Authorisation
urn:js:virtue:aspire:proposal:20.1
TL;DR
The solution will depend on the chosen Identity Provider (IdP)
OpCo domains should have a one-way trust with Aspire, as there should be no users within Aspire, only groups
Rationale
User authorisation to systems and data should be provided centrally by groups within Aspire
Authorisation should be done via groups, with roles within systems associated with those groups
Users from different companies should have access to the same groups, and not different groups for different companies
Implications
Groups and user access to groups will need to be managed within Aspire
All users should be able to use their native domain credentials to access systems and data within Aspire