Boundary support for temp grant/role assignment

Wondering if Boundary has a pre-built solution to allow for temporary additional granting of grants/roles to a role/user?

Obviously this can be done in TF or via the API, but I was hoping for an easier solution that already exists, like a Slackbot or an email to an authorizer.

For example:

  • User A needs special access to a PROD DB for 30 minutes
  • User creates a request somewhere
  • Authorizer is notified
  • Approval means that the user gets an additional grant applied to their role/or an additional policy is generated and added to the user
  • After time-limit expires, role/grant is revoked

Hi @thameez.bodhanya, have you considered OIDC managed groups?

Managed groups are a way to support the dynamic assignment of role memberships in Boundary based on IDP permission claims. This can be used with Azure Active Directory, Auth0, Google, Okta, and other popular IDPs.

Each managed group has an Administrator-defined filter that is used to evaluate user memberships based on the user’s permission claims from their IDP. Permission claim metadata is captured in the Javascript web token exchanged from the IDP to Boundary at login time.

With Managed groups, you could trigger authorization workflows in your IDP such that they are synced to Boundary automatically.
An example workflow would be as follows:

  • User A needs special access to a PROD DB for 30 minutes
  • User creates a request somewhere
  • Authorizer is notified
  • Approval means that the user gets an additional permission claim or group membership in their OIDC IDP.
  • At login time to Boundary, Boundary reads the JWT from the IDP and dynamically assigns them a group membership based on their time-bound authorization.
  • After time-limit expires, grant/group membership is revoked in the IDP and Boundary login session expires (Boundary login session lengths can be configured with a time to live)
  • If Boundary user reauthenticates to Boundary, their IDP JWT is reevaluated based off of all managed group filters and they receive the appropriate level of group memberships

Would a workflow like the above meet your requirement?

A tutorial for getting started with OIDC groups is available here.
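As an added example (not code from this thread or from HashiCorp), here is how the managed-group workflow above could be wired up in Terraform with the Boundary provider, so that the approval step lives in the IDP and Boundary picks it up at login. The IDP group name, hostnames, and the `boundary_scope.prod_project` / `boundary_target.prod_db` resources it references are assumptions.

```hcl
# Added example: wire an OIDC managed group to a time-bound IDP approval.
# Assumed: the IDP emits a "groups" claim in the ID token, and the approval
# workflow adds the user to the IDP group "prod-db-break-glass" for 30 minutes.
# Hostnames, names and referenced scope/target resources are hypothetical.

variable "oidc_client_id" { type = string }
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "boundary_auth_method_oidc" "corp_idp" {
  scope_id           = "global"
  name               = "corp-oidc"
  issuer             = "https://idp.example.com"       # hypothetical IDP
  client_id          = var.oidc_client_id
  client_secret      = var.oidc_client_secret
  signing_algorithms = ["RS256"]
  api_url_prefix     = "https://boundary.example.com"  # hypothetical controller URL
  claims_scopes      = ["groups"]                      # request group claims from the IDP
  state              = "active-public"
}

# The filter is evaluated against the ID token claims every time the user
# authenticates, so adding/removing the IDP group grants and revokes access.
resource "boundary_managed_group" "prod_db_break_glass" {
  auth_method_id = boundary_auth_method_oidc.corp_idp.id
  name           = "prod-db-break-glass"
  filter         = "\"prod-db-break-glass\" in \"/token/groups\""
}

# Role lives in the project scope that owns the target (defined elsewhere).
resource "boundary_role" "prod_db_break_glass" {
  scope_id      = boundary_scope.prod_project.id
  name          = "prod-db-break-glass"
  principal_ids = [boundary_managed_group.prod_db_break_glass.id]
  # Least privilege: only allow starting a session to the one PROD DB target.
  grant_strings = [
    "ids=${boundary_target.prod_db.id};actions=authorize-session",
  ]
}
```

Boundary re-evaluates the filter only when the user authenticates, so a user who already holds an auth token keeps the role until that token expires; set `auth_token_time_to_live` in the `controller` stanza of the Boundary server config to a value no longer than the approval window to bound that lag.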

Thanks for the response

That workflow makes sense, however I was hoping that Boundary would act as the "somewhere" in *User creates a request somewhere*.

It makes sense though, as the auth structure is being synced externally.

Thanks @thameez.bodhanya for the thoughts - your ask also makes total sense. Handling the approval within Boundary (in addition to the already-supported external managed groups workflow) is a direction we’d like to head in, in the future. For now we don’t have any timelines for approvals within Boundary, and using managed groups to shift the approval to your IDP as a workaround is the best solution. Thanks for the great suggestion though, and we’ll pay attention to how many upvotes this receives.

Happy New Year!