Update users/groups workflow doc (#655)

pull/659/head
Jeff Mitchell 6 years ago committed by GitHub
parent 1a6564db91
commit 24754933cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -7,6 +7,6 @@ description: Common workflows for Boundary
# Common Workflows
This section covers common workflows for managing targets, identities, and sessions within Boundary. This section assumes you've already covered the [getting started](/docs/getting-started) section and are familiar with basic Boundary knowledge. This section extends getting started by showing how to accomplish common workflows in the admin console, the command line, and with our [Terraform provider](https://github.com/hashicorp/terraform-provider-boundary).
This section covers common workflows for managing targets, identities, and sessions within Boundary. This section assumes you've already covered the [Getting Started](/docs/getting-started) section and are familiar with basic Boundary knowledge. This section extends Getting Started by showing how to accomplish common workflows in the admin console, the command line, and with our [Terraform provider](https://github.com/hashicorp/terraform-provider-boundary).
For more detailed guides on using Boundary please consult our [learn site](TBD).
For more detailed guides on using Boundary please consult our [Learn site](https://learn.hashicorp.com/boundary).

@ -1,31 +1,49 @@
---
layout: docs
page_title: Manage Identities
sidebar_title: Manage Identities
description: How to manage Boundary identities
page_title: Manage Users and Groups
sidebar_title: Manage Users and Groups
description: How to manage Boundary users and groups
---
# Manage Identities
# Managing Principals (Users and Groups)
Identities in Boundary are known as [Principals](/docs/concepts/domain-model/principals). Principals are embodied in two types of resources:
Users and Groups in Boundary are collectively known as principals. Assigning
[grants](/docs/concepts/security/permissions) on
[Roles](/docs/concepts/domain-model/roles) is performed through principal IDs;
that is, the unique IDs of either users, groups, or both.
1. Users
1. Groups
This page will walk you through managing users within Boundary. (Groups will be
added at a later time.)
Both users and groups can be granted access to resources through [grants](/docs/concepts/domain-model/grants) on [roles](/docs/concepts/domain-model/roles).
## Users
In this example, we're going to show you how to create an account and user for
an auth method to allow that user to login to Boundary. Because an
auth method can be at the org and global scopes, we're going to create an
org-scoped auth method in the default generated org.
Users in Boundary represent an _internal_ notion of a particular entity (human,
machine, etc.). Users can be correlated with one or more
[Account](/docs/concepts/domain-model/accounts) resources via [Auth
Methods](/docs/concepts/domain-model/auth-methods). Accounts represent
_external_ notions of a particular entity. Among other use-cases, this mechanism
allows for an easy way to switch users to new IdPs within the organization
deploying Boundary.
~> Note that all resource ID's in this example are illustration only - ID's are uniquely generated for every resource upon creation with the exception being
generated resources in `dev mode`. Please make sure to use the resource ID's that are generated when running this example. For example, if you run
`boundary users create`, use the resource ID of the user seen in stdout, not the ID in the example command.
In this example, we're going to show you how to create an account and user for
an auth method to allow that user to login to Boundary. Because an auth method
can be at the org and global scopes, we're going to create an org-scoped auth
method in the default generated org in a `dev` mode server. (If you're not
running `dev` mode, you'll need to substitute appropriate generated IDs in the
steps below.)
~> Currently, all auth methods auto-vivify users on authentication; that is, on
successful authentication against an account, if there is no user already linked
with that account, a user will be automatically created. This may be a nice
time-saver, but in other situations (such as when you want Terraform to fully
describe the Boundary resoruces) this may be undesirable, so the steps below
walk you through manually making these resources and linking them. A future
Boundary update will allow turning off auto-vivification on a per-auth-method
basis.
## Create an Auth Method
Create a password auth method in the generated default org:
Create a password-type auth method in the generated default org:
<Tabs>
<Tab heading="CLI">
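Review bot: The new auto-vivification note misspells "resources" as "resoruces" ("describe the Boundary resoruces"); fix the spelling before merge. The same hunk retitles the page to "Manage Users and Groups" while the body says "Groups will be added at a later time", so either keep the title to users until the groups section exists or add a stub heading for it. The rewritten intro also drops the link to /docs/concepts/domain-model/principals that the old text carried; keeping that link on the word "principals" would preserve the path to the domain-model page.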
@ -48,6 +66,7 @@ Auth Method information:
Name: Generated org scope
Parent Scope ID: global
Type: org
Attributes:
Minimum Login Name Length: 3
Minimum Password Length: 8
@ -59,7 +78,7 @@ Auth Method information:
1. Navigate to an org, then to auth methods.
1. Choose the **New** button.
1. Fill the auth method details.
1. Fill in the auth method details.
1. Choose **Save** and view the auth method edit form page.
<video muted playsInline autoPlay loop class="boundary-clickthrough-video">
@ -88,7 +107,10 @@ resource "boundary_auth_method" "password" {
## Create Account
Create an account for the org-scoped auth method. Note that user names must be all lowercase alphanumeric and the password must be 6 or more characters.
Create an account for the org-scoped auth method. Note that by default, user
names must be all lowercase alphanumeric of at least 3 characters and the
password must be 8 or more characters. (The minimum lengths can be changed in
the attributes for the auth method, if desired.)
<Tabs>
<Tab heading="CLI">
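Review bot: The rewritten account note says the minimum lengths "can be changed in the attributes for the auth method" without naming them; name the attributes as they appear in the CLI output earlier on the page (Minimum Login Name Length, Minimum Password Length) so readers can find the setting. The stated defaults of 3 and 8 now agree with that output, which the old "6 or more characters" wording did not.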
@ -106,6 +128,7 @@ Account information:
Type: password
Updated Time: Tue, 29 Sep 2020 08:35:02 PDT
Version: 1
Scope:
ID: o_1234567890
Name: Generated org scope

@ -85,7 +85,7 @@ export default [
content: [
'manage-scopes',
'manage-targets',
'manage-identities',
'manage-users-groups',
'manage-roles',
'manage-sessions',
],
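Review bot: Replacing 'manage-identities' with 'manage-users-groups' in the navigation list changes the page's slug, and nothing visible in this diff adds a redirect from the old path, so existing links to the manage-identities page would break. Add a redirect for the old slug or confirm one is handled elsewhere.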
