[mswehli]

Depends on where the permissions logic is stored, but to add information such as the example of can user a access the data of company x, then the IAM provider has to make a call back to the service where this information is stored. Its unlikely you'd want to store logic like that within the IAM provider, nor is it necessarily possible. But if you are relying on the IAM provider for user permissions, then you still have the bottleneck of a centralised permission service, its just now your IAM provider. The only scenario i can think of where its more efficent, is in role based authentication.