Manage roles and permissions
Roles in Boundary manage the permissions given to principals (users and groups). Roles can be defined at the global, org, or project scopes.
This tutorial demonstrates the creation of a role in Boundary. You will assign grants and principals to the role.
All resource IDs in this tutorial are illustrations only. IDs are uniquely generated for every resource upon creation with the exception being generated resources in development mode. Be sure to use the resource IDs that are generated for your environment.
Prerequisites
This tutorial assumes that you successfully completed the Manage Scopes and Manage Users and Groups tutorials.
Verify user permissions
To begin, verify the current permissions for the tester01
user created in the
previous tutorial.
Find the auth method ID for the org_auth_method
created in the Manage Scopes
tutorial.
In this example, the generate auth method ID is ampw_ZbB6UXpW3B
.
If you haven't already, copy the ID for org_auth_method
and save it as an
environment variable, BOUNDARY_AUTH_METHOD_ID
.
Example:
Log in to the CLI as the tester01
user. Enter supersecure
at the Please
enter the password (it will be hidden):
prompt.
Now attempt to read the details of the group.
The user does not currently have read permissions for any resources. In this
tutorial you will create a role with read-only permissions, and assign the
group01
resource created in the previous tutorial to the role.
Create a role
You can create roles in the global, org, or project scopes. In this tutorial,
you will create a role in the IT_Support
org which you created in the Manage
Scopes tutorial.
If using Terraform, skip to the assign grants section.
Log back into the CLI as the admin
user. Enter password
at the Please enter
the password (it will be hidden):
prompt.
Create a role named, read-only
.
Example output:
In the example output, the read-only
role ID is r_8ziMMwippL
.
Copy the generated role ID and save it as an environment variable, ROLE_ID
.
Example:
Assign principals to a role
Users and groups (collectively known as principals) are granted permissions to perform actions by assigning them to
a role. Add the tester01
user which you created in the Manage Users and
Groups tutorial to the newly created
read-only
role by assigning the group it belongs to as a principal to the role.
Retrieve the group01
ID.
In the example, the group ID is g_wRpm66iPOX
.
If you haven't already, copy the ID and save it as an environment variable,
GROUP_ID
.
Example:
Now, assign the group01
group to the read-only
role.
Assign grants to a role
Grants describe the actions that the principals can perform. For more
information on how to format grants, refer to Permission Grant
Formats.
In this tutorial, you give read and list permissions to the read-only
role you
created.
Define the grant which permits read and list all resources
(ids=*;type=*;actions=read,list
) and assign it to the read-only
role. Be sure
to replace <role_id>
with your read-only
role ID.
Verify read-only permissions
Log back into the CLI as the tester01
user.
Now attempt to read the details of the group again.
The tester01
user is a member of group01
, and as a principal of the
read-only
role it automatically inherits the defined permissions.
Next steps
You have completed the common Boundary resource management tasks. In the Manage Sessions tutorial you will learn about connecting to targets and managing sessions.