Only the roles, orgs and services that are explicitly marked as delegable can be delegated. Non-delegable roles are ignored during delegation - the deputy will not receive the privileges given by these roles. The role, org and service contains a
Workflows and Certification
Workflows (midPoint 3.x) and access certification fully support the concept of deputy. The deputies will have access to the workitems that are assigned to their delegators. The deputies can make decisions on these workitems and the decision will advance the workflow (or be recorded in access certification case) as if the delegator made the decision.
The approval schemes and workflow will work well with delegations only if the approvers are defined using the assignment mechanism (available in midPoint 3.5 and later). See Approval page for more details.
Besides providing authorizations to make decisions, deputies will receive mail notifications intended for the delegator reminding him or her that a decision is to be made.
Because the operation of finding all the deputies is currently quite time-consuming, deputy information is not generally shown in the GUI along with approver name. So, if an approval work item is assigned to a user X, it is not displayed that X has (let's say) 3 deputies eligible to approve the given work item.
Deputy delegation are in fact assignments. that have special
deputy relation in their target reference. Unlike most other assignments the target of deputy relation is not a role or org. The target of deputy relation is a user. This makes perfect sense as the delegation is a relation between two users: the delegator and the deputy.