I’m trying to understand Boundary’s permissions model.
I have auth-method and groups/users defined in ‘global’ scope. I added a few organization scopes and in each org a few projects.
I tried to set permissions like:
- ‘global admin’ - access all hosts/targets in all orgs/projects
- ‘org admin’ - access all hosts/targets in all projects in selected org
For ‘global admin’ I created a role in the global scope (for simplicity I added grants like `id=*;type=*;actions=*`) and attached it to a group/user (with global scope selected). Similarly, I created a role in org scope (with scope for the org).
With such a setup I was not able to see all defined targets (globally or in the selected org). To be able to do it, I had to change the scope of the role to the project level.
I read the “Permissions | Boundary by HashiCorp” page and I see that targets have only the ‘project’ level as ‘applicable scope’.
So my questions are:
- Is it possible to define such a ‘global admin’ without creating separate roles for each project (and I’m just missing something in my configuration)? Or is it only possible to grant access to targets by defining roles with ‘project’ scope?
- What is the reason behind it? (I understand there’s sometimes a need for strict access, but on the other hand it forces us to create multiple roles, add principals there, etc.)
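As an added illustration (not from the original post and not Boundary’s own code), here is a small Python model of the scoping rule the question runs into: a role’s grants only apply to resources in the role’s grant scope, and targets live in projects, so a wildcard role whose grant scope is `global` authorizes nothing on a project’s targets. All scope and resource ids are constructed sample values.

```python
"""Toy model of Boundary's role/grant scoping (added example, not Boundary's own code).

Simplified: a grant string is "id=<id>;type=<type>;actions=<a,b>" and a role's grants
apply only to resources that live in the role's grant scope.  All scope and resource
ids below are constructed sample values.
"""
from dataclasses import dataclass, field

# Constructed scope tree: global -> org -> project.  Targets exist only in projects.
SCOPE_PARENT = {"global": None, "o_sample": "global", "p_sample": "o_sample"}

@dataclass(frozen=True)
class Resource:
    id: str
    type: str
    scope_id: str

@dataclass
class Role:
    scope_id: str        # scope the role is created in
    grant_scope_id: str  # scope its grants apply to: the role's scope or a direct child
    grants: list = field(default_factory=list)

    def __post_init__(self):
        if self.grant_scope_id != self.scope_id and SCOPE_PARENT.get(self.grant_scope_id) != self.scope_id:
            raise ValueError("grant scope must be the role's own scope or a direct child of it")

def parse_grant(grant: str) -> dict:
    """Split 'id=*;type=target;actions=read,list' into a dict; 'actions' becomes a set."""
    fields = dict(part.split("=", 1) for part in grant.split(";") if part)
    fields["actions"] = set(fields.get("actions", "").split(","))
    return fields

def grant_matches(grant: dict, res: Resource, action: str) -> bool:
    id_ok = grant.get("id", "*") in ("*", res.id)
    type_ok = grant.get("type", "*") in ("*", res.type)
    action_ok = "*" in grant["actions"] or action in grant["actions"]
    return id_ok and type_ok and action_ok

def authorized(roles: list, res: Resource, action: str) -> bool:
    """A role contributes only when its grant scope is the resource's own scope."""
    return any(res.scope_id == r.grant_scope_id and grant_matches(parse_grant(g), res, action)
               for r in roles for g in r.grants)

# The setup from the question: one wildcard role in global, one pointed at the project.
TARGET = Resource("ttcp_sample", "target", "p_sample")
GLOBAL_ADMIN = Role("global", "global", ["id=*;type=*;actions=*"])
PROJECT_ADMIN = Role("o_sample", "p_sample", ["id=*;type=*;actions=*"])
```

Boundary 0.15 and later let a role name several grant scopes (including the `children` and `descendants` keywords), which is the supported way to avoid one role per project; the model above follows the single-grant-scope behaviour the post describes.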