Manage access with roles
Roles map grant strings to principals, which are users, groups, and managed groups. Every role assigns grants within a scope, as determined by the role's grant scope IDs. Scopes are logical groupings of resources. They allow you to partition resources and then assign ownership of those resources to principals.
You can assign roles to multiple scopes to grant permissions to users who need access to resources across multiple scopes. Child scopes can inherit roles from parents. For example, the global scope could have multiple child scopes called "orgs". When you create a role in the global scope, you can configure it to apply to those child org scopes.
Once you create a role, you add principals and grants to it. The principals inherit the grants. You can optionally add grant scopes to the role to configure inheritance across multiple scopes.
Create a role
Roles let you map grant strings or permissions to principals, which are users, groups, and managed groups.
Complete the following steps to create a role:
Log in to Boundary.
Navigate to an org, and then select Roles on the navigation pane.
Click New or New Role.
Complete the following fields:
- Name: (Optional) Enter a name for the role for identification purposes.
- Description: (Optional) Enter a description of the role for identification purposes.
Click Save.
Boundary creates the role and takes you to the role's Settings page.
To view a cheat sheet to help you create roles, refer to Example roles.
Assign principals to a role
You can grant users, groups, and managed groups permissions to perform actions by assigning them to a role.
Complete the following steps to assign principals to a role:
Log in to Boundary.
Select Roles in the navigation pane, and then select the role you want to assign principals to.
Click the Principals tab.
Click the Add Principals button, or select it from the Manage dropdown.
Select one or more users, groups, or managed groups to associate with the role.
Click Add Principals.
Boundary adds the principals to the role. The role's Principals page should now show the principals you selected.
Assign grants to a role
Grants describe the actions that the principals are allowed to perform. You can add grants to a role either by manually defining grant strings or by using the UI to select from pre-defined templates.
Complete the following steps to assign grants to a role:
- Log in to Boundary.
- In the navigation pane, select Roles, and then select the role you want to assign grants to.
- On the role's Settings page, click the Grants tab.
- Choose how you want to add grants:
  - To manually add or modify grants:
    - Click Edit Grants.
    - Enter or modify grant strings in the editor. Enter each grant string on a different line.
  - To add pre-defined grant templates:
    - Click Add Grant Templates.
    - In the template list, select the grant strings to add.
    - Click Add Grant Templates.
- Click Save to apply your changes.
To view common use cases for grants based on job function, refer to Common use cases.
Add grant scopes
You can assign roles to multiple scopes to configure role inheritance. Roles can have a combination of the following grant scopes:
- this (this scope)
- children (all direct children of the assigned scope, global and org scopes only)
- descendants (all descendants of a scope, global only)
- ID (such as o_v2MpV4vBHN or p_0vfvaQPwhD. Roles accept multiple grant scope IDs)
Boundary automatically assigns grants the this scope when you create them.
Complete the following steps to add grant scopes to a role:
Log in to Boundary.
Select Roles in the navigation pane, and then select the role you want to add grant scopes to.
Click the Scopes tab.
From the Manage dropdown, select Manage Scopes.
Select from the following:
- Add this scope: Adds the current scope to the grant.
- Add all children: Adds all direct children of the current scope and can only be used with global and org scopes.
- Add all descendants: Adds all descendants of the current scope and can only be used with the global scope.
To add additional scopes:
- Click Manage custom scopes.
- Select any additional scopes that you want to assign to the grant.
- Click Save.
Click Save.
Boundary assigns the grant scopes to the role.
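The grant scope rules listed above, modelled as an added example (not Boundary's code and not part of the original documentation): it resolves which scopes a role's grants reach and rejects the combinations the list rules out. The scope tree, its IDs, and the function names are constructed for illustration.

```python
# Constructed scope tree for illustration (made-up IDs): child -> parent.
PARENT = {
    "o_exampleorg1": "global",
    "o_exampleorg2": "global",
    "p_exampleprj1": "o_exampleorg1",
    "p_exampleprj2": "o_exampleorg1",
    "p_exampleprj3": "o_exampleorg2",
}

def scope_type(scope_id):
    """Classify a scope by its ID: 'global', or the o_/p_ prefix."""
    if scope_id == "global":
        return "global"
    return {"o_": "org", "p_": "project"}[scope_id[:2]]

def children(scope_id):
    return {c for c, p in PARENT.items() if p == scope_id}

def descendants(scope_id):
    found = set()
    for child in children(scope_id):
        found |= {child} | descendants(child)
    return found

def effective_scopes(role_scope, grant_scopes):
    """Return every scope ID in which the role's grants apply."""
    kind = scope_type(role_scope)
    reach = set()
    for gs in grant_scopes:
        if gs == "this":
            reach.add(role_scope)
        elif gs == "children":
            if kind not in ("global", "org"):
                raise ValueError("children: global and org scopes only")
            reach |= children(role_scope)
        elif gs == "descendants":
            if kind != "global":
                raise ValueError("descendants: global scope only")
            reach |= descendants(role_scope)
        elif gs == "global" or gs in PARENT:
            reach.add(gs)  # explicit scope ID
        else:
            raise ValueError(f"unknown scope ID: {gs}")
    return reach

if __name__ == "__main__":
    # Review how far each role definition reaches before saving it.
    print(sorted(effective_scopes("global", ["this", "children"])))
    print(sorted(effective_scopes("o_exampleorg1", ["this", "children"])))
```

Resolving a role definition this way before saving it shows how far a broad grant scope such as descendants extends the role's grants.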
Next steps
To manage access to resources dynamically, refer to Manage principals and Filter managed groups.
More information
- To better understand Boundary's permissions model, refer to Permissions in Boundary.
- For more specific information about the roles resource, refer to the Roles domain model topic.
- To learn more about creating or managing roles, refer to the CLI roles topic or the API Role service topic.
- To view a cheat sheet to help you create roles, refer to Example roles.
- To view common use cases for grants based on job function, refer to Common use cases.
Tutorials
For hands-on practice creating partition boundaries to assign ownership over resources, refer to the following tutorials: