...
Importantly, a token does not inherit the permissions of its proxy user; it is given its own set of permissions, which may be more restrictive than those held by the proxy user. This allows compartmentalisation of access, with a user potentially using multiple tokens that each have different access levels if required. Note, however, that a token is affected by ACLs as if it were its proxy user, so if your project uses custom ACLs to grant access, all of a user’s tokens will be able to access those same locations.
Secure identity tokens can be further restricted to a specified access application. This is most often used to restrict access to the Mediaflux Unimelb Command-Line Clients.
...