# Identity & Multi-tenancy Overview

The Private Cloud Director Identity Service provides API client authentication, service discovery, and distributed multi-tenant authorization for your Private Cloud Director environment.

## Multi-Tenancy

Multi-tenancy is a core construct in Private Cloud Director. The four key multi-tenancy constructs are:

1. Domains
2. Regions
3. Tenants
4. Users & Groups

Using a combination of these, you can create a Private Cloud Director deployment for:

1. Single team with multiple users
2. Multiple teams, each with multiple users
3. Multiple separate sub-organizations, each with its own set of teams and users

Multi-tenancy is enabled by the Private Cloud Director Identity Service.

## Identity Service

The Private Cloud Director Identity Service is organized as a group of services exposed on one or many endpoints. Many of these services are used in combination by clients such as the user interface and the `pcdctl` CLI in order to authenticate a user and authorize them to execute an API request. For example, an authenticate call validates the user/tenant credentials with the Identity service and, upon success, creates and returns a token from the Token service. The Private Cloud Director Identity Service is built on the open source OpenStack Keystone project behind the scenes.

### Identity

The `identity` refers to the permissions that a user has on a resource. The Identity service validates authorization credentials and provides data about *users* and *groups*.

By default, when you create users or groups using the Identity Service, the data about those users and groups is managed directly by the Identity service, which also handles all CRUD operations on it. This is the case, for example, when you create a user in your Private Cloud Director setup by navigating to the Tenants and Users option under the Settings menu in the UI, selecting 'Users' from the left navigation bar, and creating a new user. You can also do this with the `pcdctl` CLI or the Identity Service API. Users and groups of this kind are called *local* users and groups.

You can also integrate the Private Cloud Director Identity Service with your enterprise identity provider. In this case, the information about users and groups is managed by your authoritative backend service. An example of this is the Identity service acting as a frontend for LDAP: the LDAP server is the source of truth and the role of the Identity service is to relay that information accurately.

### Users

A `User` represents an individual API consumer. Every user is owned by a specific domain, so user names are **not** globally unique, only unique within their domain.

### Groups

A `Group` is a container representing a collection of users. Every group is owned by a specific domain, so group names are **not** globally unique, only unique within their domain.

### Domains

`Domains` are a high-level container for projects, users and groups. Read more about [domains](https://docs.platform9.com/private-cloud-director/identity-and-multi-tenancy/domains "mention").

### Tenants (Projects)

`Tenants` (called Projects in the API) represent the base unit of `ownership` in Private Cloud Director. Read more about [tenants](https://docs.platform9.com/private-cloud-director/tenant#tenant "mention").

### Roles

`Roles` dictate the level of authorization an end user can obtain. A role can be granted at either the domain or the tenant level, and can be assigned to an individual user or to a group. Role names are unique within the owning domain.

### Role Assignments

A role assignment is a 3-tuple of a `Role`, a `Resource` and an `Identity` (a user or a group). A `Resource` is any Private Cloud Director object to which permissions can be assigned.
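The following is an added illustration, not product code, of the constructs described above: domain-scoped user and group names, group membership, and role assignments as (role, resource, identity) 3-tuples. The domain, tenant, user and group names are constructed sample data, and assignments are matched only against the exact domain or tenant they were granted on.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    kind: str    # "user" or "group"
    domain: str  # owning domain: the name is unique only within it
    name: str

@dataclass(frozen=True)
class Resource:
    kind: str    # "domain" or "tenant"
    domain: str  # for a tenant, the domain that owns it
    name: str

@dataclass
class IdentityStore:
    # group -> its member users; both must live in the same domain
    group_members: dict = field(default_factory=dict)
    # role assignments as (role, resource, identity) 3-tuples
    assignments: set = field(default_factory=set)

    def add_member(self, group: Identity, user: Identity) -> None:
        if group.kind != "group" or user.kind != "user":
            raise ValueError("add_member expects a group and a user")
        if group.domain != user.domain:
            raise ValueError("a group may only contain users of its own domain")
        self.group_members.setdefault(group, set()).add(user)
    def grant(self, role: str, resource: Resource, identity: Identity) -> None:
        self.assignments.add((role, resource, identity))
    def effective_roles(self, user: Identity, resource: Resource) -> set:
        # direct grants plus grants made to any group the user belongs to;
        # only assignments on this exact resource (domain or tenant) count
        actors = {user} | {g for g, m in self.group_members.items() if user in m}
        return {role for role, res, ident in self.assignments
                if res == resource and ident in actors}

def demo() -> dict:
    # constructed sample data: two distinct users that are both named "alice"
    store = IdentityStore()
    alice_eng = Identity("user", "engineering", "alice")
    alice_fin = Identity("user", "finance", "alice")
    ops = Identity("group", "engineering", "ops")
    store.add_member(ops, alice_eng)
    dev = Resource("tenant", "engineering", "dev")
    eng = Resource("domain", "engineering", "engineering")
    store.grant("member", dev, ops)        # tenant-scoped, via group
    store.grant("admin", eng, alice_eng)   # domain-scoped, direct
    return {"eng_alice_on_dev": store.effective_roles(alice_eng, dev),
            "fin_alice_on_dev": store.effective_roles(alice_fin, dev),
            "eng_alice_on_domain": store.effective_roles(alice_eng, eng)}
```

The finance "alice" gets nothing on the engineering tenant because the two users are distinct identities despite sharing a name.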

### Token

Tokens are used to authenticate and authorize a user's interactions with the various Private Cloud Director APIs. Tokens come in many flavors, representing various authorization scopes and sources of identity. There are also several different "token providers", each with their own user experience, performance, and deployment characteristics.

The Token service validates and manages tokens used for authenticating requests once a user’s credentials have already been verified.

### Service Catalog

The Catalog service provides an endpoint registry used for endpoint discovery.
