Invalid delegations are not silently changed or removed. Instead, Aptly preserves the record (and the pathway chain) and clearly flags what is broken so administrators can decide whether to update, reissue, revoke, or realign downstream delegations.

What does “Invalid” mean in Aptly?

A delegation is considered invalid when one or more critical components required to support it are no longer valid. Aptly flags invalidity at the component level using one or more Alerts:

• Invalid Recipient
• Invalid Issuer
• Invalid Pathway
• Invalid Authority
• Invalid Groups

Each alert includes an explanation of what caused the invalid state and what actions can resolve it.

Why Aptly uses invalid alerts (instead of silently changing delegations)

In large enterprises, authority data changes frequently (job changes, reorganizations, policy updates, reporting line changes, directory sync updates). Silently rewriting downstream delegations can create governance and audit risk. Aptly instead:

1. Preserves the delegation record and chain
2. Flags what is no longer valid
3. Guides remediation (update, replace, align, reissue)
4. Applies guardrails to prevent the chain from becoming more inconsistent

Delegation pathways and why they matter

Delegation pathways define recipient eligibility rules. Pathways are set at the Decision level and may be restricted by parent delegations. Aptly supports:

• Matrix: authority can be redelegated broadly (no pathway restriction).
• Functional: redelegation is restricted based on department alignment.
• Direct Line: redelegation is restricted by a reporting line (manager hierarchy).
• Down-line: a fourth pathway type supported by Aptly to enforce additional downstream eligibility constraints in applicable scenarios (tenant configuration determines exact enforcement behavior).

If multiple pathways are selected, the effective eligibility can be more permissive (for example, Matrix allows broad eligibility even if other pathways are also enabled).

What triggers delegations to become invalid?

Invalid alerts are triggered when a delegation no longer aligns with its Decision, its parent/source delegation, tenant settings, or underlying user/position/group data. Below are the most common triggers by alert type.

Invalid Recipient triggers

• Personnel-in-Position mismatch: the recipient was issued authority as “Personnel in Position” but no longer holds the required position.
• Functional pathway mismatch: a department change/removal causes a recipient to no longer qualify under Functional restrictions.
• Direct Line / Down-line mismatch: manager/reporting-line changes cause a recipient to no longer qualify under Direct Line or Down-line restrictions.

Invalid Issuer triggers

• Issuer authority is no longer valid: issuer was removed from the source delegation or the source delegation was revoked.
• Issuer position mismatch: issuer’s supporting authority depended on a position relationship that no longer exists.
• Downstream cascade: when a recipient becomes invalid and that recipient issued redelegations, Aptly may flag the issuer on those child redelegations as invalid.

Invalid Pathway triggers

• A pathway option (Functional, Direct Line, Down-line) was removed from the source Decision or parent/source Delegation.
• A user edited and saved a delegation where a pathway option was already invalid, resulting in the invalid option being removed.

Invalid Authority triggers

• An Authority Type was removed from the source Decision or parent delegation but remains configured on a child delegation.
• An authority value no longer fits within allowed parameters due to upstream changes.
• Redelegation constraints changed upstream and the child delegation now conflicts with allowed values.

Invalid Groups triggers

• A group is removed from a source Decision or parent delegation but remains on a child delegation.
• A group type is disabled and associations are removed (or underlying group data changes), causing the child delegation to retain a group value that is no longer valid.

Downstream cascade behavior for pathway restrictions

Aptly performs downstream integrity checks when upstream changes could invalidate child delegations. The following scenarios are especially important:

Case 1: Removal of a pathway option upstream

If a pathway option is removed from a source Decision or parent delegation, Aptly evaluates child delegations and flags recipients invalid where they no longer qualify. If any of those recipients issued redelegations, Aptly may also flag issuers invalid on those redelegations.

Case 2: Functional pathway operations (department alignment)

• If a user or position’s department changes or is removed, Aptly evaluates impacted delegations and flags recipients invalid where they no longer qualify.
• If a group type is disabled with Keep Associations, historical associations remain and typically do not invalidate recipients.
• If a group type is disabled with Remove Associations, Aptly re-evaluates impacted delegations and flags invalid recipients where applicable.

Case 3: Direct Line / Down-line operations (manager/reporting line)

• If a user’s manager is changed or removed, Aptly re-evaluates delegations and flags recipients invalid where applicable.
• If a manager is deleted (for example, via SCIM) or deactivated, Aptly re-evaluates delegations and flags recipients invalid where applicable.

How to find invalid delegations

1) Use Alerts filtering in the Delegations list

1. Go to Delegations.
2. Open Filters.
3. Use the Alerts filter to select one or more alert types (Invalid Recipient, Invalid Issuer, Invalid Pathway, Invalid Authority, Invalid Groups).

IMAGE TO INSERT: Delegations list showing Filters → Alerts with the alert type checkboxes.

2) Narrow results to your scope

You can combine Alerts with group filters (Organizations, Locations, Departments, and custom group types) to focus on delegations within the areas you manage.

IMAGE TO INSERT: Delegations filters showing both Alerts and a Group filter applied (e.g., Organization = ProxyComm North America).

3) Open a delegation and review the inline indicators

Within the delegation detail view, Aptly shows exactly which component is invalid (Issuer, Recipient, Pathway, Authority, Groups). Hover tooltips provide the cause and recommended remediation.

How to resolve each invalid alert type

Resolve: Invalid Recipient

A common cause is a position mismatch (Personnel-in-Position delegations) where the user no longer holds the required position.

1. Open the invalid delegation and click Edit.
2. Go to Recipient and update the invalid recipient:
   • Replace with a valid user (often the new person holding the intended position), or
   • Change the recipient selection (if permitted by tenant settings), or
   • Remove the invalid recipient, or
   • Revoke the delegation if it should no longer exist.
3. Click Issue Delegation to save and reissue.

What to expect: when you open edit mode, Aptly may auto-clear invalid recipients from the selectable pool. If you click Cancel, the delegation remains unchanged and still shows invalid until you reissue with a valid recipient.

IMAGE TO INSERT: Delegation edit screen where the recipient field auto-clears an invalid user (and the user selects a replacement recipient).

Resolve: Invalid Issuer

Invalid issuer commonly occurs when the issuer no longer has valid authority to support the delegation (e.g., removed from source delegation or source revoked).

1. Open the invalid delegation and click Edit.
2. Update the Issuer to a valid issuer who holds authority to issue that delegation.
3. Click Issue Delegation to save and reissue.

IMAGE TO INSERT: Invalid issuer tooltip showing the reason (removed from source delegation / source revoked), plus the edit issuer flow.

Resolve: Invalid Pathway

Invalid pathway occurs when a delegation has a pathway option that is no longer allowed based on the source Decision or parent delegation.

1. Open the delegation and click Edit.
2. Go to Delegation Pathway.
3. Select only pathway options that are currently valid under the source Decision/parent delegation.
4. Click Issue Delegation to reissue.

Tip: If the pathway should still be allowed, first update the source Decision or parent delegation to include the pathway again, then return to the child delegation and reissue.

Resolve: Invalid Authority

Invalid authority occurs when an authority type on a child delegation is no longer valid under the source Decision or parent delegation (for example, Approval removed upstream but remains on a child).

1. Open the delegation and click Edit.
2. In Authorities, replace or adjust the invalid authority:
   • Select a valid authority type, and/or
   • Adjust the value to a valid limit.
3. Click Issue Delegation to reissue.

What to expect: Aptly will prevent saving until the invalid authority is replaced with a valid authority configuration.

Resolve: Invalid Groups

Invalid groups occur when a delegation references groups that are no longer valid or no longer permitted under the source Decision or parent delegation.

1. Open the delegation and click Edit.
2. Update the Groups field to remove invalid groups and keep only valid selections.
3. Click Issue Delegation to reissue.

What to expect: Aptly may auto-remove invalid group selections when you enter edit mode. If you cancel, the invalid groups remain until you reissue with valid group selections.

Guardrails: Authority limit reductions

To preserve hierarchy integrity, Aptly restricts updates that would cause a parent authority limit to be lower than an existing child delegation limit for the same authority type.

• If you attempt to reduce an authority limit on a Decision or Delegation below what any child delegation currently holds for that authority type, the update is blocked and a message is displayed.
• Exception: this restriction is ignored if a child delegation authority value was set by a user with the relevant override permission.

IMAGE TO INSERT: The notification/error message displayed when attempting to reduce a parent limit below an existing child limit.

Operational notes

• Invalid alerts are review indicators. They preserve auditability and chain traceability.
• Invalid alerts typically do not change the delegation’s status automatically (for example, they are not revoked solely because they are invalid).
• Depending on tenant settings and role permissions, Aptly may restrict downstream actions such as redelegation while invalid issues exist.
• Upstream changes may present a confirmation warning indicating how many child delegations will be flagged invalid for review.