User permission in a multi-tenant environment

US12489750B2 · US · B2

Patent metadata

Publication number: US-12489750-B2
Application number: US-202118032100-A
Country: US
Kind code: B2
Filing date: Oct 15, 2021
Priority date: Nov 27, 2020
Publication date: Dec 2, 2025
Grant date: Dec 2, 2025


Abstract


A cross-tenant authentication system is described. The system receives a user token from a client device that is registered with a first tenant of a service application of a server. The system receives a request, from the client device, to access a second feature of a second tenant of the service application. The second feature of the second tenant of the service application is separate from a first feature of the first tenant of the service application. The second feature is only accessible to devices registered with the second tenant of the service application. The system authenticates the request by validating the user token from the client device and determines a cross-tenant policy of the second tenant of the service application based on the user token. The system forms an identity object based on the cross-tenant policy.

Claims (preview, truncated)

What is claimed is:

1. A computer-implemented method comprising: receiving, at a cross-tenant authentication application provided on a server: a user token from a client device that is registered with a first tenant of a service application provided on the server, the user token implying permission to access one or more first services of the first tenant, and a request from the client device to access a second service of a second tenant of the service application, the second service of the second tenant of the service application being separate from the one or more first services of the first tenant of the service application, the second service being only accessible to devices registered with the second tenant of the service application; and by the cross-tenant authentication application: authenticating the request by validating the user token from the client device; in response to validating the user token, determining a cross-tenant policy of the second tenant of the service application based on the user token by accessing a cross-tenant permission map and identifying, from the cross-tenant permission map, cross-tenant API metadata associated with the second tenant, the cross-tenant API metadata indicating cross-tenant access rights for the second tenant; forming an identity object based on the cross-tenant policy, the identity object comprising: a user identifier associated with the user token, an identifier of the first tenant, an identifier of the second tenant, and an access right to the second service of the second tenant; and providing the identity object to the service application to cause the service application to provide access to the second service associated with the second tenant to the client device.

2. The computer-implemented method of claim 1, wherein providing access to the second service associated with the second tenant to the client device comprises: determining that a permission value of a permission attribute in the access right of the identity object indicates enabling the access to a particular feature of the second service of the second tenant of the service application to the client device; and allowing the client device to access the particular feature of the second service of the second tenant of the service application in response to determining that the permission value of the permission attribute indicates enabling the access to the second service of the second tenant of the service application to the client device.

3. The computer-implemented method of claim 1, further comprising: accessing a cross-tenant library that maps access rights to features of the second service of the second tenant to users of the first tenant, wherein the cross-tenant policy is determined based on an access right to the features of the second service of the second tenant mapped to the first tenant.

4. The computer-implemented method of claim 1, further comprising: accessing a cross-tenant library that maps access rights to features of the second service of the second tenant to the user identified in the user token, wherein the cross-tenant policy is determined based on an access right to the features of the second service of the second tenant mapped to the user associated with the user token.

5. The computer-implemented method of claim 1, wherein the user token has been provided to the client device by a directory service application configured to manage security rights for users of the service application, wherein the first tenant indicates a first group of users of a first organization, wherein the second tenant indicates a second group of users of a second organization.

6. The computer-implemented method of claim 1, wherein the service application comprises a communication application, wherein the second service of the second tenant of the service application comprises a second communication channel of the communication application, wherein the request indicates accessing the second communication channel of the communication application.

7. The computer-implemented method of claim 1, wherein the service application comprises a file sharing application, wherein the second service of the second tenant of the service application comprises a file storage of the file sharing application, wherein the request indicates accessing a file of the file storage.

8. The computer-implemented method of claim 1, further comprising: receiving a permission value of a permission attribute indicating a permission level of the second service of the second tenant of the service application for users outside the second tenant; updating a cross-tenant library that maps an access right of the second service of the second tenant of the service application to users of the first tenant of the service application; and updating the identity object based on the updated cross-tenant library.

9. A computing apparatus of a server, the apparatus comprising: a processor; and a memory storing a cross-tenant authentication application comprising instructions that, when executed by the processor, configure the apparatus to: receive a user token from a client device that is registered with a first tenant of a service application provided on the server, the user token implying permission to access one or more first services of the first tenant, and a request from the client device to access a second service of a second tenant of the service application, the second service of the second tenant of the service application being separate from the one or more first services of the first tenant of the service application, the second service being only accessible to devices registered with the second tenant of the service application; authenticate the request by validating the user token from the client device; in response to validating the user token, determine a cross-tenant policy of the second tenant of the service application based on the user token by accessing a cross-tenant permission map and identify, from the cross-tenant permission map, cross-tenant API metadata associated with the second tenant, the cross-tenant API metadata indicating cross-tenant access rights for the second tenant; form an identity object based on the cross-tenant policy, the identity object comprising: a user identifier associated with the user token, an identifier of the first tenant, an identifier of the second tenant, and an access right to the second service of the second tenant; and provide the identity object to the service application to cause the service application to provide access to the second service associated with the second tenant to the client device.

10. The computing apparatus of claim 9, wherein the memory further stores the service application, the service application comprising instructions that further configure the apparatus to: determine that a permission value of a permission attribute in the access right of the identity object indicates enabling the access to a particular feature of the second service of the second tenant of the service application to the client device; and allow the client device to access the particular feature of the second service of the second tenant of the service application in response to determining that the permission value of the permission attribute indicates enabling the access to the second service of the second tenant of the service application to the client device.

11. The computing apparatus of claim 9, wherein the instructions further configure the apparatus to: access a cross-tenant library that maps access rights to features of the second service of the second tenant to users of the first tenant, wherein the cross-te
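The flow the claims describe (validate the home-tenant token, look the target tenant up in a cross-tenant permission map, form an identity object carrying user, home tenant, target tenant and access right, and let the service decide from that object's permission value) as an added Python example; this is not code from the patent or from Microsoft, and the map layout, the permission values "none"/"read"/"read-write", and the token claims sub/tid/exp are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed permission map (shape is an assumption, not the patent's format): target tenant
# -> feature -> permission per home tenant and per user; it stands in for the patent's
# "cross-tenant API metadata" / "cross-tenant library".
PERMISSION_MAP = {
    "tenant-b": {
        "channel:general": {"tenants": {"tenant-a": "read"}, "users": {}},
        "files:shared": {"tenants": {}, "users": {"alice@tenant-a": "read-write"}},
    },
}
PERM_RANK = {"none": 0, "read": 1, "read-write": 2}

@dataclass(frozen=True)
class IdentityObject:  # the fields claim 1 lists, plus the feature the right applies to
    user_id: str
    home_tenant: str
    target_tenant: str
    feature: str
    permission: str  # the "permission value" the service checks (claim 2)

def validate_token(token: dict, now: int) -> tuple[str, str]:
    """Minimal check (claims present, not expired); a real deployment also verifies the signature."""
    for claim in ("sub", "tid", "exp"):
        if claim not in token:
            raise PermissionError(f"token missing claim {claim}")
    if token["exp"] <= now:
        raise PermissionError("token expired")
    return token["sub"], token["tid"]

def resolve_policy(pmap, target_tenant, feature, user_id, home_tenant) -> str:
    """User-specific grant (claim 4) beats tenant-wide grant (claim 3); unmapped means denied."""
    entry = pmap.get(target_tenant, {}).get(feature)
    if entry is None:
        return "none"
    return entry["users"].get(user_id) or entry["tenants"].get(home_tenant, "none")

def form_identity_object(token, target_tenant, feature, now, pmap=PERMISSION_MAP):
    user_id, home_tenant = validate_token(token, now)
    perm = resolve_policy(pmap, target_tenant, feature, user_id, home_tenant)
    return IdentityObject(user_id, home_tenant, target_tenant, feature, perm)

def service_allows(ident: IdentityObject, action: str) -> bool:
    """The service decides from the identity object alone, never from the raw token."""
    return PERM_RANK[ident.permission] >= PERM_RANK[{"read": "read", "write": "read-write"}[action]]

def update_permission(pmap, target_tenant, feature, home_tenant, value):
    """Claim 8: the second tenant changes the level for outside users; identity objects are then re-formed."""
    pmap.setdefault(target_tenant, {}).setdefault(feature, {"tenants": {}, "users": {}})
    pmap[target_tenant][feature]["tenants"][home_tenant] = value
```

Note that an unmapped tenant or user resolves to "none", so a user whose home tenant has no entry for the target tenant is denied even with a valid token.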

Assignees

Microsoft Technology Licensing LLC

Classifications

  • Multiple levels of security · CPC title

  • providing single-sign-on or federations · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Access control lists [ACL] · CPC title


Frequently asked questions

Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 2, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).