Hi Jon,
You'd have to develop a specific plugin for that. You likely have some specific authorization app in mind; but on a more general level, "on behalf" authorization sounds like OAuth2/JWT. In other words: token based authorization, with the actual ACL as part of the claims in the token.
In VerneMQ, all the hooks are there (auth_on_register, auth_on_publish, auth_on_subscribe), but there's no official (ie generic) OAuth2 plugin.
Hope this helps,
André