Dynamic authorization of users in a multi-tenant environment using tenant authorization profiles
US-9774586-B1 · Sep 26, 2017 · US
US10218703B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10218703-B2 |
| Application number | US-201415112394-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 20, 2014 |
| Priority date | Jan 20, 2014 |
| Publication date | Feb 26, 2019 |
| Grant date | Feb 26, 2019 |
Abstract.
A first representation is provided of privileges among a plurality of tenants of a system. The tenants have relationships according to a hierarchy that includes multiple hierarchical levels of the tenants, where at least one of the privileges specifies a permission of a first tenant to perform a task with respect to a second tenant. The first representation is independent of a representation of the relationships among the plurality of tenants. In response to a request from the first tenant to perform a task with respect to the second tenant, a system determines, based on the first representation, whether the first tenant is permitted to perform the task with respect to the second tenant.
Claims (preview, truncated).
What is claimed is:
1. A method comprising: storing, by a system including a processor, a first representation of privileges among a plurality of tenants of the system, the plurality of tenants having relationships according to a hierarchy that includes a plurality of hierarchical levels of the tenants, wherein at least one of the privileges specifies an access permission of a first of the tenants at a first of the hierarchical levels to a resource of a second of the tenants at one of the hierarchical levels, and wherein the first representation is independent of a representation of the relationships among the plurality of tenants; in response to a request from the first tenant for the resource of the second tenant, determining, by the system based on the first representation, whether the first tenant is permitted to access the resource of the second tenant; and dynamically modifying the first representation to change the privileges among the plurality of tenants, without changing the representation of the relationships among the plurality of tenants.
2. The method of claim 1, wherein the at least one privilege specifies the access permission of the first tenant to the resource of the second tenant at a second, different one of the hierarchical levels.
3. The method of claim 1, wherein the at least one privilege specifies the access permission of the first tenant to user identity data of the second tenant, the user identity data for authorizing access of a cloud service or cloud resource provided by the system.
4. The method of claim 3, further comprising: granting, by the system, access of the first tenant to the cloud service or the cloud resource in response to the user identity data of the second tenant.
5. The method of claim 1, wherein a second of the privileges specifies a permission of the first tenant to modify the second tenant, the method further comprising: in response to a request by the first tenant to modify the second tenant, determining, by the system based on the first representation, whether the first tenant is permitted to modify the second tenant.
6. The method of claim 5, wherein the second privilege specifies a permission of the first tenant to modify the second tenant by adding or removing a sub-tenant of the second tenant.
7. The method of claim 1, wherein storing the first representation comprises storing access control information in at least one access control list.
8. The method of claim 1, wherein storing the first representation comprises using a cryptographic mechanism to control the privileges.
9. The method of claim 1, wherein the storing and the determining are performed by an identity management system that performs authorization of access of a cloud service or cloud resource of the system.
10. The method of claim 1, further comprising: granting, by the system, access of the resource in response to the at least one privilege represented by the first representation indicating that the first tenant is permitted to access the resource of the second tenant; and preventing, by the system, access of the resource in response to the at least one privilege represented by the first representation indicating that the first tenant is not permitted to access the resource of the second tenant.
11. The method of claim 10, wherein the resource of the second tenant is selected from among a processing resource, a storage resource, and a communication resource.
12. A system comprising: at least one hardware processor to: receive a request from a first tenant of the system to perform a task with respect to a second tenant of the system; in response to the request, access a first representation of privileges among a plurality of tenants, the plurality of tenants having relationships according to a hierarchy that includes a plurality of hierarchical levels of the tenants, wherein the privileges specify permissions of the tenants at the respective hierarchical levels to perform tasks with respect to other tenants at the respective hierarchical levels, and wherein the first representation is independent of a representation of the relationships among the plurality of tenants; determine, based on the first representation, whether the first tenant is permitted to perform the task with respect to the second tenant; grant the first tenant permission to perform the task with respect to the second tenant in response to a first permission represented by the first representation specifying that the first tenant is permitted to perform the task with respect to the second tenant; and in response to a request by the first tenant to modify the second tenant, determine, by the system based on a second permission represented by the first representation, whether the first tenant is permitted to modify the second tenant, the second permission specifying a permission of the first tenant to modify the second tenant.
13. The system of claim 12, wherein the determining of whether the first tenant is permitted to perform the task with respect to the second tenant comprises determining whether the first tenant is permitted to access a resource of the second tenant and wherein the granting of the first tenant permission to perform the task with respect to the second tenant comprises granting the first tenant permission to access the resource of the second tenant.
14. The system of claim 12, wherein determining whether the first tenant is permitted to perform the task with respect to the second tenant comprises determining whether the first tenant is permitted to add or remove a sub-tenant of the second tenant.
15. The system of claim 12, wherein the system is a cloud system, and the cloud system further comprising an identity management engine including the at least one hardware processor, the at least one hardware processor of the identity management engine to authorize access of a cloud service or cloud resource of the cloud system by a user of one of the plurality of tenants based on the task performed by the first tenant with respect to the second tenant.
16. The system of claim 15, wherein the task performed by the first tenant with respect to the second tenant comprises the first tenant accessing user identity data of the second tenant, and wherein the at least one processor of the identity management engine is to grant access of the cloud service or the cloud resource by the user of one of the plurality of tenants based on the user identity data accessed by the first tenant.
17. The system of claim 12, wherein the first representation includes a tenant privilege hierarchy that specifies privilege relationships among the plurality of tenants, the tenant privilege hierarchy including the plurality of hierarchical levels.
18. An article comprising at least one non-transitory machine-readable storage medium storing instructions that upon execution cause a cloud system to: receive a request from a first tenant of the cloud system to perform a task with respect to a second tenant of the cloud system, the cloud system including a cloud resource or a cloud service shareable by a plurality of tenants, and the cloud system further including an identity management system to authorize access of at least one of the cloud resource or the cloud service; in response to the request, access a first representation of privileges among the plurality of tenants, the plurality of tenants having relationships according to a hierarchy that includes a plurality of hierarchical levels of the tenants, wherein the privileges specify permissions of the tenants at the resp
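The abstract and claims above rest on two separate data structures: a representation of the tenant relationships (the hierarchy) and an independently modifiable representation of privileges, which claim 7 says may be an access control list. The following Python sketch is an added example written for this page, not code from the patent or its assignee; the class names, the task names and the provider/customer scenario are constructed. It shows the security property the separation buys: a tenant's position in the tree grants nothing by itself, every permission is an explicit default-deny ACL entry (so a lower-level tenant can hold a grant against a higher-level one, as in claim 2), modifying a tenant is gated by its own privilege (claims 5 and 6), and revoking a grant never touches the tree (claim 1).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Task(Enum):
    """Tasks one tenant may request with respect to another (claims 1, 5, 6)."""
    ACCESS_RESOURCE = "access_resource"   # read a resource or user identity data
    MODIFY_TENANT = "modify_tenant"       # add or remove a sub-tenant


@dataclass
class TenantHierarchy:
    """Representation of tenant relationships: a tree stored as child -> parent.
    It holds no permissions; position in the tree is never read as authority."""
    parent: Dict[str, Optional[str]] = field(default_factory=dict)

    def add_root(self, tenant: str) -> None:
        self.parent[tenant] = None

    def add_sub_tenant(self, parent: str, child: str) -> None:
        if parent not in self.parent:
            raise KeyError(f"unknown tenant {parent!r}")
        if child in self.parent:
            raise ValueError(f"tenant {child!r} already exists")
        self.parent[child] = parent

    def remove_sub_tenant(self, parent: str, child: str) -> None:
        if self.parent.get(child) != parent or child in self.parent.values():
            raise ValueError(f"{child!r} is not a leaf sub-tenant of {parent!r}")
        del self.parent[child]


@dataclass
class PrivilegeTable:
    """The 'first representation' of privileges, kept as an ACL (claim 7):
    (acting tenant, target tenant) -> set of permitted tasks. Default deny:
    no entry means not permitted. It never consults the hierarchy, so it can
    be changed without changing the tree (claim 1)."""
    acl: Dict[Tuple[str, str], Set[Task]] = field(default_factory=dict)

    def grant(self, actor: str, target: str, task: Task) -> None:
        self.acl.setdefault((actor, target), set()).add(task)

    def revoke(self, actor: str, target: str, task: Task) -> None:
        self.acl.get((actor, target), set()).discard(task)

    def is_permitted(self, actor: str, target: str, task: Task) -> bool:
        return task in self.acl.get((actor, target), set())


class AuthorizationSystem:
    """Consults the privilege table at request time and fails closed."""

    def __init__(self, tree: TenantHierarchy, acl: PrivilegeTable) -> None:
        self.tree, self.acl = tree, acl

    def check(self, actor: str, target: str, task: Task) -> bool:
        if actor not in self.tree.parent or target not in self.tree.parent:
            return False                     # unknown tenant: deny, do not guess
        return self.acl.is_permitted(actor, target, task)

    def add_sub_tenant(self, actor: str, target: str, child: str) -> bool:
        """Claim 6: restructuring a tenant is gated by MODIFY_TENANT on that tenant."""
        if not self.check(actor, target, Task.MODIFY_TENANT):
            return False
        self.tree.add_sub_tenant(target, child)
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: provider P, customers A and B, A has sub-tenant A1."""
    tree = TenantHierarchy()
    tree.add_root("P")
    tree.add_sub_tenant("P", "A")
    tree.add_sub_tenant("P", "B")
    tree.add_sub_tenant("A", "A1")
    acl = PrivilegeTable()
    acl.grant("A1", "A", Task.ACCESS_RESOURCE)  # lower level reading a higher level (claim 2)
    acl.grant("P", "A", Task.MODIFY_TENANT)     # P may restructure A but not read its resources
    authz = AuthorizationSystem(tree, acl)
    read = Task.ACCESS_RESOURCE
    results = {
        "a1_reads_parent": authz.check("A1", "A", read),          # True: explicit grant
        "parent_reads_child": authz.check("A", "A1", read),       # False: no implicit authority
        "provider_reads_a": authz.check("P", "A", read),          # False: only MODIFY granted
        "provider_adds_a2": authz.add_sub_tenant("P", "A", "A2"), # True
        "b_adds_under_a": authz.add_sub_tenant("B", "A", "A3"),   # False
        "unknown_actor": authz.check("Z", "A", read),             # False: fail closed
    }
    acl.revoke("A1", "A", read)                 # dynamic change to privileges only
    results["a1_after_revoke"] = authz.check("A1", "A", read)     # False
    results["tree_untouched"] = tree.parent["A1"] == "A" and tree.parent["A2"] == "A"
    return results
```

The design choice worth copying is that `AuthorizationSystem.check` reads the tree only to confirm both tenants exist; the decision itself comes from the ACL alone. An implementation that lets a parent reach into its children "because it is the parent" has quietly merged the two representations, and then a hierarchy change silently becomes a privilege change.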
Electricity · mapped topic
Access control lists [ACL] · CPC title
Specific access rights for resources, e.g. using capability register · CPC title
Entity profiles · CPC title
Discovery or management thereof, e.g. service location protocol [SLP] or web services · CPC title