diff --git a/website/content/docs/concepts/domain-model/accounts.mdx b/website/content/docs/concepts/domain-model/accounts.mdx index f1ab113758..f9d50aa4e7 100644 --- a/website/content/docs/concepts/domain-model/accounts.mdx +++ b/website/content/docs/concepts/domain-model/accounts.mdx @@ -8,7 +8,13 @@ description: |- # Action -A Boundary account is a resource that contains the login name and password for the password authentication method. Accounts are not users, but can be associated with users. A login name is a not a username and vice versa. Accounts are a special case for the password auth method because other auth methods already store account information (such as OIDC). +A Boundary account is a resource +that contains the login name and password for the password authentication method. +Accounts are not users, +but can be associated with users. +A login name is a not a username and vice versa. +Accounts are a special case for the password auth method +because other auth methods already store account information (such as OIDC). ## Attributes diff --git a/website/content/docs/concepts/domain-model/actions.mdx b/website/content/docs/concepts/domain-model/actions.mdx index 9cf2fbbd46..bf4ddf0c39 100644 --- a/website/content/docs/concepts/domain-model/actions.mdx +++ b/website/content/docs/concepts/domain-model/actions.mdx 
@@ -8,11 +8,22 @@ description: |- # Action -An action is a defined capability within the Boundary system. Each Resource Type defines its own set of Actions. Currently, the union of actions from all Resource Types is: create, read, update, delete, list, connect. This is not a fixed list and no design or implementation should assume it will ever be a fixed list. +An action is a defined capability within the Boundary system. +Each Resource Type defines its own set of Actions. +Currently, the union of actions from all Resource Types is: +create, +read, +update, +delete, +list, +connect. +This is not a fixed list +and no design or implementation should assume it will ever be a fixed list. ## Attributes -For information on how actions are constructed into grant strings, see the [grants]() section. +For information on how actions are constructed into grant strings, +see the [grants]() section. ## Referenced By diff --git a/website/content/docs/concepts/domain-model/auth-methods.mdx b/website/content/docs/concepts/domain-model/auth-methods.mdx index bf44f1772a..4f94f0c3ba 100644 --- a/website/content/docs/concepts/domain-model/auth-methods.mdx +++ b/website/content/docs/concepts/domain-model/auth-methods.mdx 
@@ -8,7 +8,14 @@ description: |- # Authentication Methods -An authentication method is a method configured for an Organization to authenticate Users. The configuration of an Authentication Method may contain secrets. Zero or one Authentication Method can be configured to create Users. Creation of Groups may be added later. An Authentication Method is owned by one and only one Organization. An Authentication Method creates and references zero or more Users. An Authentication Method is deleted when the Organization it belongs to is deleted. The lifecycle of an Authentication Method is not tied to the lifecycle of any User. +An authentication method is a method configured for an Organization to authenticate Users. +The configuration of an Authentication Method may contain secrets. +Zero or one Authentication Method can be configured to create Users. +Creation of Groups may be added later. +An Authentication Method is owned by one and only one Organization. +An Authentication Method creates and references zero or more Users. +An Authentication Method is deleted when the Organization it belongs to is deleted. +The lifecycle of an Authentication Method is not tied to the lifecycle of any User. ```shell-session +---------------------------------------------+ diff --git a/website/content/docs/concepts/domain-model/grants.mdx b/website/content/docs/concepts/domain-model/grants.mdx index 07600a0577..d8865f0674 100644 --- a/website/content/docs/concepts/domain-model/grants.mdx +++ b/website/content/docs/concepts/domain-model/grants.mdx 
@@ -8,7 +8,19 @@ description: |- # Grants -A grant represents a set of capabilities granted to a roley. It couples a set of Actions to either a set of Resource Types or an individual Resource. A Direct Grant belongs exclusively to one and only one Role. However, equivalent Direct Grants may exist across different Roles. A Direct Grant references one or more Actions and either one or more Resource types or one specific Resource. A Direct Grant is deleted when the Role it belongs to is deleted. A Direct Grant is also deleted if it is associated with a specific Resource and that Resource itself is deleted. The lifecycle of a Direct Grant is not tied to the lifecycle of any Action or Resource Type. +A grant represents a set of capabilities granted to a roley. +It couples a set of Actions to either +a set of Resource Types +or an individual Resource. +A Direct Grant belongs exclusively to one and only one Role. +However, equivalent Direct Grants may exist across different Roles. +A Direct Grant references one or more Actions +and either one or more Resource types +or one specific Resource. +A Direct Grant is deleted when the Role it belongs to is deleted. +A Direct Grant is also deleted if it is associated with a specific Resource +and that Resource itself is deleted. +The lifecycle of a Direct Grant is not tied to the lifecycle of any Action or Resource Type. ```shell-session +----------------------------------------+ @@ -28,7 +40,8 @@ Example: `id=p_0123456789; action=read` The above example grants `read` action on the `p_0123456789` project resource. -The glob `*` pattern can be used on IDs and actions as well: `id=*;action=*`, will allow all actions on all resources. +The glob `*` pattern can be used on IDs and actions as well: +`id=*;action=*`, will allow all actions on all resources. ## Referenced By diff --git a/website/content/docs/concepts/domain-model/groups.mdx b/website/content/docs/concepts/domain-model/groups.mdx index 281bc3553d..d05103dc29 100644 
--- a/website/content/docs/concepts/domain-model/groups.mdx +++ b/website/content/docs/concepts/domain-model/groups.mdx @@ -8,7 +8,14 @@ description: |- # Group -Groups are collections of Users used only for access control purposes. A Group is owned by one and only one Scope. A Group can contain zero or more Users. A Group inherits from Principal ("is-a" Principal) allowing it to be associated with zero or more Roles. All Users in a Group are granted the capabilities of all Roles the Group is associated with. A Group is deleted when the Scope it belongs to is deleted. The lifecycle of a Group is not tied to the lifecycle of any User or Role. +Groups are collections of Users used only for access control purposes. +A Group is owned by one and only one Scope. +A Group can contain zero or more Users. +A Group inherits from Principal ("is-a" Principal) +allowing it to be associated with zero or more Roles. +All Users in a Group are granted the capabilities of all Roles the Group is associated with. +A Group is deleted when the Scope it belongs to is deleted. +The lifecycle of a Group is not tied to the lifecycle of any User or Role. ```shell-session +-------------------------------------+ diff --git a/website/content/docs/concepts/domain-model/host-catalogs.mdx b/website/content/docs/concepts/domain-model/host-catalogs.mdx index 48bf8702fb..07cca60740 100644 --- a/website/content/docs/concepts/domain-model/host-catalogs.mdx +++ b/website/content/docs/concepts/domain-model/host-catalogs.mdx 
@@ -8,6 +8,15 @@ description: |- # Host Catalog -A host catalog is a permission boundary modeled as a container. A Host Catalog can contain Scopes forming a tree. A Scope can own zero to many Groups, Roles, Targets, and Host Catalogs. Scope is abstract. Organization and Project are concrete Scopes. All resources owned by a Scope are deleted when the Scope is deleted. +A host catalog is a permission boundary modeled as a container. +A Host Catalog can contain Scopes forming a tree. +A Scope can own zero to many +Groups, +Roles, +Targets, +and Host Catalogs. +Scope is abstract. +Organization and Project are concrete Scopes. +All resources owned by a Scope are deleted when the Scope is deleted. ## Attributes diff --git a/website/content/docs/concepts/domain-model/host-sets.mdx b/website/content/docs/concepts/domain-model/host-sets.mdx index e13dcfec9b..bccbd9639f 100644 --- a/website/content/docs/concepts/domain-model/host-sets.mdx +++ b/website/content/docs/concepts/domain-model/host-sets.mdx @@ -8,6 +8,14 @@ description: |- # Host Set -A host set is a resource which provides a subset of Hosts from the set of Hosts of the Host Catalog it belongs to. A Host Set belongs to one and only one Host Catalog. A Host Set can contain zero or more Hosts. A Host Set can be contained by zero or more Targets. Host Set is abstract. A Host Set is deleted when the Host Catalog it belongs to is deleted. The lifecycle of a Host Set is not tied to the lifecycle of any Targets or Hosts. +A host set is a resource +which provides a subset of Hosts +from the set of Hosts of the Host Catalog it belongs to. +A Host Set belongs to one and only one Host Catalog. +A Host Set can contain zero or more Hosts. +A Host Set can be contained by zero or more Targets. +Host Set is abstract. +A Host Set is deleted when the Host Catalog it belongs to is deleted. +The lifecycle of a Host Set is not tied to the lifecycle of any Targets or Hosts. ## Attributes 
diff --git a/website/content/docs/concepts/domain-model/hosts.mdx b/website/content/docs/concepts/domain-model/hosts.mdx index 3c5769938b..01ef499f3a 100644 --- a/website/content/docs/concepts/domain-model/hosts.mdx +++ b/website/content/docs/concepts/domain-model/hosts.mdx @@ -8,6 +8,11 @@ description: |- # Host -A host is a computing element with a network address reachable from Boundary. A Host belongs to one and only one Host Catalog. A Host can be contained by zero or more Host Sets. Host is abstract. A Host is deleted when the Host Catalog it belongs to is deleted. The lifecycle of a Host is not tied to the lifecycle of any Host Sets. +A host is a computing element with a network address reachable from Boundary. +A Host belongs to one and only one Host Catalog. +A Host can be contained by zero or more Host Sets. +Host is abstract. +A Host is deleted when the Host Catalog it belongs to is deleted. +The lifecycle of a Host is not tied to the lifecycle of any Host Sets. ## Attributes diff --git a/website/content/docs/concepts/domain-model/index.mdx b/website/content/docs/concepts/domain-model/index.mdx index 72c50ddcee..db717609d3 100644 --- a/website/content/docs/concepts/domain-model/index.mdx +++ b/website/content/docs/concepts/domain-model/index.mdx 
@@ -8,6 +8,17 @@ description: |- # Overview -Boundary has a rich domain model consisting of resources that represent IAM principals, infrastructure, and the means to tie them together. This section contains information about the various resources within the domain and how they relate to each other. +Boundary has a rich domain model +consisting of resources that represent +IAM principals, +infrastructure, +and the means to tie them together. +This section contains information about the various resources within the domain +and how they relate to each other. -When getting started with Boundary, the first resource to look at should probably be [Scopes](/docs/concepts/domain-model/scopes). Every other resources is either contained within a scope, or contained within another resource that is itself contained within a scope. That page can help you understand the structure of resources within Boundary. \ No newline at end of file +When getting started with Boundary, +the first resource to look at should probably be [Scopes](/docs/concepts/domain-model/scopes). +Every other resources is either contained within a scope, +or contained within another resource +that is itself contained within a scope. +That page can help you understand the structure of resources within Boundary. diff --git a/website/content/docs/concepts/domain-model/organizations.mdx b/website/content/docs/concepts/domain-model/organizations.mdx index 6c22123b60..4374417594 100644 --- a/website/content/docs/concepts/domain-model/organizations.mdx +++ b/website/content/docs/concepts/domain-model/organizations.mdx 
@@ -8,7 +8,21 @@ description: |- # Organization -An Organization is a top-level container, and owns zero to many Projects and zero to many Authentication Methods. An Organization inherits from Scope ("is-a" Scope) allowing it to own zero to many Groups, Roles, Policies, Targets, Host Catalogs or Credential Stores. When an Organization is deleted, all resources owned by it are also deleted. The lifecycle of an Organization is not tied to anything else. A Role at the Organization level can grant permissions at the Project level. +An Organization is a top-level container, +and owns zero to many Projects +and zero to many Authentication Methods. +An Organization inherits from Scope ("is-a" Scope) +allowing it to own zero to many +Groups, +Roles, +Policies, +Targets, +Host Catalogs +or Credential Stores. +When an Organization is deleted, +all resources owned by it are also deleted. +The lifecycle of an Organization is not tied to anything else. +A Role at the Organization level can grant permissions at the Project level. # Attributes diff --git a/website/content/docs/concepts/domain-model/principals.mdx b/website/content/docs/concepts/domain-model/principals.mdx index f1a73599c1..8260f4a997 100644 --- a/website/content/docs/concepts/domain-model/principals.mdx +++ b/website/content/docs/concepts/domain-model/principals.mdx @@ -8,4 +8,10 @@ description: |- # Principal -A principal is any entity which can be assigned capabilities. Principal is abstract. User, Group, and Project are concrete Principals. A Principal can be assigned to zero or more Roles. +A principal is any entity which can be assigned capabilities. +Principal is abstract. +User, +Group, +and Project +are concrete Principals. +A Principal can be assigned to zero or more Roles. diff --git a/website/content/docs/concepts/domain-model/projects.mdx b/website/content/docs/concepts/domain-model/projects.mdx index 8d341847a8..e7a01a536a 100644 --- a/website/content/docs/concepts/domain-model/projects.mdx 
+++ b/website/content/docs/concepts/domain-model/projects.mdx @@ -8,7 +8,23 @@ description: |- # Project -A project is a child scope of an organization and is owned by an Organization. A Project inherits from Scope ("is-a" Scope) allowing it to own zero to many Groups, Roles, Policies, Targets, Host Catalogs or Credential Stores. A Project also inherits from Principal ("is-a" Principal) allowing it to be associated with zero or more Roles. A Project has no additional relationships beyond those defined in Scope and Principal. A Project is deleted when the Organization it belongs to is deleted. When a Project is deleted, all resources owned by it are also deleted. The lifecycle of a Project is not tied to any resource it contains. +A project is a child scope of an organization +and is owned by an Organization. +A Project inherits from Scope ("is-a" Scope) +allowing it to own zero to many +Groups, +Roles, +Policies, +Targets, +Host Catalogs +or Credential Stores. +A Project also inherits from Principal ("is-a" Principal) +allowing it to be associated with zero or more Roles. +A Project has no additional relationships beyond those defined in Scope and Principal. +A Project is deleted when the Organization it belongs to is deleted. +When a Project is deleted, +all resources owned by it are also deleted. +The lifecycle of a Project is not tied to any resource it contains. ```shell-session +-----------------------------------+ diff --git a/website/content/docs/concepts/domain-model/resources.mdx b/website/content/docs/concepts/domain-model/resources.mdx index bb75719bc4..76f5c74c90 100644 --- a/website/content/docs/concepts/domain-model/resources.mdx +++ b/website/content/docs/concepts/domain-model/resources.mdx 
@@ -8,4 +8,17 @@ description: |- # Resource -A resource is an instance of one of the Resource Types. Resource is abstract. A Resource can be associated with zero or more Direct Grants. A resource can be any one of the following: organization, project, authentication-method, group, role, target, host-catalog, host-set, credential-catalog, credential-set. +A resource is an instance of one of the Resource Types. +Resource is abstract. +A Resource can be associated with zero or more Direct Grants. +A resource can be any one of the following: +organization, +project, +authentication-method, +group, +role, +target, +host-catalog, +host-set, +credential-catalog, +credential-set. diff --git a/website/content/docs/concepts/domain-model/roles.mdx b/website/content/docs/concepts/domain-model/roles.mdx index f7718a3eca..3a3a541e75 100644 --- a/website/content/docs/concepts/domain-model/roles.mdx +++ b/website/content/docs/concepts/domain-model/roles.mdx 
@@ -8,7 +8,14 @@ description: |- # Roles -A role is a collection of capabilities granted to any Principal the Role is assigned to. A Role belongs to one and only one Scope. A Role owns zero or more Direct Grants. A Role can be assigned to zero or more Principals. A Principal assigned a Role receives all capabilities granted by any Direct Grant owned by the Role. A Role is deleted when the Scope it belongs to is deleted. All Direct Grants owned by a Role are deleted when the Role is deleted. The lifecycle of a Role is not tied to the lifecycle of any Principal. +A role is a collection of capabilities granted to any Principal the Role is assigned to. +A Role belongs to one and only one Scope. +A Role owns zero or more Direct Grants. +A Role can be assigned to zero or more Principals. +A Principal assigned a Role receives all capabilities granted by any Direct Grant owned by the Role. +A Role is deleted when the Scope it belongs to is deleted. +All Direct Grants owned by a Role are deleted when the Role is deleted. +The lifecycle of a Role is not tied to the lifecycle of any Principal. ```shell-session +---------------------------------+ diff --git a/website/content/docs/concepts/domain-model/scopes.mdx b/website/content/docs/concepts/domain-model/scopes.mdx index 4211f8101e..192a1bbc24 100644 --- a/website/content/docs/concepts/domain-model/scopes.mdx +++ b/website/content/docs/concepts/domain-model/scopes.mdx 
@@ -8,4 +8,15 @@ description: |- # Scope -A scope is a permission boundary modeled as a container. A Scope can contain Scopes forming a tree. A Scope can own zero to many Groups, Roles, Policies, Targets, Host Catalogs and Credential Stores. Scope is abstract. Organization and Project are concrete Scopes. All resources owned by a Scope are deleted when the Scope is deleted. +A scope is a permission boundary modeled as a container. +A Scope can contain Scopes forming a tree. +A Scope can own zero to many +Groups, +Roles, +Policies, +Targets, +Host Catalogs +and Credential Stores. +Scope is abstract. +Organization and Project are concrete Scopes. +All resources owned by a Scope are deleted when the Scope is deleted. diff --git a/website/content/docs/concepts/domain-model/targets.mdx b/website/content/docs/concepts/domain-model/targets.mdx index 6fde92b803..757c7198c8 100644 --- a/website/content/docs/concepts/domain-model/targets.mdx +++ b/website/content/docs/concepts/domain-model/targets.mdx @@ -8,6 +8,16 @@ description: |- # Target -A target is a networked service a User can connect to and interact with through Boundary. A Target does not directly contain any secrets. A Target contains a collection of Hosts. A Target belongs to one and only one Scope. A Target can contain zero or more Host Sets. Target is abstract. A Target is deleted when the Scope it belongs to is deleted. The lifecycle of a Target is not tied to the lifecycle of any Host Set. +A target is a networked service +a User can connect to +and interact with +through Boundary. +A Target does not directly contain any secrets. +A Target contains a collection of Hosts. +A Target belongs to one and only one Scope. +A Target can contain zero or more Host Sets. +Target is abstract. +A Target is deleted when the Scope it belongs to is deleted. +The lifecycle of a Target is not tied to the lifecycle of any Host Set. ## Attributes 
diff --git a/website/content/docs/concepts/domain-model/users.mdx b/website/content/docs/concepts/domain-model/users.mdx index b334a1ca7b..d115d3ea19 100644 --- a/website/content/docs/concepts/domain-model/users.mdx +++ b/website/content/docs/concepts/domain-model/users.mdx @@ -8,7 +8,19 @@ description: |- # User -A user is any entity authorized to access Boundary using authentication credentials specific to one of the configured Authentication Methods. A User is owned by one and only one Organization. A User is associated with zero or one Authentication Methods. A User not associated with an Authentication Method can not log in to the system. A User can belong to zero or more Groups. A User inherits from Principal ("is-a" Principal) allowing it to be associated with zero or more Roles. A User is deleted when the Organization it belongs to is deleted. The lifecycle of a User is not tied to the lifecycle of any Authentication Method, Group or Role, but rather to its Organization only +A user is any entity authorized to access Boundary +using authentication credentials specific to one of the configured Authentication Methods. +A User is owned by one and only one Organization. +A User is associated with zero or one Authentication Methods. +A User not associated with an Authentication Method can not log in to the system. +A User can belong to zero or more Groups. +A User inherits from Principal ("is-a" Principal) allowing it to be associated with zero or more Roles. +A User is deleted when the Organization it belongs to is deleted. +The lifecycle of a User is not tied to the lifecycle of any +Authentication Method, +Group +or Role, +but rather to its Organization only ```shell-session +-------------------------------------+
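Review bot: In the accounts.mdx hunk the heading in the context line is `# Action`, but the file is accounts.mdx and the paragraph describes accounts; it should read `# Account`. The reflowed text also keeps the typo "A login name is a not a username" (stray "a"); since these sentences are being rewritten line by line anyway, fix it in the same change.

Review bot: In the actions.mdx hunk `[grants]()` is carried over with an empty link target, so the rendered page has a dead link. index.mdx in this same patch links with a site-relative path (`/docs/concepts/domain-model/scopes`), so `[grants](/docs/concepts/domain-model/grants)` would match both the existing link style and the grants.mdx path touched by this patch. Splitting a comma-separated enumeration one item per line ("create,", "read,", ...) is also unusual even for one-sentence-per-line formatting and makes the diff harder to read; keep short enumerations on one line.

Review bot: In the grants.mdx hunks the typo "granted to a roley" survives the reflow (should be "Role"), and "Resource types" is lowercased where every other occurrence uses "Resource Types". In the second hunk the comma in "`id=*;action=*`, will allow all actions on all resources" is stray; since that line documents a grant that is maximally permissive, it is also worth saying so explicitly (for example "`id=*;action=*` allows every action on every resource and should be reserved for administrative roles") so readers do not copy it into ordinary roles as a convenience.

Review bot: In the host-catalogs.mdx hunk the body is the scopes.mdx text with "Scope" swapped for "Host Catalog" in the first two sentences only: it says a Host Catalog "can contain Scopes forming a tree" and then continues with "Scope is abstract. Organization and Project are concrete Scopes", which describes Scopes, not Host Catalogs, and contradicts hosts.mdx and host-sets.mdx in this patch, where Hosts and Host Sets belong to a Host Catalog. Reflowing this paragraph locks in the wrong content; the body should be rewritten to describe Host Catalogs (what they contain, which Scope owns them, their deletion behaviour) before or as part of this change.

Review bot: In the index.mdx hunk "Every other resources is either contained within a scope" should be "Every other resource is". Dropping the missing trailing newline flagged by "\ No newline at end of file" is a welcome side effect of the rewrite.

Review bot: In the organizations.mdx hunk the context line `# Attributes` is a level-1 heading, while accounts.mdx, actions.mdx, host-catalogs.mdx, host-sets.mdx, hosts.mdx and targets.mdx in this same patch use `## Attributes`; this page's section nesting is inconsistent with the rest of the domain model and should be changed to `## Attributes`.

Review bot: In the resources.mdx hunk the enumerated Resource Types name `credential-catalog` and `credential-set`, whereas scopes.mdx, organizations.mdx and projects.mdx in this patch all say a Scope owns "Credential Stores"; one of the two namings is out of date. accounts.mdx also opens with "A Boundary account is a resource", yet `account` does not appear in this list, and the list has no entry for `host` even though hosts.mdx is part of the same domain model. Since the list is being reflowed item by item, reconcile it with the other pages in the same change.

Review bot: In the targets.mdx hunk the paragraph states both "A Target contains a collection of Hosts" and "A Target can contain zero or more Host Sets", while hosts.mdx says a Host is contained only by Host Sets and host-sets.mdx says a Host Set is contained by Targets. The first sentence should describe the relationship through Host Sets (for example "A Target reaches Hosts through the Host Sets it contains") so the three pages agree on the containment model.

Review bot: In the users.mdx hunk the final sentence "but rather to its Organization only" still has no terminating period, and "can not log in" should be "cannot log in". Both were present before the reflow, but a formatting-only change that touches every line of the paragraph is the right place to fix them.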