as a group at SLAC consider cost and benefits to handle multiple identity/role principals (use of some existing Kerberos tools that are gssapi enable to permit action, or leverage Auristor's means of having multiply identity/role tokens, and even negation in cases warranted (this at base is going to lean on the pts service.)