Document pattern of using local group as grantee of consent

[elf-pavlik]

Looking at the familiar diagram

Luis, acting as a trusted grantee of ACME, wants to grant access to members of a local group. Local groups mean that ACME manages the group listing and ACME's authorization agent has access to it. In that case, Luis grants specific access to the ACME RnD group. ACME's authorization agent would record the Access Consent where the group would be the grantee. Then authorization agent would generate an access grant for each member of the group.

TODO

• [ ] Clarify that a local group would only be the grantee on Access/Data Consent.
• [ ] Clarify that generating of Access/Data Grants would need to be re-triggered when group membership changes.
• [ ] Vocab to express group membership
• [ ] Should group listing go as agent registration?

[TallTed]

If possible, I suggest tweaking the "token" line between "Client" and "RS" to have a horizontal segment and a vertical segment, such that it does not cross the "app grant <-> token" line between "Client" and "AS/AA".

[elf-pavlik]

Done ✅ thank you @TallTed

[TallTed]

@elf-pavlik -- I should have suggested this before... If the "ACME RnD" lozenge can move to the right of "SA ACME", then the connection from "EU Kim" to "ACME RnD" can also avoid crossing the line between "EU Luis" and "SA ACME". This will remove the last potentially confusing connector; all should be clear from start-to-finish.

[elf-pavlik]

Done ✅ I think ACME RnD should be somewhere in between Kim and ACME, I was still able to move it a little bit to the top to avoid lines crossing.