@ -8,15 +8,69 @@ description: |-
# Scopes
A scope is a permission boundary modeled as a container.
A Scope can contain Scopes forming a tree.
A Scope can own zero to many
Groups,
Roles,
Policies,
Targets,
Host Catalogs
and Credential Stores.
Scope is abstract.
Organization and Project are concrete Scopes.
All resources owned by a Scope are deleted when the Scope is deleted.
A scope is a [permission][] boundary modeled as a container.
There are three types of scopes in Boundary.
A single [global][] scope which is the outermost container.
[Organizations][] which are contained by the global scope.
And [projects][] which are contained by organizations.
Each scope is itself a resource.
## Global
The global scope is the outermost scope.
There is always a single global scope
and it cannot be deleted.
The global scope can directly contain:
[users][], [groups][], [authentication methods][], and [organizations][].
## Organizations
An organization is a scope directly contained by the global scope.
There can be multiple organizations within the global scope.
An organization can directly contain:
[users][], [groups][], [authentication methods][], and [projects][].
## Projects
A project is a scope directly contained by an organization scope.
There can be multiple projects within an organization.
A project can directly contain:
[roles][], [targets][], and [host catalogs][]
## Attributes
A scope has the following configurable attributes:
- `name` - (optional)
If set, the `name` must be unique within the scope's parent scope.
- `description` - (optional)
## Referenced By
- [Authentication Method][]
- [Group][]
- [Host Catalog][]
- [Role][]
- [Target][]
- [User][]
[authentication method]: /docs/concepts/domain-model/auth-methods
[authentication methods]: /docs/concepts/domain-model/auth-methods
[global]: /docs/concepts/domain-model/scopes#global
[group]: /docs/concepts/domain-model/groups
[groups]: /docs/concepts/domain-model/groups
[host catalog]: /docs/concepts/domain-model/host-catalogs
[host catalogs]: /docs/concepts/domain-model/host-catalogs
[organization]: /docs/concepts/domain-model/scopes#organizations
[organizations]: /docs/concepts/domain-model/scopes#organizations
[permission]: /docs/concepts/security/permissions
[permissions]: /docs/concepts/security/permissions
[project]: /docs/concepts/domain-model/scopes#projects
[projects]: /docs/concepts/domain-model/scopes#projects
[role]: /docs/concepts/domain-model/roles
[roles]: /docs/concepts/domain-model/roles
[target]: /docs/concepts/domain-model/targets
[targets]: /docs/concepts/domain-model/targets
[user]: /docs/concepts/domain-model/users
[users]: /docs/concepts/domain-model/users
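Review bot: the rewritten text drops the earlier sentence "All resources owned by a Scope are deleted when the Scope is deleted." without carrying it over, yet cascading deletion is the most consequential property of a scope for an operator and should be stated in the new version, for example right after "Each scope is itself a resource." or as a note under "## Attributes". The new "can directly contain" lists also silently drop Policies and Credential Stores, which the earlier text listed among the things a scope owns; either say where they now live or state that they are not covered on this page. Minor: the project list "[roles][], [targets][], and [host catalogs][]" is missing its terminating period, and it omits users and groups while the global and organization lists omit roles, so say explicitly whether roles can only be created in a project, since that decides where permissions can be granted.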