All user authentication is handled by Active Directory links that are configured through Directories Management. Each tenant has one or more Active Directory links that provide authentication on a user or group level.

The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one Active Directory link and a tenant administrator for each tenant. Thereafter, a tenant administrator can configure additional Active Directory links and assign roles to users or groups as needed.

Tenant administrators can also create custom groups within their own tenants and add users and groups to those groups. Custom groups can be assigned roles or designated as the approvers in an approval policy.

Tenant administrators can also create business groups within their tenants. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users and custom groups can be added to business groups.