A common scenario in the research community is a professor (perhaps with a grant or two) who wants to provide members of her research project team with access to a set of resources. The standard way to do this today is for the professor or a system administrator supporting the professor to create accounts, credentials and permissions on each of the computational resources associated with the project team. In addition, she might create an email list or alias that team members can use to communicate with one another, she might also provision a blog or wiki to support the research group.
The time spent administering all this is time lost to research work. Our collaboration support infrastructure should enable the professor or her support staff to create a group identity for the research project team, add and remove individuals to/from the team, and perhaps add new people to those known to the University's identity management system. If support for federated identity and access management is in place and aligned with the US higher education identity federation, InCommon, then individuals from other universities belonging to InCommon can be added to the virtual research organization.
Once the group has a digital identity, it becomes possible to control access to any number of resources by having the policy enforcement point for each resource check whether the individual seeking access is a member of the relevant group. Alternatively, all the individuals in the group could be given accounts or file space or wiki privileges via a provisioning mode in which an automated process performs the necessary system administration tasks given a list of digital identities for the individuals in a group.