Hi, I am using Boundary and have a doubt: can we assign a set of hosts to a particular user?
Let's say I have two sets of hosts which have 4 VMs each.
I need to assign one host set to only user1 and the other host set to only user2. Is it possible to do it like that?
I’ve tried the below process:
I created a new auth ID called super-admin and I added two users (user1 and user2). Under the roles and permissions I gave access as * to id, type, actions for both user1 and user2. I created some hosts (VMs).
I faced the below challenge:
When I authenticated using the super-admin auth ID and user1 credentials it was successful, but when I tried to list the hosts I got permission denied, and when I try to list as super-admin I am able to list them.
Hosts and host sets are a little weird. Users don’t need to be able to read the host set to connect to a target that uses it – I actually have a couple of users and targets like this in my test environment. But if they can read the host set and its hosts, they’ll be able to choose a specific host to connect to in the desktop app.
Permissions in Boundary don’t inherit, so if you want a user to be able to list hosts in a host set in the desktop app or the admin GUI, it needs a certain baseline level of permissions on the org and project that host set is part of. If you look at a dev-mode Boundary instance, you’ll see roles at the global scope and the default org scope o_123456789 called “Login and default grants” that have permissions id=*;type=scope;actions=list,no-op (among others).
If you want an admin user to be able to edit any host catalog, it probably needs something like id=*;type=host-catalogs;actions=* as well as corresponding grants on host sets and hosts, at the project level. If you want it to be able to edit only a specific host-catalog, it’s probably more like id=*;type=host-catalogs;actions=list plus id=[some host catalog ID];actions=*. And it’s going to need those “default grant” permissions on global and the org and project assigned to it too.
Hi @omkensey, thanks, it worked. I gave roles and permissions as id=host-catalog id;actions=* plus id=*;type=host catalog;actions=list
I was able to log in and see the host catalog, but I am not able to see the hosts which have IP addresses under the host catalog. I can only edit the form or delete it.
Give the role list and either no-op or read on hosts in the project and you should be able to see them (read lets the user actually read the host info, no-op just lets the host object be seen in a list). create and update would be needed to create/edit them if they’re static hosts.
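The behaviour worked through in this thread, as an added example that is not part of the original posts and is not Boundary's own code: a simplified Python model of grant matching showing no inheritance between scopes, a pinned catalog grant not covering its hosts, and `list` needing `no-op` or `read` before items appear. All scope and resource IDs are constructed, and the model ignores grants that pin a parent ID together with a child type.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    scope: str          # scope the role's grants apply to (no inheritance)
    id: str             # "*" or one resource ID
    type: str           # resource type; "" when a single ID is pinned
    actions: frozenset

def parse_grant(scope, text):
    """Parse a grant string such as 'id=*;type=host;actions=list,read'."""
    f = dict(part.split("=", 1) for part in text.split(";"))
    return Grant(scope, f.get("id", "*"), f.get("type", ""),
                 frozenset(f["actions"].split(",")))

def covers(g, scope, rtype, rid):
    """Does grant g apply to resource rid of type rtype in this exact scope?"""
    if g.scope != scope:
        return False
    pinned = g.id == rid and g.type in ("", rtype)
    wildcard = g.id == "*" and g.type in (rtype, "*")
    return pinned or wildcard

def allowed(grants, scope, rtype, rid, action):
    return any(covers(g, scope, rtype, rid) and {action, "*"} & g.actions
               for g in grants)

def list_visible(grants, scope, rtype, ids):
    """None = permission denied. Otherwise the IDs on which the user holds
    some per-item action; 'list' and 'create' are collection actions."""
    if not allowed(grants, scope, rtype, "*", "list"):
        return None
    return [i for i in ids
            if any(covers(g, scope, rtype, i) and g.actions - {"list", "create"}
                   for g in grants)]

# Constructed IDs; "p_demo" is the project that holds the catalog and hosts.
HOSTS = ["hst_a", "hst_b"]
def grants_for(*strings, scope="p_demo"):
    return [parse_grant(scope, s) for s in strings]

# Grants from the follow-up post: the catalog is visible, its hosts are not.
catalog_only = grants_for("id=hcst_demo;actions=*",
                          "id=*;type=host-catalog;actions=list")
with_noop = catalog_only + grants_for("id=*;type=host;actions=list,no-op")
with_read = catalog_only + grants_for("id=*;type=host;actions=list,read")
# The same host grant on the org only: it does not reach the project.
org_level = grants_for("id=*;type=host;actions=list,read", scope="o_demo")
```
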