Groups A group is a collection of users. Administrators can create groups and add users to them. Then, rather than assign a role to each user individually, assign a role to the group. Every group is in a domain. Groups were introduced with version 3 of the Identity API (the Grizzly release of Identity Service). Identity API V3 provides the following group-related operations: Create a group Delete a group Update a group (change its name or description) Add a user to a group Remove a user from a group List group members List groups for a user Assign a role on a tenant to a group Assign a role on a domain to a group Query role assignments to groups The Identity service server might not allow all operations. For example, if using the Identity server with the LDAP Identity back end and group updates are disabled, then a request to create, delete, or update a group fails. Here are a couple examples: Group A is granted Role A on Tenant A. If User A is a member of Group A, when User A gets a token scoped to Tenant A, the token also includes Role A. Group B is granted Role B on Domain B. If User B is a member of Domain B, if User B gets a token scoped to Domain B, the token also includes Role B.