Operational Authority
The system responsibility for deciding whether a proposed state transition is valid, permitted and safe to execute now.
Owning a table is not the same as owning a decision. A database may hold the record of an issue, an invoice or an account while the real rules about what may happen to it sit in a web screen, a batch job or someone else’s integration. In that arrangement the system stores the outcome, but it does not reliably express the authority behind it.
Operational authority is the responsibility to validate and execute a state transition. It belongs to the capability that can see current truth and is accountable for the resulting change.
What the authority must decide
Before accepting a proposed action, an operational authority may need to check the current state, the requester’s permissions, delegated authority, relevant policy, business invariants, required evidence and the possibility that another request has changed the state since the proposal was formed. These are not all validation rules in the narrow sense. Together they answer a more important question: may this action happen now?
That is why the authority must re-read state at execution time. A consumer may have been working from a perfectly reasonable view of the world that is now stale. Treating its view as decisive turns a read model into an accidental write authority.
A capability, not a channel
The authority need not be implemented in one technology. It may be expressed through database logic, a domain package, a workflow engine or a policy component. The architectural constraint is not where a particular line of code runs. It is that the decision is centralised within the responsible capability rather than reconstructed by every consumer.
For a resolution request, the authority might confirm that the issue exists, is in a resolvable state, has the required evidence, is not subject to a hold and has been requested by someone entitled to do so. If any condition fails, it returns a defined outcome. If they pass, it makes the state change and records the decision.
This is the difference between an API that accepts an update and one that represents what the organisation can safely do. The governed action is the public expression of that authority.