Giving access to newly created users

How do I allow newly created users to connect to some hosts?

I’ve tried many things: creating the user, account and roles, and many different grants, even with wildcards, but when trying to connect with the CLI (boundary connect ssh -target-id ) I always get a 403.

Error from controller when performing authorize-session against target: 
Error information:
  Code:
  Message:             Forbidden
  Status:              403

I guess I’m missing something. Is there any explanation of which grants are required to allow these operations?

Hi there! Sorry you’re having trouble.

We tried to put clues in the error message when actions fail: in this case it says it failed to perform authorize-session against the target. The issue is that you need the authorize-session action against that target from a grant. (As explained at https://www.boundaryproject.io/docs/common-workflows/manage-sessions#advanced-session-establishment, under the hood boundary connect is performing the same action as boundary targets authorize-session.)

You may find it helpful, if you haven’t seen it, to take a look at https://www.boundaryproject.io/docs/concepts/security/permissions#resource-table which is an (I believe) exhaustive list of the available actions/grants.

Hi Jeff!

Thanks for your reply.
After having a closer look at all the permissions and scope, I figured out what I was missing.
I missed the fact that the required roles and grants must be configured on the project scope.
After creating those resources using the CLI or Terraform, my newly created user is able to connect to the targets. :+1:
It seems like configuring roles and grants on project scope is not possible using the Admin UI.

1 Like
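
The fix described in the last post, as an added Terraform example that is not part of the original thread: a role created in the project scope (not the org or global scope) that gives one user authorize-session on one target. The variable names, resource name and role name are assumptions, the provider is assumed to be configured elsewhere, and the grant strings use the `ids=` form of newer Boundary releases (older releases use `id=`).

```hcl
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Assumed inputs: IDs of resources that already exist in Boundary.
variable "project_scope_id" {
  type        = string
  description = "ID of the project scope that contains the target"
}

variable "user_id" {
  type        = string
  description = "ID of the newly created user"
}

variable "target_id" {
  type        = string
  description = "ID of the target the user may connect to"
}

# The role lives in the project scope, because that is where targets live.
# A role defined only at org or global scope does not cover the target,
# which produces the 403 on authorize-session shown in the question.
resource "boundary_role" "project_connect" {
  name          = "project-connect" # hypothetical name
  description   = "Allow one user to open sessions to one target"
  scope_id      = var.project_scope_id
  principal_ids = [var.user_id]

  grant_strings = [
    # Let the user list and read targets in this project.
    "ids=*;type=target;actions=list,read",
    # Pin authorize-session to a single target instead of a wildcard,
    # so the role does not silently cover targets added later.
    "ids=${var.target_id};type=target;actions=authorize-session",
  ]
}
```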