Federated Authorisation and Group Management in e-Science

The power of federated identity and access management is not just simplified authentication but the ability to make authorisation decisions based on a range of attributes. In an increasingly inter-federated world, how can we present and manage authorisations across different federated services in a consistent and uniform way with minimal overhead for each of the parties involved (service providers, identity providers, users)? If this would be done through a centralised service, which party would offer this service? How to assure unambiguous attribute interpretation in and across federations? How to manage groups of users that do not always fit in the same organisational mould? Does the user have a say in the release of attributes?