Boundary
Identity and access management (IAM)
IAM components
There are 6 key components to Boundary's identity and access management system: Scopes, Auth Methods, Accounts, Users, Groups, and Roles.
Scopes
Scopes can be considered as containers for resources and permissions. Each scope also has a permissions boundary that is isolated from other scopes on the same level. There are three types of scopes:
- Global - The highest-level scope of Boundary where administrators configure and manage Boundary for the entire company.
- Org (Organization) - Org scopes are contained in the global scope and are typically used to represent business units, organizations, or departments. Org scopes can also be used to contain multiple production-level auth methods in separate scopes.
- Project - Project scopes are contained in Org scopes and be used to separate different business workflows. For example, projects can be used to represent different teams, products, or environments (test, dev, prod).
Auth methods
Auth Methods are resources that authenticate users to Boundary. Auth methods can only be contained by the global or Org scopes. The available auth methods are:
- Username/Password
- OIDC
- LDAP
Accounts
Accounts are resources that represent an authenticated user from a trusted identity provider through a Boundary auth method. Accounts must belong to an auth method, and can be associated with a single Boundary user. Boundary accounts can belong to the global or Org Scopes.
Users
Users are resources that represent an individual person or entity for the purposes of access control. A user can contain multiple accounts from multiple auth methods, and can belong to the global or Org Scopes.
Groups
Groups are resources that represent a collection of users, and can be contained by any scope. Managed groups are a special kind of group that syncs with the auth method's identity provider to provide up-to-date information.
Roles
Roles are resources that contain a collection of permissions which are granted to any principal (user or group) from any scope. Roles can be contained by any scope, and the permissions can be applied to the same scope or any child scope.
Access management
Configure users - username/password
There are 3 steps to adding new users to Boundary using the password auth method:
- Choose the scope and the auth method that the user will use to authenticate to Boundary. If the desired auth method does not exist, you must create a new one.
- After the auth method is selected, you can create an account under the auth method.
- In the same scope, create a new user, and then attach the new account to the new user. The user is now able to authenticate to Boundary.
Configure users - OIDC/LDAP
With the OIDC and LDAP auth methods, Boundary uses data from the identity provider to automatically generate accounts and users in the same scope as the auth method. The accounts and users are only created once the user authenticates to Boundary for the first time. The same applies to OIDC/LDAP managed groups.
Note
You can configure the max_age
in the OIDC attributes to indicate to the OIDC provider how much time is allowed to pass until a user is challenged to authenticate again.
However, the user will not be prompted to authenticate until the controller's auth_token_time_to_live
parameter has expired.
The default value is 7 days.
At this time, HCP Boundary users cannot configure the auth_token_time_to_live
for a controller, so that value always equals the default of 7 days.
Grant permissions
When setting up access controls for a user, it is important to first consider which scope(s) the user needs access to. Roles give users permission to perform actions through grants strings. It is recommended to add the user to a group, and then add the group to the role(s), instead of adding the user directly to the role(s). This way, you can manage multiple users at the same time, and it is easier to change the permissions of the user by adding/removing them from groups. You can manage OIDC/LDAP users and managed groups the same way, directly in the provider.
Examples
Here are a few examples of access management for personas, using this sample scope structure. In this structure, there are 7 scopes overall: 1 global, 2 Orgs, and 4 Projects.
Boundary admin
Each of the 7 scopes requires a role (ex. “admin”)
Each role needs to have the user/group added as a principal
Each role needs to have the grants of
Boundary viewer
Each of the 7 scopes requires a role (ex. “viewer”)
Each role needs to have the user/group added as a principal
Each role needs to have the grants of
Org_A admin
The following scopes each require a role (ex. “admin”)
- Org_A
- Project_1
- Project_2
Each role needs to have the user/group added as a principal
Each role needs to have the grants of
Project_1 admin
Project_1 requires a role (ex. “admin”)
The role needs to have the user/group added as a principal
The role needs to have the grants of
Project_1 target access
Project_1 requires a role (ex. “target_access”)
The role needs to have the user/group added as a principal
The role needs to have the grants of
Tip
You can use the same roles across “Boundary Admin”, “Org_A Admin”, and “Project_1 Admin” since the scopes and grants are the same. The only difference is the users/groups that are added to each role.