If that system service further restricts the tape drive to operate only on behalf of users who can submit a service-granting ticket when they wish to use it, there remains only the task of distributing such tickets to the appropriately permitted users.
If the ticket consists of (or includes) a key, one can then term the mechanism which distributes it a KDC.
The KDC will use cryptographic techniques, mostly using symmetric encryption, to authenticate requesting users as themselves.
If the authenticated user meets all prescribed conditions, the KDC can issue a ticket permitting access.
(Actually, Kerberos partitions KDC functionality between two different agents: the AS (Authentication Server) and the TGS (Ticket Granting Service).)