LCAS, the Local Centre Authorisation Service, is the authorisation decision engine that adds access controls to the "gatekeeper". The gatekeeper accepts job requests from external sources (like the enduser or the workload management system) over an authenticated channel. Today, this functionality is also available for the Classic storage element, since an LCAS and LCMAPS aware GridFTP server (based on the wu-ftpd server) is available.

The concept is that different independent authorisation modules may be plugged-in, thus creating a flexible system. The plug-in framework enables multiple independent authorisation modules to collectively grant or deny access to the resource. The decision is based on the requested resources (expressed via the Resource Specification Language RSL), the identity of the requester, and the authorisation credentials presented by the end-user in the proxy certificate. If VOMS is used this will be the VO, Group, Role, and Capability combinations the user has acquired from VOMS. A basic policy language allows selection of which authorisation plug-ins are to be invoked, and the access decision is the logical "and" of the answers of the individual plug-ins.

As part of the LCAS system, the following plug-ins are provided:

External parties can develop their own plug-ins to provide additional functionality, without the need to re-compile the LCAS framework software.