Managed groups are a way to support the dynamic assignment of role memberships in Boundary based on IDP permission claims. This can be used with Azure Active Directory, Auth0, Google, Okta, and other popular IDPs.
Each managed group has an Administrator-defined filter that is used to evaluate user memberships based on the user’s permission claims from their IDP. Permission claim metadata is captured in the Javascript web token exchanged from the IDP to Boundary at login time.
With Managed groups, you could trigger authorization workflows in your IDP such that they are synced to Boundary automatically.
An example workflow would be as follows:

1. User A needs special access to a PROD DB for 30 minutes.
2. User creates a request somewhere.
3. Authorizer is notified.
4. Approval means that the user gets an additional permission claim or group membership in their OIDC IDP.
5. At login time to Boundary, Boundary reads the JWT from the IDP and dynamically assigns them a group membership based on their time-bound authorization.
6. After the time limit expires, the grant/group membership is revoked in the IDP and the Boundary login session expires (Boundary login session lengths can be configured with a time to live).
7. If the Boundary user reauthenticates to Boundary, their IDP JWT is reevaluated based on all managed group filters and they receive the appropriate level of group memberships.
Would a workflow like the above meet your requirement?
A tutorial for getting started with OIDC groups is available here.
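The Boundary side of the workflow above, written as an added Terraform example (not from the original post or the tutorial): a managed group whose filter matches a time-bound group claim the IdP adds on approval, and a role that grants that managed group session authorization on the production database target. The claim name `prod-db-temp-access`, the variable values and the constructed token claims in the comment are assumptions; the auth method, scope and target are taken to already exist.

```hcl
# Existing objects, supplied by the operator (placeholders, not real IDs).
variable "oidc_auth_method_id" { type = string } # e.g. amoidc_...
variable "project_scope_id"    { type = string } # scope that holds the target
variable "prod_db_target_id"   { type = string } # e.g. ttcp_...

# Membership is decided at each login by evaluating the filter against the
# claims Boundary receives from the IdP. A constructed ID token issued after
# approval would carry, for example:
#   {"sub": "user-a", "groups": ["engineering", "prod-db-temp-access"]}
# Once the IdP revokes the group and the user re-authenticates, the filter
# no longer matches and the role binding below stops applying.
resource "boundary_managed_group" "prod_db_temp" {
  name           = "prod-db-temp-access"
  description    = "Users whose IdP approval currently includes prod DB access"
  auth_method_id = var.oidc_auth_method_id

  # Filter over the "/token/..." claim path; the IdP must be configured to
  # emit a "groups" claim in the ID token (assumed claim name).
  filter = "\"prod-db-temp-access\" in \"/token/groups\""
}

# The managed group is the principal; nothing is granted to users directly,
# so there is no per-user cleanup when the approval expires.
resource "boundary_role" "prod_db_temp" {
  name          = "prod-db-temp-access"
  description   = "Authorize sessions to the production DB target only"
  scope_id      = var.project_scope_id
  principal_ids = [boundary_managed_group.prod_db_temp.id]

  # Least privilege: a single target, a single action.
  grant_strings = [
    "ids=${var.prod_db_target_id};actions=authorize-session",
  ]
}
```

The session TTL on the Boundary side should be set no longer than the approval window, otherwise an already-established login outlives the revoked IdP claim until the user re-authenticates.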
Thanks @thameez.bodhanya for the thoughts - your ask also makes total sense. Handling the approval within Boundary (in addition to the already-supported external managed groups workflow) is a direction we’d like to head in in the future. For now we don’t have any timelines for approvals within Boundary, and using managed groups to shift the approval to your IDP as a workaround is the best solution. Thanks for the great suggestion though and we’ll pay attention to how many upvotes this receives.