Manage users and groups
Users and groups in Boundary are collectively known as principals. Assigning grants on roles is performed through principal IDs; that is, the unique IDs of users, groups, or both.
This tutorial focus on completing user management tasks within a Boundary environment.
Prerequisites
This tutorial assumes that you successfully completed the Manage Scopes tutorial.
Users
Users in Boundary represent an internal notion of a particular entity (human, machine, etc.). Users can be correlated with one or more account resources via auth methods. Accounts represent external notions of a particular entity. Among other use-cases, this mechanism allows for an easy way to switch users to new IdPs within the organization deploying Boundary.
An auth method can be defined at the org and global scopes. In this tutorial, you will create an account and user for an auth method at the org level.
Currently, all auth methods create users upon authentication. If there is no user linked with an account, Boundary creates a user when the authentication against that account was successful. This behavior may be convenient, but in other situations (such as when you want Terraform to describe the Boundary resources), this may be undesirable. The steps in this tutorial demonstrate manually making these resources and linking them. A future Boundary update will allow turning off auto-vivification on a per-auth-method basis.
Add an auth method
Enable a password-type auth method in the IT_Support
org which you created in
the Manage Scopes tutorial.
Authenticate to Boundary as the admin
user with the login name of password
.
$ boundary authenticatePlease enter the login name (it will be hidden):Please enter the password (it will be hidden):Authentication information: Account ID: acctpw_VOeNSFX8pQ Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_1vUkf5fPs9The token was successfully stored in the chosen keyring and is not displayed here.
Create a password auth method in the IT_Support
org.
$ boundary auth-methods create password \ -scope-id=$ORG_ID \ -name="org_auth_method" \ -description="Org auth method"
Example:
$ boundary auth-methods create password \ -scope-id=$ORG_ID \ -name="org_auth_method" \ -description="Org auth method" Auth Method information: Created Time: Fri, 27 May 2022 11:14:30 MDT Description: Org auth method ID: ampw_ZbB6UXpW3B Name: org_auth_method Type: password Updated Time: Fri, 27 May 2022 11:14:30 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete authenticate Authorized Actions on Auth Method's Collections: accounts: create list managed-groups: create list Attributes: Minimum Login Name Length: 3 Minimum Password Length: 8
In this example output, the password auth method ID is ampw_ZbB6UXpW3B
.
Copy the auth method ID and save it as an environment variable, BOUNDARY_AUTH_METHOD_ID
.
Example:
$ export BOUNDARY_AUTH_METHOD_ID=ampw_ZbB6UXpW3B
Create an account
Create an account for the org-scoped auth method.
Note
User names must be all lowercase alphanumeric of at least 3 characters and the password must be 8 or more characters. (The minimum lengths can be changed in the attributes for the auth method if desired.)
Create an account named "test_account". Give it a password supersecure
when prompted.
$ boundary accounts create password \ -auth-method-id=$BOUNDARY_AUTH_METHOD_ID \ -login-name="tester01" \ -name=test_account \ -description="Test password account"
Example output:
$ boundary accounts create password \ -auth-method-id=$BOUNDARY_AUTH_METHOD_ID \ -login-name="tester01" \ -name=test_account \ -description="Test password account"Please enter the password (it will be hidden): Account information: Auth Method ID: ampw_ZbB6UXpW3B Created Time: Fri, 27 May 2022 11:16:47 MDT Description: Test password account ID: acctpw_A8R1escktO Name: test_account Type: password Updated Time: Fri, 27 May 2022 11:16:47 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete set-password change-password Attributes: Login Name: tester01
In this example, the generated account ID is acctpw_A8R1escktO
.
Copy the ID of test_account
and save it as an environment variable, ACCOUNT_ID
.
$ export ACCOUNT_ID=acctpw_A8R1escktO
Create a user
Next, create a user at the org scope.
Create a user, "tester01" under the IT_Support
org.
$ boundary users create -name="tester01" -description="A test user" -scope-id=$ORG_ID User information: Created Time: Fri, 27 May 2022 11:17:35 MDT Description: A test user ID: u_ogz79sV4sT Name: tester01 Updated Time: Fri, 27 May 2022 11:17:35 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-accounts set-accounts remove-accounts
In the example output, the tester01
user ID is u_ogz79sV4sT
.
Copy the generated user ID and save it as an environment variable, USER_ID
.
Example:
$ export USER_ID=u_ogz79sV4sT
Now, associate the tester01
user with the test_account
account previously
created.
$ boundary users set-accounts -id=$USER_ID -account=$ACCOUNT_ID User information: Created Time: Fri, 27 May 2022 11:17:35 MDT Description: A test user ID: u_ogz79sV4sT Name: tester01 Updated Time: Fri, 27 May 2022 11:18:37 MDT Version: 2 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-accounts set-accounts remove-accounts Accounts: ID: acctpw_A8R1escktO Scope ID: o_u54jrD6ydN
Verify Users
Now, test to make sure that you can authenticate with Boundary as tester01
user.
Authenticate with Boundary using the newly created user, tester01
. Enter
supersecure
at the Please enter the password (it will be hidden):
prompt.
$ boundary authenticatePlease enter the login name (it will be hidden):Please enter the password (it will be hidden):Authentication information: Account ID: acctpw_A8R1escktO Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_ogz79sV4sTThe token was successfully stored in the chosen keyring and is not displayed here.
Warning
To continue the tutorial, re-authenticate with the admin username and password that you were using. Make sure to then select the IT_Support group again.
Example: If you are running Boundary in dev mode, authenticate as the
admin
user. When prompted, enter password
which is the default admin
password in dev mode.
$ boundary authenticatePlease enter the login name (it will be hidden):Please enter the password (it will be hidden):Authentication information: Account ID: acctpw_VOeNSFX8pQ Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_1vUkf5fPs9The token was successfully stored in the chosen keyring and is not displayed here.
Groups
A group in Boundary is a resource that represents a collection of users that are treated equally for the purposes of access control. A group is a principal, which allows it to be assigned to roles. Roles assigned to a group are indirectly assigned to the users in the group, and users receive all permissions of the assigned roles. Groups can be defined at the Global, Organization, or Project scope.
The group resource membership is managed manually. If using an OIDC Auth provider, such as Auth0, Okta or Azure AD, Managed Groups can be used to automatically map membership to a collection of accounts defined by the auth method's identity provider using filtering.
Create a group
Create a user at the org scope.
Create a group, "group01" under the IT_Support
org.
$ boundary groups create -name="group01" -description="A test group" -scope-id=$ORG_ID Group information: Created Time: Fri, 27 May 2022 11:20:55 MDT Description: A test group ID: g_wRpm66iPOX Name: group01 Updated Time: Fri, 27 May 2022 11:20:55 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-members set-members remove-members
In the example output, the group01
group ID is g_wRpm66iPOX
.
Copy the generated group ID and save it as an environment variable, GROUP_ID
.
Example:
$ export GROUP_ID=g_wRpm66iPOX
Now, add the tester01
user created previously to group01
.
$ boundary groups add-members -id=$GROUP_ID -member=$USER_ID Group information: Created Time: Fri, 27 May 2022 11:20:55 MDT Description: A test group ID: g_wRpm66iPOX Name: group01 Updated Time: Fri, 27 May 2022 11:21:42 MDT Version: 2 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-members set-members remove-members Members: ID: u_ogz79sV4sT Scope ID: o_u54jrD6ydN
By itself, group membership does not inherently assign its members any permissions. In the next tutorial, a role will be assigned to the group and the included members will inherit the role's permissions.
Next steps
This tutorial demonstrated the steps to add a new authentication method to an
org (IT_Support
), created a new user and group within the org, and added the
user as a member of the group. You verified that you can authenticate and logged
into the IT_Support
org using the newly created user credential.
The next step is to define the permissions to control what operations members of the group can perform. In the Manage Roles and Permissions tutorial, you will create a role, assign grants to the role, and then add the group as a principle of the new role. This group members will then inherit the defined permissions.