A scope is a permission boundary modeled as a container. Scopes are groupings of resources. Each scope is also a resource. You create scopes to partition resources and then assign ownership of those resources to principals (users and groups).
There are three types of scopes in Boundary:
- A single global scope is the outermost container.
- Organizations (orgs) are contained by the
- Projects are contained by orgs.
NoteWithin the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
You can only associate certain resources with specific levels of scopes. For example, while you can create users at the global or org level, you can only create targets within a project. You can nest projects within orgs to configure access to resources.
For example, you may create an org scope called
IT-Support that contains the users or groups that make up your IT department.
Then, you might create a project called
QA-Tests that is contained within the
You can add hosts, host sets, and targets to the
QA-Tests project to control the resources your IT department can access.
To more granularly control what resources your users can access, you can separate resources out into additional projects. You can also assign permissons across scopes, if you want a user from one scope to have access to a resource that is not normally granted to that user's scope.
The global scope is the outermost scope. There is always a single global scope and it cannot be deleted. You use the global scope for the initial administration, setup, and management of any org scopes. The global scope can directly contain: users, groups, auth methods, and organizations.
An org is a scope directly contained by the global scope. You can create multiple orgs within the global scope. Orgs are used to contain identity and access management-related resources and projects. An org can directly contain: users, groups, auth methods, roles, and projects.
A project is a scope directly contained by an org scope. You can create multiple projects within an org scope. Projects are used to contain infrastructure-related resources. A project can directly contain: roles, targets, host catalogs, and credential stores.
A scope has the following configurable attributes:
name- (optional) If set, the
namemust be unique within the scope's parent scope.
This feature requires HCP Boundary or Boundary Enterprise
Storage policies that are created in the global scope can be associated with any org scope. However, a storage policy created in an org scope can only be associated with that org scope. Changing the storage policy assigned to a scope can impact the resultant set of policy, but such a change only affects future recordings that you create within that scope or using that storage policy.
The following services are relevant to this resource:
Refer to the Manage Scopes with HCP Boundary tutorial to learn how to create an org scope and a project scope.