From 0b03ae0cc84aedf2b3f81031599a568d0e5ca342 Mon Sep 17 00:00:00 2001 From: Abhishek Gupta Date: Wed, 7 Aug 2019 21:19:17 -0700 Subject: [PATCH] Update to include limitations and integrations (#1047) --- .../docs/other-guides/multi-user-overview.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/content/docs/other-guides/multi-user-overview.md b/content/docs/other-guides/multi-user-overview.md index f950915eca..da8c47d22a 100644 --- a/content/docs/other-guides/multi-user-overview.md +++ b/content/docs/other-guides/multi-user-overview.md @@ -196,6 +196,28 @@ with another user in the system. --> +## Current Integration and Limitations + +The Jupyter notebooks service is the first application to be fully integrated with +multi-user isolation. Access to the notebooks and the creation of notebooks is +controlled by the profile access policies set by the Administrator or the owners +of the profiles. Resources created by the notebooks (eg. Training jobs and +deployments) will also inherit the same access. + +Metadata and Pipelines or any other applications currently don't have full +fledged integration with isolation, though they will have access to the user +identity through the headers of the incoming requests. It's upto the individual +applications to leverage the available identity and create isolation stories +that make sense for them. + +On GCP, the authentication and identify token is generated by GCP IAM and carried +through the requests as a JWT Token in header. Other cloud providers can have a +similar header to provide identity information. + +For on-premise deployments, Kubeflow leverages Dex as a federated OpenID connection +provider and can be integrated with LDAP or Active Directory to provide authentication +and identity services. +
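Review bot: The second added paragraph says Metadata and Pipelines "currently don't have full fledged integration with isolation" but stops short of stating what that means for a reader deciding where to put data. Please say explicitly whether resources in those applications are visible across profiles. The same paragraph and the GCP one refer to identity arriving "through the headers of the incoming requests" and "as a JWT Token in header" without naming the header or the component that sets it. Naming both would let application authors know what to validate instead of trusting any inbound header. Wording fixes in the added lines: "identify token" should read "identity token", "upto" should be "up to", "eg." should be "e.g.", "full fledged" should be "full-fledged", "JWT Token" is redundant (use "JWT"), and "federated OpenID connection provider" should read "federated OpenID Connect provider".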