Manage roles and permissions
Roles in Boundary manage the permissions given to principals (users and groups). Roles can be defined at the global, org, or project scopes.
This tutorial demonstrates the creation of a role in Boundary. You will assign grants and principals to the role.
All resource IDs in this tutorial are illustrations only. IDs are uniquely generated for every resource upon creation with the exception being generated resources in development mode. Be sure to use the resource IDs that are generated for your environment.
Prerequisites
This tutorial assumes that you successfully completed the Manage Scopes and Manage Users and Groups tutorials.
Verify user permissions
To begin, verify the current permissions for the tester01 user created in the previous tutorial.
Find the auth method ID for the org_auth_method created in the Manage Scopes tutorial.
$ boundary auth-methods list -recursive

Auth Method information:
  ID:                     amoidc_1234567890
    Scope ID:             global
    Version:              1
    Type:                 oidc
    Name:                 Generated global scope initial oidc auth method
    Description:          Provides initial administrative and unprivileged authentication into Boundary
    Authorized Actions:
      no-op
      read
      update
      delete
      change-state
      authenticate

  ID:                     ampw_1234567890
    Scope ID:             global
    Version:              1
    Type:                 password
    Name:                 Generated global scope initial password auth method
    Description:          Provides initial administrative and unprivileged authentication into Boundary
    Is Primary For Scope: true
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

  ID:                     ampw_ZbB6UXpW3B
    Scope ID:             o_u54jrD6ydN
    Version:              1
    Type:                 password
    Name:                 org_auth_method
    Description:          Org auth method
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate
In this example, the generated auth method ID is ampw_ZbB6UXpW3B.
If you haven't already, copy the ID for org_auth_method and save it as an environment variable, BOUNDARY_AUTH_METHOD_ID.
Example:
$ export BOUNDARY_AUTH_METHOD_ID=ampw_ZbB6UXpW3B
Log in to the CLI as the tester01 user. Enter supersecure at the "Please enter the password (it will be hidden):" prompt.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):

Authentication information:
  Account ID:      acctpw_A8R1escktO
  Auth Method ID:  ampw_ZbB6UXpW3B
  Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
  User ID:         u_ogz79sV4sT

The token was successfully stored in the chosen keyring and is not displayed here.
Now attempt to read the details of the group.
$ boundary groups read -id $GROUP_ID

Error from controller when performing read on group

Error information:
  Kind:    PermissionDenied
  Message: Forbidden.
  Status:  403
  context: Error from controller when performing read on group
The user does not currently have read permissions for any resources. In this tutorial you will create a role with read-only permissions, and assign the group01 resource created in the previous tutorial to the role.
Create a role
You can create roles in the global, org, or project scopes. In this tutorial, you will create a role in the IT_Support org which you created in the Manage Scopes tutorial.
If you are using Terraform, skip to the "Assign grants to a role" section.
Log back into the CLI as the admin user. Enter password at the "Please enter the password (it will be hidden):" prompt.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):

Authentication information:
  Account ID:      acctpw_VOeNSFX8pQ
  Auth Method ID:  ampw_ZbB6UXpW3B
  Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
  User ID:         u_ogz79sV4sT

The token was successfully stored in the chosen keyring and is not displayed here.
Create a role named read-only.
$ boundary roles create \
    -scope-id=$ORG_ID \
    -name="read-only" \
    -description="Role with read-only permission"
Example output:
$ boundary roles create \
    -scope-id=$ORG_ID \
    -name="read-only" \
    -description="Role with read-only permission"

Role information:
  Created Time:   Fri, 27 May 2022 11:28:49 MDT
  Description:    Role with read-only permission
  Grant Scope ID: o_u54jrD6ydN
  ID:             r_8ziMMwippL
  Name:           read-only
  Updated Time:   Fri, 27 May 2022 11:28:49 MDT
  Version:        1

  Scope:
    ID:              o_u54jrD6ydN
    Name:            IT_Support
    Parent Scope ID: global
    Type:            org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants
In the example output, the read-only role ID is r_8ziMMwippL.
Copy the generated role ID and save it as an environment variable, ROLE_ID.
Example:
$ export ROLE_ID=r_8ziMMwippL
Assign principals to a role
Users and groups (collectively known as principals) are granted permissions to perform actions by assigning them to a role. Add the tester01 user which you created in the Manage Users and Groups tutorial to the newly created read-only role by assigning the group it belongs to as a principal of the role.
Retrieve the group01 ID.
$ boundary groups list -scope-id=$ORG_ID

Group information:
  ID:          g_wRpm66iPOX
    Version:     2
    Name:        group01
    Description: A test group
    Authorized Actions:
      no-op
      read
      update
      delete
      add-members
      set-members
      remove-members
In the example, the group ID is g_wRpm66iPOX.
If you haven't already, copy the ID and save it as an environment variable, GROUP_ID.
Example:
$ export GROUP_ID=g_wRpm66iPOX
Now, assign the group01 group to the read-only role.
$ boundary roles add-principals -id=$ROLE_ID -principal=$GROUP_ID

Role information:
  Created Time:   Fri, 27 May 2022 11:28:49 MDT
  Description:    Role with read-only permission
  Grant Scope ID: o_u54jrD6ydN
  ID:             r_8ziMMwippL
  Name:           read-only
  Updated Time:   Fri, 27 May 2022 11:30:47 MDT
  Version:        2

  Scope:
    ID:              o_u54jrD6ydN
    Name:            IT_Support
    Parent Scope ID: global
    Type:            org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:       g_wRpm66iPOX
      Type:     group
      Scope ID: o_u54jrD6ydN
Assign grants to a role
Grants describe the actions that the principals can perform. For more information on how to format grants, refer to Permission Grant Formats.
In this tutorial, you give read and list permissions to the read-only role you created.
Define the grant which permits read and list on all resources (ids=*;type=*;actions=read,list) and assign it to the read-only role. Be sure that the ROLE_ID environment variable holds your read-only role ID.
$ boundary roles add-grants -id=$ROLE_ID -grant="ids=*;type=*;actions=read,list"

Role information:
  Created Time:   Fri, 27 May 2022 11:28:49 MDT
  Description:    Role with read-only permission
  Grant Scope ID: o_u54jrD6ydN
  ID:             r_8ziMMwippL
  Name:           read-only
  Updated Time:   Fri, 27 May 2022 11:31:10 MDT
  Version:        3

  Scope:
    ID:              o_u54jrD6ydN
    Name:            IT_Support
    Parent Scope ID: global
    Type:            org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:       g_wRpm66iPOX
      Type:     group
      Scope ID: o_u54jrD6ydN

  Canonical Grants:
    ids=*;type=*;actions=list,read
Verify read-only permissions
Log back into the CLI as the tester01 user.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):

Authentication information:
  Account ID:      acctpw_A8R1escktO
  Auth Method ID:  ampw_ZbB6UXpW3B
  Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
  User ID:         u_ogz79sV4sT

The token was successfully stored in the chosen keyring and is not displayed here.
Now attempt to read the details of the group again.
$ boundary groups read -id $GROUP_ID

Group information:
  Created Time: Fri, 27 May 2022 11:20:55 MDT
  Description:  A test group
  ID:           g_wRpm66iPOX
  Name:         group01
  Updated Time: Fri, 27 May 2022 11:21:42 MDT
  Version:      2

  Scope:
    ID:              o_u54jrD6ydN
    Name:            IT_Support
    Parent Scope ID: global
    Type:            org

  Authorized Actions:
    read

  Members:
    ID:       u_ogz79sV4sT
      Scope ID: o_u54jrD6ydN
The tester01 user is a member of group01, and as a principal of the read-only role it automatically inherits the defined permissions.
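The following Python model, added here as an example and not part of the tutorial or of Boundary's own code, replays the grant assignment and the verification steps above in a few lines: it parses the grant string format shown in this tutorial (ids=*;type=*;actions=read,list), re-emits it the way the Canonical Grants line does (actions sorted), and then evaluates whether tester01 may read group01 before and after the role gets its principal and grant. It uses only the example IDs from this page. The scope rule (a role contributes only to resources in the scope it was created in) and the treatment of list as a collection-level action are simplifying assumptions made for this example; Boundary's real authorization logic has more to it than this.

```python
"""Toy model of Boundary-style roles, principals and grants.

Added example, not Boundary's own authorization code. Grant strings follow the
format shown in the tutorial; scope handling is deliberately simplified.
"""
from dataclasses import dataclass, field

# Actions that apply to a collection rather than to one resource. The tutorial's
# "groups read" output lists only "read" under Authorized Actions even though the
# grant also carries "list", so "list" is treated as collection-level here
# (assumption made for this example).
COLLECTION_ACTIONS = {"list"}


def parse_grant(grant: str) -> dict:
    """Parse a 'key=value;key=value' grant string.

    'ids' and 'actions' are comma-separated and become sets; everything else
    (here only 'type') stays a string. Malformed input raises ValueError so a
    bad grant fails loudly instead of silently granting nothing or everything.
    """
    fields = {}
    for segment in grant.split(";"):
        if "=" not in segment:
            raise ValueError(f"malformed grant segment: {segment!r}")
        key, value = segment.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in ("ids", "actions"):
            fields[key] = {v.strip() for v in value.split(",") if v.strip()}
        else:
            fields[key] = value
    if not fields.get("actions"):
        raise ValueError("grant must name at least one action")
    return fields


def canonical_grant(grant: str) -> str:
    """Re-emit a grant as ids;type;actions with the actions sorted, which is the
    form the tutorial's 'Canonical Grants' line shows (read,list -> list,read)."""
    g = parse_grant(grant)
    parts = []
    if "ids" in g:
        parts.append("ids=" + ",".join(sorted(g["ids"])))
    if "type" in g:
        parts.append("type=" + g["type"])
    parts.append("actions=" + ",".join(sorted(g["actions"])))
    return ";".join(parts)


@dataclass
class Role:
    id: str
    scope_id: str                                   # scope the role was created in
    principals: set = field(default_factory=set)    # user and/or group IDs
    grants: list = field(default_factory=list)      # raw grant strings


def grant_matches(grant: dict, resource_id: str, resource_type: str) -> bool:
    """Does one parsed grant cover this resource? '*' is a wildcard for both."""
    ids = grant.get("ids", set())
    if "*" not in ids and resource_id not in ids:
        return False
    return grant.get("type", "*") in ("*", resource_type)


def authorized_actions(user_id, group_ids, roles, resource_id, resource_type, scope_id) -> set:
    """Union of per-resource actions the user may perform on one resource.

    The user matches a role directly or through any group it belongs to. A role
    only contributes when it lives in the resource's scope (simplified rule).
    """
    principals = {user_id, *group_ids}
    allowed = set()
    for role in roles:
        if role.scope_id != scope_id or not (role.principals & principals):
            continue
        for raw in role.grants:
            g = parse_grant(raw)
            if grant_matches(g, resource_id, resource_type):
                allowed |= g["actions"]
    return allowed - COLLECTION_ACTIONS


def is_authorized(user_id, group_ids, roles, resource_id, resource_type, scope_id, action) -> bool:
    return action in authorized_actions(user_id, group_ids, roles, resource_id, resource_type, scope_id)


def tutorial_scenario() -> tuple:
    """Replay the tutorial with its illustrative IDs.

    Returns (read_before, read_after, update_after): read is denied while the
    role has no principals or grants (the 403 earlier in the tutorial), allowed
    once both are attached, and update stays denied because the grant never
    listed it.
    """
    org, group, user, role_id = "o_u54jrD6ydN", "g_wRpm66iPOX", "u_ogz79sV4sT", "r_8ziMMwippL"
    role = Role(role_id, org)                       # freshly created: no principals, no grants
    args = (user, {group}, [role], group, "group", org)
    read_before = is_authorized(*args, "read")
    role.principals.add(group)                      # boundary roles add-principals
    role.grants.append("ids=*;type=*;actions=read,list")   # boundary roles add-grants
    read_after = is_authorized(*args, "read")
    update_after = is_authorized(*args, "update")
    return read_before, read_after, update_after


if __name__ == "__main__":
    print(canonical_grant("ids=*;type=*;actions=read,list"))
    print(tutorial_scenario())
```

The point of the replay is the asymmetry a read-only role is supposed to enforce: once the grant is attached, read succeeds for every member of group01, while update, delete and the other actions on the group remain denied because a grant only contributes the actions it names. A role in a different scope, or a user outside the group, contributes nothing at all.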
Next steps
You have completed the common Boundary resource management tasks. In the Manage Sessions tutorial you will learn about connecting to targets and managing sessions.