@ -39,7 +39,7 @@ Collections of resources are top level paths with plural English names for the r
All collection operations require supplying the enclosing resource. Depending on the collection type, this will be one of the following:
* A scope, indicating the scope in which an operation should take place. For instance, a POST to `/roles` would need to indicate whether the role should be created within the `global` scope or some organization scope like `o_1234567890`.
* A scope, indicating the scope in which an operation should take place. For instance, a POST to `/roles` would need to indicate whether the role should be created within the `global` scope or an org-level scope like `o_1234567890`.
* A parent resource of the appropriate type. For instance, hosts and host sets are child resources of host catalogs. When creating a new host set within a host catalog, a POST to `/host-sets` would need to indicate the host catalog ID with which the host-set should be associated.
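Review bot: the rewritten `/roles` line says "an org-level scope" while the auth-method and roles hunks in this same patch use "org-scoped" for the same idea; pick one form and use it on every page touched here. The unchanged parent-resource line that follows also mixes "host set" and "host-set" within one sentence, so normalise to "host set" while this region is being edited.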
@ -14,8 +14,10 @@ Identities in Boundary are known as [Principals](/docs/concepts/domain-model/pri
Both users and groups can be granted access to resources through [grants](/docs/concepts/domain-model/grants) on [roles](/docs/concepts/domain-model/roles).
In this example, we're going to show you how to create an account and user for an organization auth method to allow that user to login to Boundary. Because an
auth method can be at the org and global scopes, we're going to create an org-level auth method in the default generated org.
In this example, we're going to show you how to create an account and user for
an auth method to allow that user to login to Boundary. Because an
auth method can be at the org and global scopes, we're going to create an
org-scoped auth method in the default generated org.
~> Note that all resource ID's in this example are illustration only - ID's are uniquely generated for every resource upon creation with the exception being
generated resources in `dev mode`. Please make sure to use the resource ID's that are generated when running this example. For example, if you run
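Review bot: "to allow that user to login to Boundary" should read "to log in to Boundary" (verb form), and since the sentence is being rewritten anyway, fix it here. Dropping "organization" from "create an account and user for an organization auth method" leaves the first sentence saying only "an auth method", so the reader does not learn that the account belongs to an org-scoped auth method until the next sentence; "for an org-scoped auth method" keeps the sentence self-contained. The trailing `~>` note writes `dev mode` in backticks where the scopes page in this patch writes `dev` mode; standardise one of them.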
@ -23,7 +25,7 @@ generated resources in `dev mode`. Please make sure to use the resource ID's tha
## Create an Auth Method
Create a password auth method in the generated default organization:
Create a password auth method in the generated default org:
<Tabs>
<Tab heading="CLI">
@ -55,7 +57,7 @@ Auth Method information:
<Tab heading="Admin Console">
1. Navigate to an organization, then to auth methods.
1. Navigate to an org, then to auth methods.
1. Choose the **New** button.
1. Fill the auth method details.
1. Choose **Save** and view the auth method edit form page.
Create an account for the organization auth method. Note that user names must be all lowercase alphanumeric and the password must be 6 or more characters.
Create an account for the org-scoped auth method. Note that user names must be all lowercase alphanumeric and the password must be 6 or more characters.
<Tabs>
<Tab heading="CLI">
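Review bot: the account-creation sentence says the password "must be 6 or more characters"; this is the minimum the password auth method accepts, not a recommended length, so phrase it as "must be at least 6 characters (the minimum accepted)" to avoid readers treating 6 as guidance. The same sentence calls the field "user names" while the dev-mode resource list later in this patch calls the same field a "login name"; use the field name the CLI uses in both places.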
@ -118,7 +120,7 @@ Account information:
<Tab heading="Admin Console">
1. Navigate to organizations > auth methods > auth method, then to the **Accounts** tab.
1. Navigate to orgs > auth methods > auth method, then to the **Accounts** tab.
1. Choose the **New** button.
1. Fill the account details.
1. Choose **Save** and view the account edit form page.
@ -7,7 +7,7 @@ description: How to manage Roles and Permissions
# Manage Roles and Permissions
[Roles](/docs/concepts/domain-model/roles) in Boundary manage the permissions given to Principals. Roles can be defined at the global, organization, or project scope.
[Roles](/docs/concepts/domain-model/roles) in Boundary manage the permissions given to Principals. Roles can be defined at the global, org, or project scopes.
In this example, we're going to show you how to create a role in Boundary, assign that roles grants, and assign Principals to the role.
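Review bot: the unchanged sentence after the changed line reads "assign that roles grants", which should be "assign grants to that role"; since the adjacent line is already being touched, fix the grammar in the same change. The changed line's "at the global, org, or project scopes" also disagrees with the scopes page in this patch, which speaks of "three hierarchies of scopes"; "three levels of scope" would be a consistent term across both pages.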
@ -17,7 +17,7 @@ generated resources in `dev mode`. Please make sure to use the resource ID's tha
# Create a Role
Roles can live in the global, organization, or project scope. In this example we will create a role in the generated org scope in dev mode.
Roles can live in the global, org, or project scopes. In this example we will create a role in the generated org scope in dev mode.
<Tabs>
<Tab heading="CLI">
@ -46,7 +46,7 @@ Role information:
<Tab heading="Admin Console">
1. Navigate to an organization, then to roles.
1. Navigate to an org, then to roles.
1. Choose the **New** button.
1. Fill the role details.
1. Choose **Save** and view the role edit form page.
@ -7,23 +7,23 @@ description: How to manage Boundary scopes
# Manage Scopes
Scopes are a foundational part of Boundary. They allow users to segregate resources and assign ownership of resources to principals. There are three hierarchies of scopes within Boundary:
[Scopes](/docs/concepts/domain-model/scopes) are a foundational part of Boundary. They allow users to segregate resources and assign ownership of resources to principals. There are three hierarchies of scopes within Boundary:
1. Global
2. Organization
2. Org
3. Project
Some resources can only be associated with a specific level of scope. Targets for example can only be project scope. Other resources can be of multiple scopes. For example, users can be both global and organization level scoped. See the [domain model](/docs/concepts/domain-model) for detailed resource specific information.
Some resources can only be associated with a specific level of scope. Targets for example can only be project scope. Other resources can be of multiple scopes. For example, users can be created within the `global` scope or an org-level scope. See the [domain model](/docs/concepts/domain-model) for detailed resource specific information.
In this example, we're going to create two scopes, a project and an organization.
In this example, we're going to create two scopes, an org and a project.
~> All resource ID's in this example are illustration only - ID's are uniquely generated for every resource upon creation with the exception being
generated resources in `dev` mode. Please make sure to use the resource ID's that are generated when running this example. For example, if you run
`boundary users create`, use the resource ID of the user seen in stdout, not the ID in the example command.
## Create an Organization
## Create an Org
An organization lives in the global scope. In this example, we're going to create an organization. In doing so, we're going to opt for automated role creation during scope generation in order to simplify management of the scope by the user.
An org lives in the global scope. In this example, we're going to create an org. In doing so, we're going to opt for automated role creation during scope generation in order to simplify management of the scope by the user.
<Tabs>
<Tab heading="CLI">
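Review bot: the "Create an Org" paragraph says we "opt for automated role creation during scope generation in order to simplify management of the scope" but never states what role is created or which grants it carries; because this page is where readers learn where permission boundaries sit, add a sentence naming the grants of the auto-created role (or link to the roles page) so the reader knows what access exists in the new scope before any principal is assigned. In the same hunk, "Targets for example can only be project scope" needs punctuation and a hyphen ("Targets, for example, can only be project-scoped"), and the `~>` note writes `dev` mode where the auth-methods page writes `dev mode`.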
@ -52,8 +52,8 @@ Scope information:
1. Navigate to the Boundary landing page.
1. Choose the **New** button.
1. Fill organization details.
1. Choose **Save** and view the organization on the Boundary landing page.
1. Fill org details.
1. Choose **Save** and view the org on the Boundary landing page.
Next, we're going to add a project scope to our organization. Again, we're going to opt for automated role creation to simplify management of this scope.
Next, we're going to add a project scope to our org. Again, we're going to opt for automated role creation to simplify management of this scope.
<Tabs>
<Tab heading="CLI">
@ -109,7 +109,7 @@ Scope information:
<Tab heading="Admin Console">
1. Navigate to an organization, which leads to an overview of projects within that organization.
1. Navigate to an org, which leads to an overview of projects within that org.
1. Choose the **New** button.
1. Fill project details.
1. Choose **Save** and view the project edit form page.
A scope is a [permission][] boundary modeled as a container.
There are three types of scopes in Boundary.
A single [global][] scope which is the outermost container.
[Organizations][] which are contained by the global scope.
And [projects][] which are contained by organizations.
There are three types of scopes in Boundary:
A single [global][] scope which is the outermost container;
[organizations][] (orgs) which are contained by the `global` scope;
and [projects][] which are contained by orgs.
Each scope is itself a resource.
## Global
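Review bot: in the rewritten three-clause sentence listing scope types, "global" is plain in "A single [global][] scope" but monospaced as `global` in "contained by the `global` scope"; use one form within the sentence. The clauses are joined by semicolons after a colon, so "A single" should be lowercased to match "and [projects][]" in the last clause.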
@ -25,15 +25,17 @@ The global scope can directly contain:
## Organizations
An organization is a scope directly contained by the global scope.
There can be multiple organizations within the global scope.
An organization can directly contain:
[users][], [groups][], [auth methods][], and [projects][].
~> Within the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
An org is a scope directly contained by the global scope.
There can be multiple orgs within the global scope.
An org can directly contain:
[users][], [groups][], [auth methods][], [roles][], and [projects][].
## Projects
A project is a scope directly contained by an organization scope.
There can be multiple projects within an organization.
A project is a scope directly contained by an org scope.
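Review bot: adding `[roles][]` to what an org can directly contain matches the roles page in this patch (roles can be defined at the global, org, or project scopes), so the "## Global" and "## Projects" container lists should name roles too; the global list appears only as unchanged hunk context here, so confirm it already includes roles and update the projects list in the same change. The added `~>` note explaining "org" versus "organization" applies to every page in this patch, so it belongs once at the top of the domain model rather than under the Organizations heading.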
@ -32,7 +32,7 @@ Dev mode brings up a fully functioning instance of Boundary, including:
These components should all be considered ephemeral - no data persistence occurs across dev mode restarts. Along with these external components, dev mode also creates several resources within Boundary to make it easier and faster to connect to your first target:
1. A organization [scope](/docs/concepts/domain-model/scopes) and a project scope with a default ID of `o_1234567890` and `p_1234567890` respectively.
1. A org [scope](/docs/concepts/domain-model/scopes) and a project scope with a default ID of `o_1234567890` and `p_1234567890` respectively.
1. An [auth method](/docs/concepts/domain-model/auth-methods) with a random login name and password with a default auth method ID of `ampw_1234567890`.
1. A static [host catalog](/docs/concepts/domain-model/host-catalogs) with a default ID of `hcst_1234567890`.
1. A static [host](/docs/concepts/domain-model/hosts) and [host set](/docs/concepts/domain-model/host-sets) with default ID's of `hst_1234567890` and `hsst_1234567890` respectively.
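Review bot: "A org [scope]" on the changed line should be "An org [scope]". The unchanged context lines use "ID's" for the plural; "IDs" is correct and worth fixing in this hunk while the list is being edited.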