Documenting a third approach to authorisation

[paulmillar]

The document contains a section Authorization (page 11) that describes how there are two different approaches to authorisation: capability-based and group-based.

There is (potentially) a third approach: VO-based authorisation.

It is currently an open question, whether or not it is reasonable to deduce VO membership from the iss claim alone (see #29). If this is deemed reasonable, then a service may identify the agents VO-membership directly from the iss claim. This is significant as the iss claim MUST NOT be suppressed: all tokens contain this information.

If VO-membership is known from the iss claim, would it be reasonable to base authorisation decisions on this information?

Currently the document makes no statement on this possibility, which leads to potential ambiguity on what is correct behaviour.

Assuming #29 is resolved so that it is reasonable to deduce VO membership then the document's Authorization section should be updated to indicate whether VO-membership may be used and how it interacts with the other two authorisation approaches.