Currently, Keystone lacks the ability to scope users and their resources to a higher-level collection. Keystone needs a higher-order entity (a domain) to allow for the grouping of users, groups, roles, and tenants. A domain can represent an individual, a company, or an operator-owned space. The intent of a domain is to define the administrative boundaries for management of Keystone entities. By defining the domain collection, an authorization system, whether external or internal to Keystone, can be used to enforce policies related to admin operations for that domain. With domains in place, administrative roles within each domain can then be defined to control CRUD operations on entities scoped to the domain. Additionally, domains make it possible to set up cross-domain trust relationships, which can then be used to control the ability to give users of one domain access to resources of another.