Manage users and groups
Users and groups in Boundary are collectively known as principals. Assigning grants on roles is performed through principal IDs; that is, the unique IDs of users, groups, or both.
This tutorial focus on completing user management tasks within a Boundary environment.
Prerequisites
This tutorial assumes that you successfully completed the Manage Scopes tutorial.
Users
Users in Boundary represent an internal notion of a particular entity (human, machine, etc.). Users can be correlated with one or more account resources via auth methods. Accounts represent external notions of a particular entity. Among other use-cases, this mechanism allows for an easy way to switch users to new IdPs within the organization deploying Boundary.
An auth method can be defined at the org and global scopes. In this tutorial, you will create an account and user for an auth method at the org level.
Currently, all auth methods create users upon authentication. If there is no user linked with an account, Boundary creates a user when the authentication against that account was successful. This behavior may be convenient, but in other situations (such as when you want Terraform to describe the Boundary resources), this may be undesirable. The steps in this tutorial demonstrate manually making these resources and linking them. A future Boundary update will allow turning off auto-vivification on a per-auth-method basis.
Add an auth method
Enable a password-type auth method in the IT_Support
org which you created in
the Manage Scopes tutorial.
Authenticate to Boundary as the admin
user with the login name of password
.
Create a password auth method in the IT_Support
org.
Example:
In this example output, the password auth method ID is ampw_ZbB6UXpW3B
.
Copy the auth method ID and save it as an environment variable, BOUNDARY_AUTH_METHOD_ID
.
Example:
Create an account
Create an account for the org-scoped auth method.
Note
User names must be all lowercase alphanumeric of at least 3 characters and the password must be 8 or more characters. (The minimum lengths can be changed in the attributes for the auth method if desired.)
Create an account named "test_account". Give it a password supersecure
when prompted.
Example output:
In this example, the generated account ID is acctpw_A8R1escktO
.
Copy the ID of test_account
and save it as an environment variable, ACCOUNT_ID
.
Create a user
Next, create a user at the org scope.
Create a user, "tester01" under the IT_Support
org.
In the example output, the tester01
user ID is u_ogz79sV4sT
.
Copy the generated user ID and save it as an environment variable, USER_ID
.
Example:
Now, associate the tester01
user with the test_account
account previously
created.
Verify Users
Now, test to make sure that you can authenticate with Boundary as tester01
user.
Authenticate with Boundary using the newly created user, tester01
. Enter
supersecure
at the Please enter the password (it will be hidden):
prompt.
Warning
To continue the tutorial, re-authenticate with the admin username and password that you were using. Make sure to then select the IT_Support group again.
Example: If you are running Boundary in dev mode, authenticate as the
admin
user. When prompted, enter password
which is the default admin
password in dev mode.
Groups
A group in Boundary is a resource that represents a collection of users that are treated equally for the purposes of access control. A group is a principal, which allows it to be assigned to roles. Roles assigned to a group are indirectly assigned to the users in the group, and users receive all permissions of the assigned roles. Groups can be defined at the Global, Organization, or Project scope.
The group resource membership is managed manually. If using an OIDC Auth provider, such as Auth0, Okta or Azure AD, Managed Groups can be used to automatically map membership to a collection of accounts defined by the auth method's identity provider using filtering.
Create a group
Create a user at the org scope.
Create a group, "group01" under the IT_Support
org.
In the example output, the group01
group ID is g_wRpm66iPOX
.
Copy the generated group ID and save it as an environment variable, GROUP_ID
.
Example:
Now, add the tester01
user created previously to group01
.
By itself, group membership does not inherently assign its members any permissions. In the next tutorial, a role will be assigned to the group and the included members will inherit the role's permissions.
Next steps
This tutorial demonstrated the steps to add a new authentication method to an
org (IT_Support
), created a new user and group within the org, and added the
user as a member of the group. You verified that you can authenticate and logged
into the IT_Support
org using the newly created user credential.
The next step is to define the permissions to control what operations members of the group can perform. In the Manage Roles and Permissions tutorial, you will create a role, assign grants to the role, and then add the group as a principle of the new role. This group members will then inherit the defined permissions.