diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 9f59d69..e69b042 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -10,6 +10,12 @@ configs:
 user: heat
 password: password
+ domain:
+ password: password
+ # it is strongly recommended don't change this value
+ name: heat
+ # it is strongly recommended don't change this value
+ user: heat_domain_admin
 debug: false
diff --git a/service/files/heat.conf.j2 b/service/files/heat.conf.j2
index c704b36..5a5f07c 100644
--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@@ -5,6 +5,9 @@ use_stderr = True
 use_forwarded_for = True
 region_name_for_services = RegionOne
 rpc_backend = rabbit
+stack_domain_admin = {{ heat.domain.user }}
+stack_domain_admin_password = {{ heat.domain.password }}
+stack_user_domain_name = {{ heat.domain.name }}
 [clients]
 endpoint_type = internalURL
diff --git a/service/heat-api.yaml b/service/heat-api.yaml
index 702e217..bd9af24 100644
--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@@ -33,7 +33,7 @@ service:
 type: single
 command:
 openstack user create --domain default --password {{ heat.password }} {{ heat.user }}
- - name: heat-role-add
+ - name: heat-admin-role-add
 dependencies:
 - heat-user-create
 type: single
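Review bot: The new `domain.password` key defaults to the literal `password`, and the jobs added in service/heat-api.yaml grant this account the `admin` role on the heat domain, so a deployment that keeps the default ships a guessable privileged credential. How far that role reaches depends on how the Keystone policy in use scopes `admin`, which is not visible here. A comment on the key should say the value has to be overridden per deployment, for example `# development default only; override heat.domain.password in the deployment config`. The two added comments read better as `# it is strongly recommended not to change this value`, and would be more useful if they also said why.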
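Review bot: `stack_domain_admin_password = {{ heat.domain.password }}` is rendered without escaping, and oslo.config treats `$` in a value as a reference to another option, so a password containing `$` would fail to resolve or load as a different string. Either escape it in the template, `{{ heat.domain.password | replace('$', '$$') }}`, or document that the password must not contain `$`. The rendered heat.conf now holds a domain-admin credential in clear text; its file mode and ownership are set outside this hunk and should restrict reading to the heat service account.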
@@ -63,6 +63,38 @@ service:
 type: single
 command:
 openstack endpoint create --region RegionOne orchestration admin {{ address('heat-api', heat.api_port, with_scheme=True) }}/v1/%\(tenant_id\)s
+ # Orchestration requires additional information in the Identity service to manage stacks.
+ # For detailed explanation see: http://docs.openstack.org/project-install-guide/orchestration/newton/install-ubuntu.html
+ - name: keystone-create-heat-domain
+ type: single
+ command:
+ openstack domain create --description "Owns users and projects created by heat" {{ heat.domain.name }}
+ - name: heat-domain-admin-user-create
+ type: single
+ command:
+ openstack user create --domain {{ heat.domain.name }} --password {{ heat.domain.password }} {{ heat.domain.user }}
+ dependencies:
+ - keystone-create-heat-domain
+ - name: grant-doman-user-admin-privileges
+ type: single
+ command:
+ openstack role add --domain {{ heat.domain.name }} --user-domain {{ heat.domain.name }} --user {{ heat.domain.user }} admin
+ dependencies:
+ - heat-domain-admin-user-create
+ # You must add the heat_stack_owner role to each user that manages stacks after addinf new users.
+ - name: heat-stack-owner-role-create
+ type: single
+ command:
+ openstack role create heat_stack_owner
+ dependencies:
+ - grant-doman-user-admin-privileges
+ # The Orchestration service automatically assigns the heat_stack_user role to users that it creates during stack deployment.
+ - name: heat-stack-user-role-create
+ type: single
+ command:
+ openstack role create heat_stack_user
+ dependencies:
+ - grant-doman-user-admin-privileges
 daemon:
 dependencies:
 - rabbitmq
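Review bot: The `heat-domain-admin-user-create` job interpolates `{{ heat.domain.password }}` unquoted into the command, so a password with spaces or shell metacharacters would be split or interpreted if the runner passes the string to a shell, and the secret lands on the process argument list and possibly in job logs. At minimum quote it, `--password '{{ heat.domain.password }}'`, and document which characters the value may not contain; the existing `heat.password` command in the first hunk of this file has the same pattern. If these jobs can be re-run, `--or-show` on `openstack domain create`, `user create` and `role create` avoids a failure when the object already exists. The job name `grant-doman-user-admin-privileges` is misspelled (`domain`) and already referenced twice under `dependencies`, and the comment above `heat-stack-owner-role-create` has `addinf` for `adding`. The job list this hunk extends starts outside the hunk, so how `command` is executed is not visible here.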