The Lighthouse context represents an authenticated session used to access the Identity Manager repository; every access made through it is subject to authorization checking, which enforces visibility and action restrictions. Creating, modifying, and deleting users and other Identity Manager objects requires authenticated access to the repository provisioner. This access is established by a context object, typically a LighthouseContext or a WorkflowContext. Each of these context objects contains an authenticated session object that gives the caller access to the repository.
A context (or Session) is fairly intuitive when operating in a logged-in environment -- specifically, in a web browser. Within Identity Manager, however, a workflow is a separate process (actually a TaskInstance) that is independent of any browser session and yet must still access the Identity Manager repository. This is possible because the executing workflow has its own active context, assigned to the workflow when it starts and persisted and restored along with the workflow when it suspends and resumes.
When a user interacts with a workflow (typically through a WorkItem or ManualAction), the workflow maintains its own context. It does not assume the context of the user interacting with the WorkItem (although that user must possess a context that gives them appropriate access to the WorkItem). If the user interacting with the WorkItem causes a form to be loaded, Identity Manager processes the form with the context of the user, not the context of the workflow. To be more precise, the user interacting with the WorkItem is not interacting with the workflow at all. The user is simply interacting with the WorkItem. After the user modifies the WorkItem, the Scheduler will restart the workflow if appropriate.