layout | page_title | description |
---|---|---|
docs |
Identity and access management (IAM) |
Identity and access management in Boundary |
There are 6 key components to Boundary's identity and access management system: Scopes, Auth Methods, Accounts, Users, Groups, and Roles.
Scopes can be considered as containers for resources and permissions. Each scope also has a permissions boundary that is isolated from other scopes on the same level. There are three types of scopes:
- Global - The highest-level scope of Boundary where administrators configure and manage Boundary for the entire company.
- Org (Organization) - Org scopes are contained in the global scope and are typically used to represent business units, organizations, or departments. Org scopes can also be used to contain multiple production-level auth methods in separate scopes.
- Project - Project scopes are contained in Org scopes and be used to separate different business workflows. For example, projects can be used to represent different teams, products, or environments (test, dev, prod).
Auth Methods are resources that authenticate users to Boundary. Auth methods can only be contained by the global or Org scopes. The available auth methods are:
- Username/Password
- OIDC
- LDAP
Accounts are resources that represent an authenticated user from a trusted identity provider through a Boundary auth method. Accounts must belong to an auth method, and can be associated with a single Boundary user. Boundary accounts can belong to the global or Org Scopes.
Users are resources that represent an individual person or entity for the purposes of access control. A user can contain multiple accounts from multiple auth methods, and can belong to the global or Org Scopes.
Groups are resources that represent a collection of users, and can be contained by any scope. Managed groups are a special kind of group that syncs with the auth method's identity provider to provide up-to-date information.
Roles are resources that contain a collection of permissions which are granted to any principal (user or group) from any scope. Roles can be contained by any scope, and the permissions can be applied to the same scope or any child scope.
There are 3 steps to adding new users to Boundary using the password auth method:
- Choose the scope and the auth method that the user will use to authenticate to Boundary. If the desired auth method does not exist, you must create a new one.
- After the auth method is selected, you can create an account under the auth method.
- In the same scope, create a new user, and then attach the new account to the new user. The user is now able to authenticate to Boundary.
With the OIDC and LDAP auth methods, Boundary uses data from the identity provider to automatically generate accounts and users in the same scope as the auth method. The accounts and users are only created once the user authenticates to Boundary for the first time. The same applies to OIDC/LDAP managed groups.
When setting up access controls for a user, it is important to first consider which scope(s) the user needs access to. Roles give users permission to perform actions through grants strings. It is recommended to add the user to a group, and then add the group to the role(s), instead of adding the user directly to the role(s). This way, you can manage multiple users at the same time, and it is easier to change the permissions of the user by adding/removing them from groups. You can manage OIDC/LDAP users and managed groups the same way, directly in the provider.
Here are a few examples of access management for personas, using this sample scope structure. In this structure, there are 7 scopes overall: 1 global, 2 Orgs, and 4 Projects.
-
Each of the 7 scopes requires a role (ex. “admin”)
-
Each role needs to have the user/group added as a principal
-
Each role needs to have the grants of
ids=*;type=*;actions=*
-
Each of the 7 scopes requires a role (ex. “viewer”)
-
Each role needs to have the user/group added as a principal
-
Each role needs to have the grants of
ids=*;type=*;actions=read,list
-
The following scopes each require a role (ex. “admin”)
- Org_A
- Project_1
- Project_2
-
Each role needs to have the user/group added as a principal
-
Each role needs to have the grants of
ids=*;type=*;actions=*
-
Project_1 requires a role (ex. “admin”)
-
The role needs to have the user/group added as a principal
-
The role needs to have the grants of
ids=*;type=*;actions=*
-
Project_1 requires a role (ex. “target_access”)
-
The role needs to have the user/group added as a principal
-
The role needs to have the grants of
ids=*;type=target;actions=list,read,authorize-session
ids=*;type=session;actions=read:self,cancel:self,list