Institutional Groups
Often, access control to a website or application is tied to a person's institutional affiliation, the organizational unit they work in, or a role such as supervisor. In SLAC's IAM infrastructure, these characteristics of each person will be centrally maintained, consistent, and available for applications to consume as required. This will avoid the need to replicate access control datasets based on these centrally defined characteristics and will allow the characteristics to be used wherever desired.
While these institutional attributes can be seen as properties of each individual person, they are often thought of as groups themselves. For example, a group of all SLAC staff members will be formed to serve as the minimum requirement for online timecard entry.
Other types of groups can be formed by combining multiple group memberships for the purposes of access control or compliance. For example, only individuals who both work in a specific directorate and have satisfied the required safety training will be permitted access to a specific application.