Hide Scopes in Boundary

If I understood the grant model in Boundary correctly there is no way to set grants in such a way that some role R1 can see a subset of Organisations or Projects while role R2 only sees a different (possibly overlapping) subset of Organisations and Projects. This way some scopes would effectively become hidden to members of R1 while others are hidden to R2. You can either list all scopes or none but not get a subset, right? Just want to make sure I am not missing anything.

You can definitely do this! You just have to use the ids=<scope1_id>,<scope2_id>;actions=read,list form of a grant to specify explicitly which scopes to make visible to the principals on that role.

I just tried that for roles (of an org) and scopes (projects of an org). It works to the point that the members of the role having the grants can read the scopes and roles but listing is denied completely. It’s better than nothing but I would prefer if they could list the ids they are allowed to interact with instead of having to guess them.

Apologies, I led you down a wrong path. Listing is a collection action, so the grant needs to be on the collection itself; see Resource table | Boundary | HashiCorp Developer

However, listing visibility means that you need to also grant some permission on the individual scopes. I inadvertently combined the two in my example above, but they need to be separate grants because one grant is for the collection and another is giving read (or no-op, or some other action) to individual IDs, which will satisfy listing visibility.

Yes! That did the trick. As you said, one actions=list grant for the type without the id and one actions=no-op grant with the specific id:

type=role;actions=list
id=p_[redacted];type=scope;actions=no-op

From all the projects only the one specified is shown. Thank you!

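As an added illustration for this thread (it is not part of any post above and not Boundary's own authorization code), the following Python model encodes the rules the replies describe: `list` only counts on a collection-level grant (a type with no id), listing visibility additionally needs some grant on each individual id and only those ids are returned, and `read` on an individual id works on its own. The grant strings, ids and resource types are constructed for the example; anonymous-user handling is not modelled.

```python
"""Toy evaluator for the grant strings discussed in this thread.

Added illustration written for this thread, not Boundary's authorization
code. It models only the behaviour the replies describe:
  * "list" is a collection action: it counts only on a grant that names a
    type and no id.
  * Listing visibility also needs some grant (read, no-op, ...) on each
    individual id, and only those ids are returned.
  * "read" on an individual id works on its own, with or without a
    collection grant.
Grant strings use the id=/ids=/type=/actions= form from the thread.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    ids: frozenset[str]      # explicit ids; empty means a collection-level grant
    type: str | None         # resource type the grant names, if any
    actions: frozenset[str]


def parse_grant(text: str) -> Grant:
    """Parse one grant string such as 'id=p_1;type=scope;actions=no-op'."""
    ids: set[str] = set()
    typ: str | None = None
    actions: set[str] = set()
    for part in text.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed grant segment: {part!r}")
        if key in ("id", "ids"):
            ids.update(v for v in value.split(",") if v)
        elif key == "type":
            typ = value
        elif key == "actions":
            actions.update(a for a in value.split(",") if a)
        else:
            raise ValueError(f"unknown grant key: {key!r}")
    if not ids and typ is None:
        raise ValueError("a grant needs an id or a type")
    if not actions:
        raise ValueError("a grant needs at least one action")
    return Grant(frozenset(ids), typ, frozenset(actions))


def _grant_covers_id(g: Grant, resource_type: str, resource_id: str) -> bool:
    """True if g is an individual-id grant that applies to this resource."""
    if g.type not in (None, resource_type):
        return False
    return resource_id in g.ids or "*" in g.ids


def can_read(grants: list[Grant], resource_type: str, resource_id: str) -> bool:
    """Individual read: needs an id grant carrying read (or *) on this id."""
    return any(
        _grant_covers_id(g, resource_type, resource_id)
        and bool(g.actions & {"read", "*"})
        for g in grants
    )


def list_visible(grants: list[Grant], resource_type: str,
                 all_ids: list[str]) -> list[str] | None:
    """Model of listing.

    Returns None when listing is denied outright (no collection-level list
    grant for the type); otherwise the subset of all_ids that some
    individual grant makes visible, in the order given.
    """
    has_collection_list = any(
        not g.ids and g.type == resource_type and bool(g.actions & {"list", "*"})
        for g in grants
    )
    if not has_collection_list:
        return None
    return [
        rid for rid in all_ids
        if any(_grant_covers_id(g, resource_type, rid) for g in grants)
    ]


if __name__ == "__main__":
    # Constructed sample: two projects in the org, p_x does not exist.
    projects = ["p_1", "p_2"]
    combined = [parse_grant("ids=p_1,p_2;type=scope;actions=read,list")]
    split = [parse_grant("type=scope;actions=list"),
             parse_grant("id=p_1;type=scope;actions=no-op")]
    bogus = [parse_grant("type=scope;actions=list"),
             parse_grant("id=p_x;type=scope;actions=no-op")]
    print("combined grant: read p_1 =", can_read(combined, "scope", "p_1"),
          "| list =", list_visible(combined, "scope", projects))
    print("split grants:   list =", list_visible(split, "scope", projects))
    print("bogus id:       list =", list_visible(bogus, "scope", projects))
```

Running it reproduces the three situations from the thread: the combined `ids=...;actions=read,list` grant allows reads but listing is denied (`None`), the collection `list` grant plus a `no-op` on `p_1` lists only `p_1`, and a `no-op` on a non-existent id lists nothing.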

This is a bit odd. Hiding works for signed in users but does not for u_anon. If I am not logged in and the setup of grants as described is assigned to the u_anon principal I can still list all scopes. u_anon seems to be handled differently when it comes to listing entries. Is this intended? It feels highly unexpected to me. If there is no explicit id=p_xxx listed then u_anon does not see anything but if there is at least one (and the id does not even have to exist) u_anon can list all scopes.

Setup:

  1. Create an org o1
  2. Create project p1 in o1
  3. Create project p2 in o1
  4. Create role r1 in o1
  5. Assign u_anon to r1
  6. Add grants to r1: type=scope;actions=list and id=p_x;type=scope;actions=no-op

Not signed in, I can now list all the scopes. Signed in the list of scopes is empty (because p_x is invalid).