Delegation of control is when an organizational unit (OU), an object or group in a computer directory, is given a certain amount of control over functions. The control is usually the minimum needed for the task, so the user can only perform the specified task and nothing else. Administrators and people in high positions, such as managers and owners, are given the highest delegation of control, with few restrictions on actions. The control is usually split by department, giving each manager control of a single OU that allows the manager to add or delete users.
An OU is a directory of users and serves several purposes. It allows redundant data, such as two people with the same name but in different departments. This also gives users a way to organize employees and other users in terms of department, employee level and overall delegation of control.
Assigning a delegation of control gives a user a certain amount of administrative power, but this power is the minimal amount needed for the user to complete a task. For example, if a user is assigned to write records, he or she would be given write access to add records. The user would not be given the ability to add new users to the OU or delete users, because these functions are beyond the user’s line of work. Giving extra control can create security problems, which is why only minimal control is granted.
People in higher positions, such as an administrator or manager, are granted a higher delegation of control. The manager is typically granted full control, but only for a group in the OU. This allows the manager to do whatever he or she feels is appropriate for that department, but the manager cannot interfere with other OU groups. Administrators typically have access to all OU groups because, if a technical error occurs or if the manager does not know how to perform a function, the administrator can act in the manager’s place.
The OU is typically split into several departments. This keeps managers and departments separate, so they cannot interfere with one another, but it also grants additional uses. The delegation of control is split into group and user access. This means the entire group will get a certain access level, but the separate users can be granted additional access if deemed necessary. Higher access is typically only granted if the user is promoted or has to perform a task that requires additional access to data.
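The group-plus-user access model described above can be checked mechanically. The following is an added example, not part of the original article: it computes each user's effective rights per OU (group grants plus individual grants) and reports anything beyond what the user's task requires. The OU, group, user and right names are constructed for illustration and do not come from any particular directory product.

```python
from dataclasses import dataclass, field

# Hypothetical right names; "full control" is modelled as all of them.
FULL_CONTROL = frozenset({"read", "write", "add_user", "delete_user"})

@dataclass
class Directory:
    members: dict = field(default_factory=dict)       # user -> set of groups
    group_grants: dict = field(default_factory=dict)  # (group, ou) -> rights
    user_grants: dict = field(default_factory=dict)   # (user, ou) -> rights

    def effective(self, user, ou):
        """Rights a user really holds in an OU: individual plus inherited."""
        rights = set(self.user_grants.get((user, ou), ()))
        for group in self.members.get(user, ()):
            rights |= set(self.group_grants.get((group, ou), ()))
        return rights

def audit(directory, required):
    """Return (user, ou, excess_rights) wherever access exceeds the task.

    required maps user -> {ou: rights needed for that user's job}.
    """
    keys = list(directory.group_grants) + list(directory.user_grants)
    ous = sorted({ou for (_, ou) in keys})
    findings = []
    for user in directory.members:
        for ou in ous:
            needed = set(required.get(user, {}).get(ou, ()))
            excess = directory.effective(user, ou) - needed
            if excess:
                findings.append((user, ou, sorted(excess)))
    return findings

# Constructed sample data: two department OUs, one clerk, one manager, one admin.
DIRECTORY = Directory(
    members={"dana": {"Sales-Clerks"}, "lee": {"Sales-Managers"}, "sam": {"Admins"}},
    group_grants={("Sales-Clerks", "Sales"): {"read", "write"},
                  ("Sales-Managers", "Sales"): FULL_CONTROL,
                  ("Admins", "Sales"): FULL_CONTROL,
                  ("Admins", "Finance"): FULL_CONTROL},
    user_grants={("dana", "Sales"): {"delete_user"},   # extra grant beyond the task
                 ("lee", "Finance"): {"write"}},       # manager reaching into another OU
)
REQUIRED = {"dana": {"Sales": {"read", "write"}},
            "lee": {"Sales": FULL_CONTROL},
            "sam": {"Sales": FULL_CONTROL, "Finance": FULL_CONTROL}}

if __name__ == "__main__":
    for user, ou, excess in audit(DIRECTORY, REQUIRED):
        print(f"{user} has more than the task needs in {ou}: {excess}")
```

The administrator produces no finding because access to every OU is part of that role's stated requirement, while the clerk's individual grant and the manager's cross-department grant are both reported.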