You are forgetting that with the identity approach you chose, you did not have to create an identity. Your "bind" example should be one step only and it should be:
- authorize an identity (the router in this example, but it's true for all identities) to bind the service
Consider the effort to 'unbind' that service now. If you let the system make the bind for you, you simply:
- update the identity and add/remove the proper attributes desired (if the policy uses attributes) or update the service policy and add the identities by attribute or by direct mention
This one act will:
- remove the old terminator
- make a new terminator
If you use an attribute, let's say "#dev-services", and that one attribute mapped to 50 services, with the automatic approach you'd do just that one operation. With the manual approach you will have to find/remove any terminators, then put back "50" terminators. That's at least 50 operations.
It's much easier to not create terminators manually, imo.