorporation, companies register
  • Owner in a certificate of title, land information register
  • Shareholder in a share certificate
  • Trustee in a trust deed
  • Treasurer in the minutes of an annual general meeting
  • Attorney in a power of attorney
  • Executor in a will

Legal instruments

Legal instruments (like trust deeds, powers of attorney, wills and probate) are a useful form of evidence for establishing relationships because they:

  • are often designed for this purpose
  • contain the role and direction of the relationship and often the powers too.

Statutory declarations can also be used when there is no other formal way to establish a relationship between 2 Entities. For example — whāngai and other cultural adoptions.

To assess the level of assurance for both the accuracy and quality of evidence, apply the Information Assurance Standard.

Information Assurance Standard

Some translation can be required to put the powers of the authority into operation within the organisation’s systems.

Statements by third parties

A corroborating statement from a trusted third party may be the only evidence for many relationships — especially informal ones.

When using trusted third parties for evidence of relationships, the statement is more complex than for a single attribute.

The trusted third party needs to make it clear which aspects of the relationship they are making the statement about.

It could take more than 1 trusted third party to establish the relationship to the level of assurance that the organisation is willing to accept.

Information on accepting statements by trusted third parties as evidence and the levels of assurance this provides is covered in the guidance on Implementing the Information Assurance Standard.

Implementing the Information Assurance Standard

Verifying delegated authorities

In a delegated authority the Entity that owns the powers provides authority.

The authentication process is used to access the function to set up the delegation. The successful passing of the authentication process is the basis for verifying that the Subject is authorised to delegate these powers to another Entity.

The authority is only able to be given within the capacity of the organisation’s systems.

To make the delegation of authority process more robust, there should also be a step for the delegated Entity to acknowledge and accept the authority and powers they’ve been given.

Other considerations

There are other things to consider when implementing authorities to act.

  • Does the Entity in the real world connect to the Entity in the relationship — especially if the names used are not the same?
  • Is the authority still current or has it been superseded or cancelled?
  • Are the delegated authorities still relevant or wanted? Check with the Subject.
  • When an Entity is no longer current, make sure authorities to act that are held or given have been deactivated or removed. For example, the Entity is deceased, decommissioned or no longer a party to the organisation.

Authorities to Act and access management

Relationships need to be recorded appropriately. This information can be a core component of an access management system.

Being able to utilise the roles and relationships and then apply the authority as business rules can automate the access to resources.

Diagram 2 shows a conceptual view of how roles and relationships can inform other systems within a context.

Diagram 2: Relationships and access management

Detailed description of diagram 2

This diagram has 2 physical Entities which sit outside of the context. The relationship between the 2 Entities exists both in the real world and inside the context.

The Entities:

  • are represented by information records that are stored in databases
  • use an authenticator to access the context
  • are connected by a directional relationship and role.

The mechanism that runs the access management system uses the stored information about the Entities, their roles and relationships to determine the Entities’ access rights and authorisation to the various services and transactions.

In the case of an authority to act, this access can include the ability to do transactions or access services on behalf of another Entity with whom they have a relationship.

Both Entities need to have an Entity Information record, even if the Entity with the authority to act is not interacting with the organisation as a Subject.

Related advice

The following resources are also related to this topic.

Contact

Department of Internal Affairs Te Tari Taiwhenua

Email: identity@dia.govt.nz

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated