Abstract: A method and system for generating permissions policies and permission boundary policies are described. The system receives a first request from a central administrator to create a delegated administrator, the first request specifying with one or more access permissions. The system generates a permission boundary policy that specifies the one or more access permissions and a first permissions policy that grants permissions to the delegated administrator to at least one of create an IAM principal with the permission boundary policy or attach a second permissions policy to the IAM principal. An effective permission given to the IAM principal is an intersection of access permissions specified in the first permissions policy and the one or more access permissions in the permission boundary policy. The system attaches the first permissions policy and the permission boundary policy to the delegated administrator.