diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml index e12e2eed1e..ae0469db09 100644 --- a/puppet-manifests/src/hieradata/controller.yaml +++ b/puppet-manifests/src/hieradata/controller.yaml @@ -176,6 +176,7 @@ keystone::log_file: /dev/null keystone::endpoint::default_domain: 'Default' keystone::endpoint::version: 'v3' keystone::endpoint::region: 'RegionOne' +keystone::endpoint::system_controller_region: 'SystemController' keystone::endpoint::admin_url: 'http://127.0.0.1:5000' keystone::ldap::identity_driver: 'sql' diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index 9ee6c8291f..512f911f78 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -6,6 +6,7 @@ class openstack::keystone::params( $auth_uri, $host_url, $region_name = undef, + $system_controller_region = undef, $service_name = 'openstack-keystone', $token_expiration = 3600, $service_create = false, @@ -157,6 +158,7 @@ class openstack::keystone::api if ($::openstack::keystone::params::service_create and $::platform::params::init_keystone) { include ::keystone::endpoint + include ::openstack::keystone::endpointgroup # Cleanup the endpoints created at bootstrap if they are not in # the subcloud region. 
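Review bot: The added `keystone::endpoint::system_controller_region: 'SystemController'` key does not appear to be consumed by anything in this change: the new endpointgroup class reads `$::openstack::keystone::params::system_controller_region`, which sysinv's keystone.py fills from `constants.SYSTEM_CONTROLLER_REGION`, and the upstream `keystone::endpoint` class has no `system_controller_region` parameter for Hiera to bind to. Unless a locally patched `keystone::endpoint` declares that parameter, this is dead configuration and a second hard-coded copy of the region name that can silently drift from the Python constant. Either drop the key or add a comment naming its consumer, e.g. `# consumed by <consuming class> — keep in sync with constants.SYSTEM_CONTROLLER_REGION`.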
@@ -251,6 +253,60 @@ class openstack::keystone::reload { } +class openstack::keystone::endpointgroup + inherits ::openstack::keystone::params { + include ::platform::params + include ::openstack::client + + # $::platform::params::init_keystone should be checked by the caller. + # as this class should be only invoked when initializing keystone. + # i.e. is_initial_config_primary is true is expected. + + if ($::platform::params::distributed_cloud_role =='systemcontroller') { + $reference_region = $::openstack::keystone::params::region_name + $system_controller_region = $::openstack::keystone::params::system_controller_region + $os_username = $::openstack::client::params::admin_username + $identity_region = $::openstack::client::params::identity_region + $keystone_region = $::openstack::client::params::keystone_identity_region + $keyring_file = $::openstack::client::credentials::params::keyring_file + $auth_url = $::openstack::client::params::identity_auth_url + $os_project_name = $::openstack::client::params::admin_project_name + $api_version = 3 + + file { "/etc/keystone/keystone-${reference_region}-filter.conf": + ensure => present, + owner => 'root', + group => 'keystone', + mode => '0640', + content => template('openstack/keystone-defaultregion-filter.erb'), + } -> + file { "/etc/keystone/keystone-${system_controller_region}-filter.conf": + ensure => present, + owner => 'root', + group => 'keystone', + mode => '0640', + content => template('openstack/keystone-systemcontroller-filter.erb'), + } -> + exec { 'endpointgroup-${reference_region}-command': + cwd => '/etc/keystone', + logoutput => true, + provider => shell, + require => [ Class['openstack::keystone::api'], Class['::keystone::endpoint'] ], + command => template('openstack/keystone-defaultregion.erb'), + path => ['/usr/bin/', '/bin/', '/sbin/', '/usr/sbin/'], + } -> + exec { 'endpointgroup-${system_controller_region}-command': + cwd => '/etc/keystone', + logoutput => true, + provider => shell, + require => 
[ Class['openstack::keystone::api'], Class['::keystone::endpoint'] ], + command => template('openstack/keystone-systemcontroller.erb'), + path => ['/usr/bin/', '/bin/', '/sbin/', '/usr/sbin/'], + } + } +} + + class openstack::keystone::server::runtime { include ::openstack::client include ::openstack::keystone @@ -383,9 +439,8 @@ class openstack::keystone::upgrade ( sync_db => false, default_domain => undef, default_transport_url => $::platform::amqp::params::transport_url, - } + } - # Add service account and endpoints for any new R6 services... # include ::::keystone::auth # No new services yet... diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion-filter.erb b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion-filter.erb new file mode 100644 index 0000000000..17bc66b3e7 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion-filter.erb @@ -0,0 +1,3 @@ +{ + "region_id": "<%=@reference_region %>" +} diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion.erb b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion.erb new file mode 100644 index 0000000000..350ce05c23 --- /dev/null +++ b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion.erb 
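Review bot: The two exec titles in the new `openstack::keystone::endpointgroup` class are single-quoted, so `${reference_region}` and `${system_controller_region}` are never interpolated and the resources are literally titled `endpointgroup-${reference_region}-command`; use double quotes, `exec { "endpointgroup-${reference_region}-command":` and `exec { "endpointgroup-${system_controller_region}-command":`. The two titles still differ as strings, so there is no duplicate-resource failure, but logs and any future `Exec[...]` reference will carry the uninterpolated text. Neither exec has an `unless` or `creates` guard, so `openstack endpoint group create` is re-run on every apply that reaches this class; the header comment delegates that to the caller's `init_keystone` check, which the `include` in `openstack::keystone::api` does honour, but a local guard (a marker file via `creates`, or an `unless` that looks the group up) would make the class safe to apply on its own and is worth a sentence in that comment either way.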
@@ -0,0 +1,19 @@
+PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)
+ENDPOINTGROUP_ID=$(openstack endpoint group create \
+distributed_cloud_<%=@reference_region %> \
+keystone-<%=@reference_region %>-filter.conf \
+ --os-username <%=@os_username %> \
+ --os-password $PASSWORD \
+ --os-region-name <%=@identity_region %> \
+ --os-keystone-region-name <%=@keystone_region %> \
+ --os-auth-url <%=@auth_url %> \
+ --os-identity-api-version <%=@api_version %> \
+ --os-project-name <%=@os_project_name %> | awk '/id\ \ / { print $4 }' )
+openstack endpoint group add project $ENDPOINTGROUP_ID services \
+ --os-username <%=@os_username %> \
+ --os-password $PASSWORD \
+ --os-region-name <%=@identity_region %> \
+ --os-keystone-region-name <%=@keystone_region %> \
+ --os-auth-url <%=@auth_url %> \
+ --os-identity-api-version <%=@api_version %> \
+ --os-project-name <%=@os_project_name %>
diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller-filter.erb b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller-filter.erb
new file mode 100644
index 0000000000..61d381b18e
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller-filter.erb
@@ -0,0 +1,3 @@
+{
+ "region_id": "<%=@system_controller_region %>"
+}
diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller.erb b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller.erb
new file mode 100644
index 0000000000..3474d44729
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller.erb
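Review bot: Both `openstack` invocations in this template hand the keystone admin password over as a command-line argument (`--os-password $PASSWORD`), which makes it readable by any local user through the process list for the lifetime of each call; exporting it as `OS_PASSWORD` keeps it out of argv, and the client reads that variable without further changes. The same applies to keystone-systemcontroller.erb in the next hunk. `awk '/id\ \ / { print $4 }'` scrapes the table output, which is fragile across client versions, and when it yields nothing the second command runs as `openstack endpoint group add project  services` with its arguments shifted; `-f value -c id` prints the bare id and a non-empty check before use fails the exec instead. `$PASSWORD` and `$ENDPOINTGROUP_ID` are also unquoted.
```erb
export OS_PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)
ENDPOINTGROUP_ID=$(openstack endpoint group create \
distributed_cloud_<%=@reference_region %> \
keystone-<%=@reference_region %>-filter.conf \
 --os-username <%=@os_username %> \
 # … unchanged: --os-region-name … --os-project-name options, with the --os-password line dropped …
 -f value -c id)
[ -n "$ENDPOINTGROUP_ID" ] || exit 1
openstack endpoint group add project "$ENDPOINTGROUP_ID" services \
 --os-username <%=@os_username %> \
 # … unchanged: remaining --os-* options, with the --os-password line dropped …
```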
@@ -0,0 +1,19 @@
+PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)
+ENDPOINTGROUP_ID=$(openstack endpoint group create \
+distributed_cloud_<%=@system_controller_region %> \
+keystone-<%=@system_controller_region %>-filter.conf \
+ --os-username <%=@os_username %> \
+ --os-password $PASSWORD \
+ --os-region-name <%=@identity_region %> \
+ --os-keystone-region-name <%=@keystone_region %> \
+ --os-auth-url <%=@auth_url %> \
+ --os-identity-api-version <%=@api_version %> \
+ --os-project-name <%=@os_project_name %> | awk '/id\ \ / { print $4 }' )
+openstack endpoint group add project $ENDPOINTGROUP_ID services \
+ --os-username <%=@os_username %> \
+ --os-password $PASSWORD \
+ --os-region-name <%=@identity_region %> \
+ --os-keystone-region-name <%=@keystone_region %> \
+ --os-auth-url <%=@auth_url %> \
+ --os-identity-api-version <%=@api_version %> \
+ --os-project-name <%=@os_project_name %>
diff --git a/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp b/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp
index 98f4b315d3..78ef4150bd 100644
--- a/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp
+++ b/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp
@@ -17,7 +17,7 @@ class dcmanager::keystone::auth (
 $auth_name = 'dcmanager',
 $auth_domain,
 $email = 'dcmanager@localhost',
- $tenant = 'services',
+ $tenant = 'admin',
 $region = 'SystemController',
 $service_description = 'DCManagerService',
 $service_name = undef,
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
index 1561b892f3..53f4a49afd 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
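Review bot: Changing the `$tenant` default from `'services'` to `'admin'` moves the dcmanager service user into the admin project, and nothing in the hunk records why; a reader comparing it with the other service auth classes, which I would expect to still default to `services`, will read it as a typo. Add a why-comment on the parameter, e.g. `# dcmanager is scoped to the admin project rather than 'services' because: <reason> — see <ticket/review reference>`. The role assignment that accompanies this project is outside the hunk; it is worth confirming it is still the minimal role dcmanager needs, since a token scoped to the admin project reaches everything that project owns.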
@@ -117,6 +117,8 @@ class KeystonePuppet(openstack.OpenstackBasePuppet): # system resides 'openstack::keystone::params::region_name': self._identity_specific_region_name(), + 'openstack::keystone::params::system_controller_region': + constants.SYSTEM_CONTROLLER_REGION, 'openstack::keystone::params::service_create': self._to_create_services(),