by philsnow
2270 days ago
There are more than just security concerns when you allow a bunch of third-party accounts to access one of your first-party accounts. If your highest concept of identity is the account and identity managers allow you to authenticate to that account, let's say you have a tailscale account with id 123, and any human who has access to john@personal.org or john.smith@job.com can access that account. What do you do when John leaves job.com? Can John (accessing the account through john@personal.org) still admin the job.com bits? I think the right abstraction is having first-party (in this case tailscale) accounts belonging to one or more "teams", and authenticating with a @job.com address allows you to switch to the job.com team in the UI / allows you to generate API creds that modify job.com's team.
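The two authorization models described in the comment, as an added example that is not part of the original post and is not Tailscale's code. It contrasts "the account is the top-level identity" (any linked login reaches every team) with "team membership is derived from the identity used to log in", and walks through the offboarding scenario. All names (the account id, john@personal.org, john.smith@job.com, the team names and every function) are constructed for illustration.

```python
# Added example, not code from the comment or from Tailscale: a toy
# authorization model contrasting two ways of linking identities to an
# account. Every name here is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Team:
    name: str
    idp_domain: str  # e-mail domain whose identity provider vouches for members


@dataclass
class Account:
    account_id: int
    identities: set = field(default_factory=set)   # e-mails that can log in
    teams: dict = field(default_factory=dict)       # team name -> Team
    tokens: list = field(default_factory=list)      # API credentials minted so far


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


# Model 1: the account is the identity. Any linked e-mail reaches every team.
def account_level_can_admin(acct: Account, login_email: str, team_name: str) -> bool:
    return login_email in acct.identities and team_name in acct.teams


# Model 2: the domain of the login e-mail decides which team it may act on.
def team_scoped_can_admin(acct: Account, login_email: str, team_name: str) -> bool:
    if login_email not in acct.identities or team_name not in acct.teams:
        return False
    return domain_of(login_email) == acct.teams[team_name].idp_domain


def mint_api_token(acct: Account, login_email: str, team_name: str) -> dict:
    """Issue an API credential bound to exactly one team; refuse when the
    identity used to authenticate is not vouched for by that team's domain."""
    if not team_scoped_can_admin(acct, login_email, team_name):
        raise PermissionError(f"{login_email} cannot mint a token for {team_name}")
    token = {"account": acct.account_id, "team": team_name,
             "issued_via": login_email, "revoked": False}
    acct.tokens.append(token)
    return token


def token_may_modify(token: dict, team_name: str) -> bool:
    # A team-scoped credential only works on the team it was minted for,
    # and only while it has not been revoked.
    return not token["revoked"] and token["team"] == team_name


def offboard(acct: Account, email: str) -> None:
    """What happens when John leaves job.com: the work identity can no longer
    authenticate, so it is unlinked and credentials issued via it are revoked."""
    acct.identities.discard(email)
    for token in acct.tokens:
        if token["issued_via"] == email:
            token["revoked"] = True


def john_leaves_job() -> dict:
    """Walk through the comment's scenario and report what each model allows
    before and after the job.com identity is gone."""
    acct = Account(123, {"john@personal.org", "john.smith@job.com"})
    acct.teams["job.com"] = Team("job.com", "job.com")
    acct.teams["personal"] = Team("personal", "personal.org")

    work_token = mint_api_token(acct, "john.smith@job.com", "job.com")
    before = {
        "personal_login_admins_job_team_account_level":
            account_level_can_admin(acct, "john@personal.org", "job.com"),
        "personal_login_admins_job_team_team_scoped":
            team_scoped_can_admin(acct, "john@personal.org", "job.com"),
        "work_token_on_job_team": token_may_modify(work_token, "job.com"),
        "work_token_on_personal_team": token_may_modify(work_token, "personal"),
    }
    offboard(acct, "john.smith@job.com")
    after = {
        "personal_login_admins_job_team_account_level":
            account_level_can_admin(acct, "john@personal.org", "job.com"),
        "personal_login_admins_job_team_team_scoped":
            team_scoped_can_admin(acct, "john@personal.org", "job.com"),
        "work_token_on_job_team": token_may_modify(work_token, "job.com"),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(john_leaves_job(), indent=2))
```

In the account-level model the personal login still administers the job.com team after offboarding, which is exactly the gap the comment points at; in the team-scoped model the personal login never could, and the credential minted through the work identity stops working once that identity is unlinked.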