A scope is a permission boundary modeled as a container.
There are three types of scopes in Boundary: a single global scope, which is the outermost container; organizations (orgs), which are contained by the global scope; and projects, which are contained by orgs.
Each scope is itself a resource.
The global scope is the outermost scope. There is always a single global scope and it cannot be deleted. The global scope can directly contain: users, groups, auth methods, and organizations.
Note: Within the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
An org is a scope directly contained by the global scope. There can be multiple orgs within the global scope. An org can directly contain: users, groups, auth methods, roles, and projects.
A project is a scope directly contained by an org scope. There can be multiple projects within an org. A project can directly contain: roles, targets, host catalogs, and credential stores.
A scope has the following configurable attributes:
name - (optional) If set, the name must be unique within the scope's parent scope.
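The containment and naming rules above can be checked against a planned layout before it is applied. This is an added example, not code from Boundary or its documentation; the function name, the dict layout, the resource type labels and the sample ids are assumptions made for illustration.

```python
from collections import Counter

GLOBAL = {"id": "global", "type": "global", "parent": None, "name": None}
PARENT_TYPE = {"org": "global", "project": "org"}  # child scope type -> parent type
PROJECT_ONLY = {"target", "host-catalog", "credential-store"}  # labels are assumptions

def check_layout(scopes, resources):
    """Return a list of violations found in a planned scope layout."""
    by_id, problems = {"global": GLOBAL}, []
    for s in scopes:
        if s["type"] not in PARENT_TYPE:  # also rejects a second global scope
            problems.append(f"{s['id']}: scope type {s['type']} cannot be declared")
        elif s["id"] in by_id:
            problems.append(f"{s['id']}: duplicate scope id")
        else:
            by_id[s["id"]] = s
    declared = [s for s in by_id.values() if s is not GLOBAL]
    for s in declared:
        parent, want = by_id.get(s["parent"]), PARENT_TYPE[s["type"]]
        if parent is None:
            problems.append(f"{s['id']}: parent {s['parent']} is not declared")
        elif parent["type"] != want:
            problems.append(f"{s['id']}: {s['type']} needs a parent of type {want}, "
                            f"found {parent['type']}")
    # name is optional, so only named scopes take part in the uniqueness check
    names = Counter((s["parent"], s["name"]) for s in declared if s["name"])
    for (parent, name), count in names.items():
        if count > 1:
            problems.append(f"name {name} is used {count} times under {parent}")
    for r in resources:
        scope = by_id.get(r["scope"])
        if scope is None:
            problems.append(f"{r['type']}: scope {r['scope']} is not declared")
        elif r["type"] in PROJECT_ONLY and scope["type"] != "project":
            problems.append(f"{r['type']} in {r['scope']}: only a project contains it")
    return problems

# Constructed sample layout; the ids are made up for this example.
SCOPES = [
    {"id": "o_corp", "type": "org", "parent": "global", "name": "corp"},
    {"id": "o_lab", "type": "org", "parent": "global", "name": "corp"},
    {"id": "p_db", "type": "project", "parent": "o_corp", "name": "databases"},
    {"id": "p_web", "type": "project", "parent": "o_lab", "name": "databases"},
    {"id": "p_stray", "type": "project", "parent": "global", "name": None},
    {"id": "p_anon", "type": "project", "parent": "o_corp", "name": None},
]
RESOURCES = [{"type": "target", "scope": "p_db"}, {"type": "target", "scope": "o_corp"}]
if __name__ == "__main__":
    print("\n".join(check_layout(SCOPES, RESOURCES)))
```

The two projects named "databases" pass because they have different parents, and the unnamed project passes because the name is optional.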
Service API Docs
The following services are relevant to this resource:
Refer to the Manage Scopes with HCP Boundary tutorial to learn how to create an org scope and a project scope.