There is a box representing IAM. In the middle is a box representing Data Flow. At the top is Data Flow Service, and an arrow flows from it to IAM. Below is a Spark Cluster containing two virtual machines. An arrow labelled User Token flows from IAM to it. Below is a figure representing an end-user. An arrow labelled On-behalf-of End User flows from the Spark Cluster, passed the user to Object Store and below it IAM compatible Services. To the right of Data Flow are a number of end users. An arrow labelled Run flows from them to Data Flow.