When creating a delegated permission, which approach aligns with best practice?

Grouping users for delegated permissions mirrors how access is managed by role. By assigning permissions to an existing group such as Sales, HR, or Marketing, you ensure all current and future members in that role receive the same access automatically. This makes administration scalable, because onboarding, changes, or offboarding affect everyone in the role without touching individual users. It also supports auditability and consistency, since the group defines the access boundary and you can adjust permissions in one place rather than updating many individuals. Using a specific individual’s name binds access to a person, which doesn’t scale and creates maintenance work whenever that person changes roles or leaves. Naming a type of permission describes what level of access you grant, not who receives it, so it doesn’t address who should have it. Combining a group with individual users inside that group introduces exceptions and complexity, undermining consistency and increasing the risk of over- or under-permissioning. So, assigning delegated permissions to an existing group is the best practice because it promotes consistent, scalable, role-based access management.