diff --git a/doc/admin-guide-cloud/ch_identity_mgmt.xml b/doc/admin-guide-cloud/ch_identity_mgmt.xml
index 1faa639eba..a4a66754bf 100644
--- a/doc/admin-guide-cloud/ch_identity_mgmt.xml
+++ b/doc/admin-guide-cloud/ch_identity_mgmt.xml
@@ -28,6 +28,7 @@
+
User CRUD
diff --git a/doc/admin-guide-cloud/identity/section_keystone-trusts.xml b/doc/admin-guide-cloud/identity/section_keystone-trusts.xml
new file mode 100644
index 0000000000..5da320b955
--- /dev/null
+++ b/doc/admin-guide-cloud/identity/section_keystone-trusts.xml
@@ -0,0 +1,72 @@
+
+
+
+ Use trusts
+ OpenStack Identity manages authentication and authorization. A trust is
+ an OpenStack Identity extension that enables delegation and, optionally,
+ impersonation through keystone. A trust extension defines
+ a relationship between:
+
+
+ Trustor
+ The user delegating a limited set of their own rights
+ to another user.
+
+
+ Trustee
+ The user the trust is being delegated to, for a limited
+ time.
+
+
+ The trust can eventually allow the trustee to impersonate the trustor.
+ For security reasons, some safeties are added. For example, if a trustor
+ loses a given role, any trusts the user issued with that role, and the
+ related tokens, are automatically revoked.
+ The delegation parameters are:
+
+
+ User ID
+ The user IDs for the trustor and trustee.
+
+
+ Privileges
+ The delegated privileges are a combination of a tenant
+ ID and a number of roles that must be a subset of the roles assigned to
+ the trustor.
+ If you omit all privileges, nothing is delegated. You cannot
+ delegate everything.
+
+
+ Delegation depth
+ Defines whether or not the delegation is recursive. If
+ it is recursive, defines the delegation chain length.
+ Specify one of the following values:
+
+ 0. The delegate cannot delegate
+ these permissions further.
+ 1. The delegate can delegate the
+ permissions to any set of delegates but the latter cannot delegate
+ further.
+ inf. The delegation is infinitely
+ recursive.
+
+
+
+ Endpoints
+ A list of endpoints associated with the delegation.
+ This parameter further restricts the delegation to the specified
+ endpoints only. If you omit the endpoints, the delegation is useless.
+ A special value of all_endpoints allows the trust
+ to be used by all endpoints associated with the delegated tenant.
+
+
+ Duration
+ (Optional) Comprised of the start time and end time for
+ the trust.
+
+
+
\ No newline at end of file