docs: Clarify projects' purpose (#4049)

* docs: Clarify projects' purpose

* docs: Update meta content

* docs: Add more context
pull/4151/head
Dan Heath 2 years ago committed by GitHub
parent 9bf942243c
commit 5ff8d4e1c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -2,39 +2,59 @@
layout: docs
page_title: Domain model - scopes
description: |-
The anatomy of a Boundary scope
Use scopes to group and manage resources in Boundary. Learn how to configure global scopes, org scopes, and projects to logically group resources.
---
# Scopes
A scope is a [permission][] boundary modeled as a container.
Scopes are groupings of resources.
Each scope is also a resource.
You create scopes to partition resources and then assign ownership of those resources to principals (users and groups).
There are three types of scopes in Boundary:
A single [global][] scope which is the outermost container;
[organizations][] (orgs) which are contained by the `global` scope;
and [projects][] which are contained by orgs.
Each scope is itself a resource.
- A single [global][] scope is the outermost container.
- [Organizations][] (orgs) are contained by the `global` scope.
- [Projects][] are contained by orgs.
<Note>
Within the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
</Note>
You can only associate certain resources with specific levels of scopes.
For example, while you can create users at the global or org level, you can only create targets within a project.
You can nest projects within orgs to configure access to resources.
For example, you may create an org scope called `IT-Support` that contains the users or groups that make up your IT department.
Then, you might create a project called `QA-Tests` that is contained within the`IT-Support` org.
You can add hosts, host sets, and targets to the `QA-Tests` project to control the resources your IT department can access.
To more granularly control what resources your users can access, you can separate resources out into additional projects.
You can also assign permissons across scopes, if you want a user from one scope to have access to a resource that is not normally granted to that user's scope.
## Global
The global scope is the outermost scope.
There is always a single global scope
and it cannot be deleted.
You use the global scope for the initial administration, setup, and management of any org scopes.
The global scope can directly contain:
[users][], [groups][], [auth methods][], and [organizations][].
## Organizations
~> **Note:** Within the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
An org is a scope directly contained by the global scope.
There can be multiple orgs within the global scope.
You can create multiple orgs within the global scope.
Orgs are used to contain identity and access management-related resources and projects.
An org can directly contain:
[users][], [groups][], [auth methods][], [roles][], and [projects][].
## Projects
A project is a scope directly contained by an org scope.
There can be multiple projects within an org.
You can create multiple projects within an org scope.
Projects are used to contain infrastructure-related resources.
A project can directly contain:
[roles][], [targets][], [host catalogs][], and [credential stores][].
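Review bot: Two typos in the overview paragraph that introduces the `IT-Support` / `QA-Tests` example: "contained within the`IT-Support` org" is missing the space before the backtick, and "assign permissons across scopes" should read "permissions". In the same paragraph, "You can add hosts, host sets, and targets to the `QA-Tests` project" does not line up with the Projects section, which lists [roles][], [targets][], [host catalogs][], and [credential stores][] as what a project directly contains; suggest naming host catalogs in the example so the two agree. The sentence on assigning permissions across scopes is the one place the page describes access that crosses a scope boundary, so it would help to link it to [permission][] or [roles][] instead of leaving the mechanism unstated.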
