Seems A BUG ,Role grant to target seems not work for general user? can someone help me?

omkensey · April 19, 2022, 9:25pm

Boundary permissions are collection-based, and don’t inherit. Just granting all permissions at one level doesn’t grant them at the other levels, and you’re going to need permissions up and down the hierarchy so that things can be enumerated at each level.

This is taken from my Terraform code for the roles in a demo Boundary environment I create; it should work as one example of what you’re proposing. The users in the users group can see one set of targets; the users in the admins group see those plus a couple of others the users don’t. Note that this is not especially tight permissions-wise! For real-world use you probably want to make much more liberal use of the no-op, list and read actions at the global and org levels instead of *.

resource "boundary_role" "webapp_user_global" {
  name          = "webapp-user-global"
  description   = "Web app user"
  principal_ids = [user group ID]
  grant_strings = ["id=*;type=*;actions=*"]
  scope_id      = "global"
}

resource "boundary_role" "webapp_user_org" {
  name          = "webapp-user-org"
  description   = "Web app user"
  principal_ids = [user group ID]
  grant_strings = ["id=*;type=*;actions=*"]
  scope_id      = [org scope ID]
}

resource "boundary_role" "webapp_user_project" {
  name          = "webapp-user-project"
  description   = "Web app user"
  principal_ids = [user group ID]
  grant_strings = [
    "id=[webapp target ID];actions=read,authorize-session",
    "id=[database readonly target ID];actions=read,authorize-session"
  ]
  scope_id      = [project scope ID]
}

resource "boundary_role" "webapp_admin_global" {
  name          = "webapp-admin-global"
  description   = "Web app admin"
  principal_ids = [admin group ID]
  grant_strings = ["id=*;type=*;actions=*"]
  scope_id      = "global"
}

resource "boundary_role" "webapp_admin_org" {
  name          = "webapp-admin-org"
  description   = "Web app admin"
  principal_ids = [admin group ID]
  grant_strings = ["id=*;type=*;actions=*"]
  scope_id      = [org scope ID]
}

resource "boundary_role" "webapp_admin_project" {
  name          = "webapp-admin-project"
  description   = "Web app admin"
  principal_ids = [admin group ID]
  grant_strings = [
    "id=[webapp target ID];actions=read,authorize-session",
    "id=[SSH target ID];actions=read,authorize-session",
    "id=[database admin target ID];actions=read,authorize-session"
  ]
  scope_id      = [project scope ID]
}

In other words, each group belongs to its own set of roles that get "id=*;type=*;actions=*" at the global and org levels. At the project level, the group’s role gets actions=read,authorize-session on the specific IDs of the targets the members of that group should have access to.

Topic		Replies	Views
Administration Role - attaching new user after creating "Corp One" ussing terraform not able to view\ connect targets Boundary	14	1211	August 27, 2021
Giving access to newly creating users Boundary	2	715	October 17, 2020
Authorize session to a single target not working Boundary	14	2929	November 19, 2020
Question about Role/Grant on HCP Boundary Boundary	10	435	April 26, 2023
Role Permissions Boundary	3	161	April 22, 2024

Seems A BUG ,Role grant to target seems not work for general user? can someone help me?

Related topics