All user authentication is handled by Active Directory links that are configured through Directories Management. Each tenant has one or more Active Directory links that provide authentication at the user or group level.

The root system administrator performs the initial configuration of single sign-on and basic tenant creation and setup, including designating at least one tenant administrator for each tenant. Thereafter, a tenant administrator can configure Active Directory links and assign roles to users or groups as needed from within their designated tenant.

Tenant administrators can also create custom groups within their own tenants and add users and groups to those groups. Custom groups can be assigned roles or designated as the approvers in an approval policy.

Tenant administrators can also create business groups within their tenants. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users and custom groups can be added to business groups.