Managing Principals (Users and Groups)
Users and Groups in Boundary are collectively known as principals. Assigning grants on Roles is performed through principal IDs; that is, the unique IDs of either users, groups, or both.
This page will walk you through managing users within Boundary. (Groups will be added at a later time.)
Users
Users in Boundary represent an internal notion of a particular entity (human, machine, etc.). Users can be correlated with one or more Account resources via Auth Methods. Accounts represent external notions of a particular entity. Among other use-cases, this mechanism allows for an easy way to switch users to new IdPs within the organization deploying Boundary.
In this example, we're going to show you how to create an account and user for an auth method to allow that user to log in to Boundary. Because an auth method can be at the org and global scopes, we're going to create an org-scoped auth method in the default generated org in a dev mode server. (If you're not running dev mode, you'll need to substitute appropriate generated IDs in the steps below.)
Currently, all auth methods auto-vivify users on authentication; that is, on successful authentication against an account, if there is no user already linked with that account, a user will be automatically created. This may be a nice time-saver, but in other situations (such as when you want Terraform to fully describe the Boundary resources) this may be undesirable, so the steps below walk you through manually making these resources and linking them. A future Boundary update will allow turning off auto-vivification on a per-auth-method basis.
Create an Auth Method
Create a password-type auth method in the generated default org:
Create Account
Create an account for the org-scoped auth method. Note that by default, user names must be all-lowercase alphanumeric strings of at least 3 characters, and the password must be 8 or more characters. (The minimum lengths can be changed in the attributes for the auth method, if desired.)
Create a User
Next, create a user at the org scope.
First, create the user resource:
Then associate the user with the account previously created:
Login
Now you can test logging in.
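The whole procedure above (auth method, account, user, account association, login) as one POSIX shell script. This is an added example, not code from the Boundary docs or project. It assumes: the CLI is already authenticated with a token that may manage the org; the default dev-mode org ID `o_1234567890` (set `ORG_ID` to your own otherwise); `-format json` output whose item lives under `.item`, parsed with `jq`; and a CLI version whose `-password` flags accept an `env://` reference so the password never appears in argv or shell history. The `check_login_name` and `check_password` functions enforce the page's default constraints locally before any API call is made, so a rejected account does not leave a half-created user behind.

```shell
#!/bin/sh
# Added example: create an org-scoped password auth method, an account, a user,
# link them, and authenticate. Not part of the original page.

# Default account constraints from the page: login name is all-lowercase
# alphanumeric with at least 3 characters; password has at least 8 characters.
check_login_name() {
  case "$1" in
    ''|*[!a-z0-9]*) return 1 ;;   # empty, or any char outside [a-z0-9]
  esac
  [ "${#1}" -ge 3 ]
}

check_password() {
  [ "${#1}" -ge 8 ]
}

create_principals() {
  ORG_ID="${ORG_ID:-o_1234567890}"          # assumption: dev-mode generated org ID
  LOGIN_NAME="${LOGIN_NAME:-myuser}"        # constructed sample login name
  : "${BOUNDARY_PASSWORD:?set BOUNDARY_PASSWORD in the environment}"

  # Validate locally first so nothing is created for an account the server rejects.
  check_login_name "$LOGIN_NAME" || {
    echo "login name must be lowercase alphanumeric, 3+ chars" >&2; return 1; }
  check_password "$BOUNDARY_PASSWORD" || {
    echo "password must be 8+ chars" >&2; return 1; }

  # 1. Password-type auth method in the org scope.
  AUTH_METHOD_ID=$(boundary auth-methods create password \
      -scope-id "$ORG_ID" -name org_auth_method \
      -description "Org-scoped password auth method" \
      -format json | jq -r '.item.id')

  # 2. Account on that auth method; password read from the environment, not argv.
  ACCOUNT_ID=$(boundary accounts create password \
      -auth-method-id "$AUTH_METHOD_ID" -login-name "$LOGIN_NAME" \
      -password env://BOUNDARY_PASSWORD \
      -format json | jq -r '.item.id')

  # 3. User resource in the same org scope.
  USER_ID=$(boundary users create -scope-id "$ORG_ID" \
      -name "$LOGIN_NAME" -description "User for $LOGIN_NAME" \
      -format json | jq -r '.item.id')

  # 4. Link the account to the user so authentication maps to this user
  #    instead of auto-vivifying a new one.
  boundary users add-accounts -id "$USER_ID" -account "$ACCOUNT_ID"

  # 5. Test login. Note this stores the new user's token in the CLI's token
  #    store, replacing the admin token you were using.
  boundary authenticate password -auth-method-id "$AUTH_METHOD_ID" \
      -login-name "$LOGIN_NAME" -password env://BOUNDARY_PASSWORD
}

# Only run the API calls when the boundary CLI is actually available.
if command -v boundary >/dev/null 2>&1; then
  create_principals
else
  echo "boundary CLI not found; only validation functions defined" >&2
fi
```

Run it as `BOUNDARY_PASSWORD=... LOGIN_NAME=myuser sh create-principals.sh` against a dev-mode server. Because the final `authenticate` step overwrites the stored token, rerunning the script afterwards fails on step 1 unless you re-authenticate as an admin first.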