# Overview

The Private Cloud Director Identity Service provides API client authentication, service discovery, and distributed multi-tenant authorization for your Private Cloud Director environment.

## Multi-Tenancy

Multi-tenancy is a core construct in Private Cloud Director. The four key multi-tenancy constructs in Private Cloud Director are:

1. Domains
2. Regions
3. Tenants
4. Users & Groups

Using a combination of these, you can create a Private Cloud Director deployment for:

1. Single team with multiple users
2. Multiple teams, each with multiple users
3. Multiple separate sub-organizations, each with its own set of teams and users

Multi-tenancy is enabled by the Private Cloud Director Identity Service.

## Identity Service

The Private Cloud Director Identity Service is organized as a group of services exposed on one or more endpoints. Many of these services are used in combination by clients such as the user interface and the `pcdctl` CLI to authenticate a user and authorize that user to execute an API request. For example, an authenticate call validates user/tenant credentials with the Identity Service and, upon success, creates and returns an identity token. The Private Cloud Director Identity Service extends the open source project Keystone.

### Identity

The `identity` refers to the permissions that a user has on a resource. The Identity service provides authorization credential validation and data about *users* and *groups*.

By default, when you create users or groups using the Identity Service, the data about those users and groups is managed directly by the Identity Service, which also handles all CRUD operations on it. This happens when you create a user in the Private Cloud Director user interface by navigating to 'Tenants and Users' under the settings menu at the top right, selecting 'Users' from the left navigation bar, and creating a new user. You can also do this with the `pcdctl` CLI or the Identity Service API. Users and groups created this way are called *local* users and groups.

You can also integrate the Private Cloud Director Identity Service with your enterprise identity provider using SAML 2.0 single sign-on. In this model, your identity provider, such as Microsoft Entra ID, Okta, PingOne, or Duo, authenticates users and remains the authoritative source for user identities and group membership. The Identity Service consumes the SAML assertion to grant the authenticated user access to their assigned tenants and regions, while preserving the isolation boundaries of your domains and tenants. Single sign-on is configured at the domain level.

### Users

`Users` represent an individual API consumer. A user must be owned by a specific domain. Thus user names are **not** globally unique, but only unique within their domain.

### Groups

`Groups` are a container representing a collection of users. A group must be owned by a specific domain, and hence group names are **not** globally unique, but only unique within their domain.

### Domains

`Domains` are a high-level container for projects, users and groups. Read more here about [Domains](/private-cloud-director/2026.1/identity-and-multi-tenancy/domains.md).

### Tenants (Projects)

`Tenants` (also called Projects in the API) represent the base unit of `ownership` in Private Cloud Director. Read more here about [Tenants & Region](/private-cloud-director/2026.1/identity-and-multi-tenancy/tenant.md#tenant).

### Roles

`Roles` dictate the level of authorization the end user can obtain. Roles can be granted at either the domain or tenant level. A role can be assigned at the individual user or group level. Role names are unique within the owning domain.

### Role Assignments

A role assignment is a 3-tuple consisting of a `Role`, a `Resource` and an `Identity`. A `Resource` is any Private Cloud Director object to which permissions can be assigned.
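The following is an added example, not code from Private Cloud Director or Keystone, that models the constructs above: domain-owned users and groups whose names are unique only within their domain, roles granted at domain or tenant level to either a user or a group, and the resulting effective roles of a user on a resource. All names (`engineering`, `prod`, `alice`, `ops`) are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ref:
    """A domain-scoped name: two Refs with the same name but different domains are distinct."""
    kind: str     # "user", "group", "domain" or "tenant"
    domain: str   # owning domain; "" for a domain resource itself
    name: str

@dataclass
class IdentityService:
    # group Ref -> set of member user Refs
    members: dict = field(default_factory=dict)
    # role assignments as (role, resource Ref, identity Ref) 3-tuples
    assignments: set = field(default_factory=set)

    def add_member(self, group: Ref, user: Ref) -> None:
        self.members.setdefault(group, set()).add(user)

    def grant(self, role: str, resource: Ref, identity: Ref) -> None:
        # Roles can be granted only at the domain or tenant level.
        if resource.kind not in ("domain", "tenant"):
            raise ValueError("roles are granted at domain or tenant level only")
        if identity.kind not in ("user", "group"):
            raise ValueError("a role is assigned to a user or a group")
        self.assignments.add((role, resource, identity))

    def effective_roles(self, user: Ref, resource: Ref) -> set:
        """Roles the user holds on the resource, directly or through group membership."""
        holders = {user} | {g for g, users in self.members.items() if user in users}
        return {role for role, res, ident in self.assignments
                if res == resource and ident in holders}

def build_example():
    """Constructed scenario: an engineering domain with two tenants and one group."""
    svc = IdentityService()
    eng = Ref("domain", "", "engineering")
    prod = Ref("tenant", "engineering", "prod")
    staging = Ref("tenant", "engineering", "staging")
    alice = Ref("user", "engineering", "alice")
    ops = Ref("group", "engineering", "ops")
    svc.add_member(ops, alice)
    svc.grant("admin", prod, ops)     # group-level grant, tenant-scoped
    svc.grant("reader", eng, alice)   # user-level grant, domain-scoped
    return svc, alice, prod, staging, eng
```

Because `Ref` includes the owning domain, a user named `alice` in a different domain shares none of these assignments, which is the isolation the page describes.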

### Token

Tokens are used to authenticate and authorize a user's interactions with the various Private Cloud Director APIs. Tokens come in many flavors, representing various authorization scopes and sources of identity. There are also several different "token providers", each with their own user experience, performance, and deployment characteristics.

The Token service validates and manages the tokens used to authenticate requests once a user's credentials have already been verified.

### Service Catalog

The Catalog service provides an endpoint registry used for endpoint discovery.

### Related Topics

* [RBAC Roles and Permissions](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/rbac-roles-and-permissions) — full permissions matrix for Admin, Self-Service User, and ReadOnly roles.
* [Application Credentials](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/application-credentials) — scoped credentials for automation and service accounts.
* [Token Lifetime Configuration](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/token-lifetime) — default token lifetime and how to adjust it.
* [Tenant Lifecycle: Rename and Delete](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/tenant-lifecycle) — safe procedures for renaming and deleting tenants.
* [Enterprise SSO](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/enterprise-sso) — configure SSO with Microsoft Entra ID, Okta, PingOne, or Duo.
