HashiCorp Developer AI Private beta now available Sign up today
Boundary
Boundary Home

Identity and access management (IAM)

IAM components

There are 6 key components to Boundary's identity and access management system: Scopes, Auth Methods, Accounts, Users, Groups, and Roles.

Scopes

Scopes can be considered as containers for resources and permissions. Each scope also has a permissions boundary that is isolated from other scopes on the same level. There are three types of scopes:

  • Global - The highest-level scope of Boundary where administrators configure and manage Boundary for the entire company.
  • Org (Organization) - Org scopes are contained in the global scope and are typically used to represent business units, organizations, or departments. Org scopes can also be used to contain multiple production-level auth methods in separate scopes.
  • Project - Project scopes are contained in Org scopes and be used to separate different business workflows. For example, projects can be used to represent different teams, products, or environments (test, dev, prod).

Auth methods

Auth Methods are resources that authenticate users to Boundary. Auth methods can only be contained by the global or Org scopes. The available auth methods are:

  • Username/Password
  • OIDC
  • LDAP

Accounts

Accounts are resources that represent an authenticated user from a trusted identity provider through a Boundary auth method. Accounts must belong to an auth method, and can be associated with a single Boundary user. Boundary accounts can belong to the global or Org Scopes.

Users

Users are resources that represent an individual person or entity for the purposes of access control. A user can contain multiple accounts from multiple auth methods, and can belong to the global or Org Scopes.

Groups

Groups are resources that represent a collection of users, and can be contained by any scope. Managed groups are a special kind of group that syncs with the auth method's identity provider to provide up-to-date information.

Roles

Roles are resources that contain a collection of permissions which are granted to any principal (user or group) from any scope. Roles can be contained by any scope, and the permissions can be applied to the same scope or any child scope.

Access management

Configure users - username/password

There are 3 steps to adding new users to Boundary using the password auth method:

  1. Choose the scope and the auth method that the user will use to authenticate to Boundary. If the desired auth method does not exist, you must create a new one.
  2. After the auth method is selected, you can create an account under the auth method.
  3. In the same scope, create a new user, and then attach the new account to the new user. The user is now able to authenticate to Boundary.

Configure users - OIDC/LDAP

With the OIDC and LDAP auth methods, Boundary uses data from the identity provider to automatically generate accounts and users in the same scope as the auth method. The accounts and users are only created once the user authenticates to Boundary for the first time. The same applies to OIDC/LDAP managed groups.

Note

You can configure the max_age in the OIDC attributes to indicate to the OIDC provider how much time is allowed to pass until a user is challenged to authenticate again. However, the user will not be prompted to authenticate until the controller's auth_token_time_to_live parameter has expired. The default value is 7 days. At this time, HCP Boundary users cannot configure the auth_token_time_to_live for a controller, so that value always equals the default of 7 days.

Grant permissions

When setting up access controls for a user, it is important to first consider which scope(s) the user needs access to. Roles give users permission to perform actions through grants strings. It is recommended to add the user to a group, and then add the group to the role(s), instead of adding the user directly to the role(s). This way, you can manage multiple users at the same time, and it is easier to change the permissions of the user by adding/removing them from groups. You can manage OIDC/LDAP users and managed groups the same way, directly in the provider.

Examples

Here are a few examples of access management for personas, using this sample scope structure. In this structure, there are 7 scopes overall: 1 global, 2 Orgs, and 4 Projects.

IAM Example Structure

Boundary admin

  1. Each of the 7 scopes requires a role (ex. “admin”)

  2. Each role needs to have the user/group added as a principal

  3. Each role needs to have the grants of

Boundary viewer

  1. Each of the 7 scopes requires a role (ex. “viewer”)

  2. Each role needs to have the user/group added as a principal

  3. Each role needs to have the grants of

Org_A admin

  1. The following scopes each require a role (ex. “admin”)

    • Org_A
    • Project_1
    • Project_2

  2. Each role needs to have the user/group added as a principal

  3. Each role needs to have the grants of

Project_1 admin

  1. Project_1 requires a role (ex. “admin”)

  2. The role needs to have the user/group added as a principal

  3. The role needs to have the grants of

Project_1 target access

  1. Project_1 requires a role (ex. “target_access”)

  2. The role needs to have the user/group added as a principal

  3. The role needs to have the grants of

Tip

You can use the same roles across “Boundary Admin”, “Org_A Admin”, and “Project_1 Admin” since the scopes and grants are the same. The only difference is the users/groups that are added to each role.
Edit this page on GitHub