The concept of authorization provides a relationship between OpenStack users and groups to a list of roles. The roles are used to manage access to services running in OpenStack. The Keystone policy provider enforces rules based on the group and role a user belongs to.