What is the best practice when creating a delegated permission?

Delegated permissions are best managed at the group level because it keeps access scalable, consistent, and easy to maintain. By assigning a delegated permission to an existing group such as Sales, HR, or Marketing, you ensure that all current and future members of that group inherit the same access rights without touching each user individually. When people join or leave the group, their access automatically updates through group membership, which reduces admin overhead and helps keep security consistent across the organization. Choosing a specific individual ties access to one person and becomes a maintenance burden as roles change or staff turnover occurs. Defining a type of permission without assigning it to a group or users doesn’t actually grant access to anyone, only describes a capability. Mixing a group with specific individuals adds complexity and can lead to inconsistent permission persistence. Using existing groups provides a clean, scalable way to delegate permissions across teams.