Authorization after identity switching
After switching to another (target) identity, the authorizations of the target identity apply. The authorizations of the original (source) identity no longer apply. The target identity cannot switch back to the original identity unless this is explicitly configured in the whitelist of the target identity.
Example
The API identity of the invoker is linked to role API_SVC_ROLE. The API identity of machine 1 is linked to role API_MACH_ROLE.
After the invoker has switched its identity to the API identity of machine 1, the authorizations of role API_MACH_ROLE apply. The authorizations of role API_SVC_ROLE no longer apply.
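The following model of these rules is an added example, not code from the product. It assumes that a whitelist lists the identities its owner may switch to; the `Session` class, the identity names `invoker` and `machine1`, and the authorization strings are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample authorizations per role; the role names come from the page.
ROLE_AUTHORIZATIONS = {
    "API_SVC_ROLE": frozenset({"service.invoke"}),
    "API_MACH_ROLE": frozenset({"machine.read", "machine.write"}),
}

class SwitchDenied(Exception):
    """Raised when the current identity's whitelist does not list the target."""

@dataclass(frozen=True)
class ApiIdentity:
    name: str
    role: str
    whitelist: frozenset = frozenset()  # assumed: identities this one may switch to

def build_directory(allow_switch_back=False):
    """Hypothetical identity store in which invoker may switch to machine1."""
    back = frozenset({"invoker"}) if allow_switch_back else frozenset()
    return {
        "invoker": ApiIdentity("invoker", "API_SVC_ROLE", frozenset({"machine1"})),
        "machine1": ApiIdentity("machine1", "API_MACH_ROLE", back),
    }

class Session:
    def __init__(self, directory, start):
        self.directory = directory
        self.identity = directory[start]

    def authorizations(self):
        # Only the current identity's role counts; nothing is inherited
        # from identities held earlier in the session.
        return ROLE_AUTHORIZATIONS[self.identity.role]

    def switch_to(self, target):
        # The whitelist consulted is always that of the current identity,
        # so after a switch the target's whitelist decides any further switch.
        if target not in self.identity.whitelist:
            raise SwitchDenied(f"{self.identity.name} may not switch to {target}")
        self.identity = self.directory[target]

def can_switch_back(allow_switch_back):
    """Switch invoker -> machine1, then try to return to invoker."""
    session = Session(build_directory(allow_switch_back), "invoker")
    session.switch_to("machine1")
    try:
        session.switch_to("invoker")
    except SwitchDenied:
        return False
    return session.identity.role == "API_SVC_ROLE"
```

Because the authorizations are replaced rather than merged, a switch can reduce as well as extend what a session may do, which is worth checking when reviewing whitelist entries.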