Question about Role/Grant on HCP Boundary

Hello,
I seem to be having a problem getting a role/grant set up to restrict a user to only a single target.
I have the user/account created on the Org. In the Project I have a role with a grant.
The user can log into the desktop and if I use the grant: id=;type=;actions=* the user can see all the targets.

If I try to lock the grant to:
id="ttcp_5Bm7OSg6lZ";type=*;actions=*

the user can no longer see any targets.

If I try to change to even read only,
id=*;type=*;actions=read,list

the user cannot see any targets.

I am using the free version of HCP to test it out and see if it is a good fit.

Any help would be appreciated.

Hi @plesher, if you are using the desktop client for the user, then you need the grant for authorize-session to allow them to see it (and connect to it). If that user logs in through the Admin UI, then they can read/list the targets without authorize-session.

Thank you for the suggestion.

Unfortunately, I just tried changing the grant to:

id="ttcp_5Bm7OSg6lZ";type=*;actions=authorize-session,read,list

And the user is not able to see the targets in the desktop app. As soon as I change id=*, the user can see all the targets.

This configuration works for me, using 2 grants:

id=*;type=*;actions=no-op
id=<id>;actions=authorize-session

“There is an action that can be granted called no-op. As might be apparent, no-op is not used for any real action in Boundary; the purpose of this action is for listing visibility.”

Learn more here: Assignable Permissions | Boundary | HashiCorp Developer

Those grants work for the user to log into the web page (only sees the one target), but the user still does not see any targets with the Boundary client, unfortunately.

The client I have is version 1.51 on OSX.

Actually, what you had earlier should be correct, just without the quotations.

id=ttcp_5Bm7OSg6lZ;type=*;actions=authorize-session,read,list

I tried it without the quotes, even copy/pasting what you have and it is the same. The user can see only the one target in the web page, but in the desktop client, the user does not see any targets.
As soon as I change the id=*, the user sees all the targets in the desktop app.

I spoke with the engineering team and here is what is recommended:

You can probably create a standalone role called “target-consumer” that every user can get with privileges to list targets and sessions:

type=target;actions=list
and
id=*,type=session;actions=list,read:self,cancel:self

And then, to specifically access the target:
id=<target-id>;actions=authorize-session
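To sanity-check grant strings like the no-op listing role above and the target-consumer grants just recommended before putting them on a role, here is a small added Python checker. It is my own simplified model of the grant format (fields separated by ';', actions by ','), not Boundary's permission engine; treating an unset id or type as unconstrained is an assumption.

```python
import re
from dataclasses import dataclass, field

# Simplified model of the grant strings in this thread (assumption, not
# Boundary's own engine). Visibility follows the quoted docs: any matching
# grant, even actions=no-op, makes the resource show up in a list.
_FIELD_RE = re.compile(r"^(id|type|actions)=(.*)$")


@dataclass
class Grant:
    id: str = ""
    type: str = ""
    actions: set = field(default_factory=set)


def parse_grant(text: str) -> Grant:
    """Parse one grant string; reject the malformed shapes seen above."""
    g = Grant()
    for seg in text.split(";"):
        m = _FIELD_RE.match(seg.strip())
        if not m:
            raise ValueError(f"bad field {seg!r} in {text!r}")
        key, val = m.groups()
        if key == "actions":
            g.actions = {a.strip() for a in val.split(",") if a.strip()}
            continue
        if "," in val:  # id=*,type=session: ',' where ';' belongs
            raise ValueError(f"{key}={val!r}: separate fields with ';'")
        if val.startswith(('"', "'")):  # a quoted id never matches a real id
            raise ValueError(f"{key}={val!r}: do not quote the value")
        setattr(g, key, val)
    return g


def _applies(g: Grant, res_id: str, res_type: str) -> bool:
    """Unset id/type is treated as unconstrained (assumption)."""
    return g.id in ("", "*", res_id) and g.type in ("", "*", res_type)


def permits(grants, res_id, res_type, action) -> bool:
    """True when an applicable grant lists the action or '*'."""
    return any(_applies(g, res_id, res_type)
               and ("*" in g.actions or action in g.actions) for g in grants)


def visible(grants, res_id, res_type) -> bool:
    """Listing visibility: any applicable grant with any action counts."""
    return any(_applies(g, res_id, res_type) and g.actions for g in grants)
```

Run `parse_grant` over each grant before assigning it; a ValueError points at the field that is wrong.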

Thank you again for all the help; unfortunately, I’m having the same issue.

I created a new role named target-consumer in the project with both of the grants you put above (there is a , instead of ; in the second one).
I added the user to target-consumer.
I used the existing role in the project and put your third grant in it and assigned the user to that.
The user is limited to only one target as expected in the web page, but the desktop app still shows zero targets. If I change it to id=*, then the user sees all the targets.

I also tried adding the same target-consumer role to the Org level and assigning the user to the role. Same problem.

Sorry for the late response; we will look into this and get back to you. This may be an issue with our desktop client specifically, as the grants you have tried seem correct and you are getting correct behavior on the browser UI.


@plesher wanted to let you know that we are working on a fix for this issue: Fix ListPermissions when separate id/type grants are used by jefferai · Pull Request #3183 · hashicorp/boundary · GitHub