One of the most useful aspects of SLAC’s future IAM infrastructure services will be the ability to consistently and securely apply access control policies across the entire lab. Access control can be derived from many criteria, such as a person’s affiliation, role, or organization, or simply membership in a project. The goal for a SLAC access management service is to give delegated administrators across the lab the ability to manage their own group definitions, covering both staff and facility users.
Additionally, group memberships may be combined logically through group rules. This infrastructure will also support the lifecycle of group memberships; for example, a person’s membership in an access control group will periodically have to be revalidated by the group’s administrator.
Since access control isn’t only about people, other types of identities, such as endpoints and service identities, can also be placed under access management.
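The following is an added example, not SLAC’s code, of the group model described above: group rules combined with logical operators, delegated administrators who alone may add or revalidate members, memberships that lapse when not revalidated, and endpoints treated as identities alongside people. The 180-day revalidation period, the group, administrator and identity names, and the access rule are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed revalidation policy (not taken from the page): a membership lapses unless
# the group's administrator reconfirms it within this period.
REVALIDATION_PERIOD = timedelta(days=180)

@dataclass
class Group:
    name: str
    admin: str                                   # delegated administrator
    members: dict = field(default_factory=dict)  # identity -> date last revalidated

    def validate(self, identity: str, by: str, on: date) -> None:
        """Add or revalidate a member (person, endpoint or service); admin only."""
        if by != self.admin:
            raise PermissionError(f"{by} does not administer {self.name}")
        self.members[identity] = on

    def contains(self, identity: str, today: date) -> bool:
        """A membership whose revalidation has lapsed no longer grants access."""
        last = self.members.get(identity)
        return last is not None and today - last <= REVALIDATION_PERIOD

def evaluate(rule, identity: str, groups: dict, today: date) -> bool:
    """Combine groups logically: a rule is a group name or ("all"|"any"|"not", *rules)."""
    if isinstance(rule, str):
        return groups[rule].contains(identity, today)
    op, *args = rule
    if op == "all":
        return all(evaluate(r, identity, groups, today) for r in args)
    if op == "any":
        return any(evaluate(r, identity, groups, today) for r in args)
    if op == "not":
        return not evaluate(args[0], identity, groups, today)
    raise ValueError(f"unknown operator {op!r}")

# Constructed sample directory; group, admin and identity names are illustrative.
TODAY = date(2024, 6, 1)
GROUPS = {g.name: g for g in (Group("staff", admin="hr-admin"),
                               Group("project-x", admin="px-lead"),
                               Group("offboarding", admin="hr-admin"),
                               Group("beamline-endpoints", admin="ops-admin"))}
GROUPS["staff"].validate("alice", by="hr-admin", on=TODAY - timedelta(days=30))
GROUPS["project-x"].validate("bob", by="px-lead", on=TODAY - timedelta(days=200))  # lapsed
GROUPS["beamline-endpoints"].validate("ctrl-host-01", by="ops-admin", on=TODAY)  # an endpoint
# Data resource: staff or project members, but never an identity being offboarded.
DATA_RULE = ("all", ("any", "staff", "project-x"), ("not", "offboarding"))

def can_access(identity: str, rule=DATA_RULE, today: date = TODAY) -> bool:
    return evaluate(rule, identity, GROUPS, today)
```

Bob is denied until his project lead revalidates him, and an endpoint identity is evaluated by exactly the same rules as a person.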