Create scopes to group resources

Scopes are groupings of resources. You create scopes to partition resources and then assign ownership of those resources to users and groups. You can think of scopes as permission boundaries, modeled as containers.

There are three types of scopes in Boundary, they have the following hierarchy:

Global
There is only one global scope. It is the outermost container. You perform the initial administration and setup in the global scope. You also use the global scope to manage any org scopes.
Org
You can create multiple org scopes under the global scope. Org scopes contain identity and access management-related resources and project scopes.
Project
You can create multiple project scopes under an org scope. Project scopes contain infrastructure-related resources.

You can associate some resources only with a specific scope type. For example, you can create targets only in a project scope. Other resources can exist in multiple scopes. You can create users in either the global scope or an org scope, depending on the resources you want them to access.

For specific information about Boundary resources and their valid scope types, refer to the scopes domain model documentation.

Create an org scope

Complete the following steps to create an org scope in the global scope:

Log in to Boundary.
In the navigation menu, select Orgs.
Click New or New Org.
(Optional) Enter a name and description for the org scope.
Click Save.
Boundary creates the new org scope in the global scope.

Log in to Boundary.
Use the following command to create the scope.
You can optionally provide a name and description for the scope:
```
$ boundary scopes create \
  -scope-id global \
  -name <ORG_NAME> \
  -description <ORG_DESCRIPTION>
```
Boundary creates the new org scope in the global scope.

Use the following command to create an org scope using the Terraform provider.

You can optionally provide a name and description for the scope.

The Terraform provider does not create administrative roles for the scope by default. To ensure the user who creates the scope can manage it immediately, set auto_create_default_role and auto_create_admin_role to true:

resource "boundary_scope" "org" {
  scope_id                 = "global"
  name                     = "org-name"
  description              = "org-description"
  auto_create_default_role = true
  auto_create_admin_role   = true
}

Boundary creates the new org scope in the global scope.

Create a project scope

Complete the following steps to create a project scope in an org scope:

Log in to Boundary.
In the navigation menu, select Orgs.
Select the org you want to add a project scope to.
Click New or New Project.
(Optional) Enter a name and description for the project scope.
Click Save.
Boundary creates the new project scope in the org scope that you specified.

Log in to Boundary.
Use the following command to create the scope.
You must provide the scope-id of the org scope you want to create the project scope in. You can optionally provide a name and description for the scope:
```
$ boundary scopes create \
  -scope-id <ORG_SCOPE_ID> \
  -name <PROJECT_NAME> \
  -description <PROJECT_DESCRIPTION>
```
Boundary creates the new project scope in the org scope that you specified.

Use the following command to create a project scope using the Terraform provider.

You must provide the scope_id of the org scope you want to create the project scope in. You can optionally provide a name and description for the scope.

resource "boundary_scope" "project" {
  name             = "project-name"
  description      = "project-description"

  # scope_id is taken from the parent org resource
  scope_id                 = boundary_scope.org.id
  auto_create_default_role = true
  auto_create_admin_role   = true
}

Boundary creates the new project scope in the org scope that you specified.

More information

To better understand Boundary's permissions model, refer to Permissions in Boundary.
For more specific information about the scopes resource, refer to the Scopes domain model topic.
To learn more about creating or managing scopes, refer to the CLI scopes topic or the API Scope service topic.

Next steps

After you create scopes to contain your resources, you can Manage access with roles.
To manage access to resources dynamically, refer to Manage principals and Filter managed groups.