diff --git a/doc/common/section_keystone-concepts.xml b/doc/common/section_keystone-concepts.xml
index 6f149fc39f..3fe0f330dd 100644
--- a/doc/common/section_keystone-concepts.xml
+++ b/doc/common/section_keystone-concepts.xml
@@ -370,4 +370,52 @@
The commands for creating services and endpoints are
described in a later section.
+
+
+ Groups
+
+A group is a collection of users.
+Administrators can create groups and add users to them.
+Then, rather than assign a role to each user individually,
+assign a role to the group.
+
+
+Every group is in a domain. Groups were introduced with version 3 of the
+Identity API (the Grizzly release of Keystone).
+
+
+Identity API V3 provides the following group-related operations:
+
+
+ Create a group
+ Delete a group
+ Update a group (change its name or description)
+ Add a user to a group
+ Remove a user from a group
+ List group members
+ List groups for a user
+ Assign a role on a tenant to a group
+ Assign a role on a domain to a group
+ Query role assignments to groups
+
+
+
+Not all of these operations may be allowed by the Identity server.
+For example, if using the Keystone server with the LDAP Identity backend and
+group updates are disabled, then a request to create, delete, or update a group
+will fail.
+
+
+
+Here's a couple examples:
+
+Group A is granted Role A on Tenant A. If User A is a member of Group A,
+then when User A gets a token scoped to Tenant A then the token will also
+include Role A.
+
+Group B is granted Role B on Domain B. If User B is a member of Domain B,
+then if User B gets a token scoped to Domain B then the token will also
+include Role B.
+
+
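Review bot: In the second example (the Group B paragraph), the condition reads "If User B is a member of Domain B", but the role is granted to Group B, so the condition should be membership in Group B, parallel to the first example. As written, the text suggests that any user in the domain receives Role B on a domain-scoped token, which misdescribes who actually gets the role. Suggested wording: "If User B is a member of Group B, then when User B gets a token scoped to Domain B, the token will also include Role B." Two smaller points in the same hunk: "Here's a couple examples" reads better as "Here are a couple of examples", and the first example repeats "then" ("then when User A gets a token scoped to Tenant A then the token"), so the second "then" can be dropped.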