Example roles
The flexibility of Boundary's permissions model lets you create custom roles and permissions tailored for your organization's specific needs. This topic provides sample roles based on common Boundary use cases and management needs. You can use the permissions below to create roles, or you can use them as starting points and modify them to meet your specific needs.
Administrative roles
Administrative roles have full access over all resources in a given scope. You can configure administrators for global, org, or project scopes.
| Role | Description |
|---|---|
| Global Admin | Full administrative access to all resources in Boundary |
| Org Admin | Administrative access to all resources in an org scope |
| Project Admin | Administrative access to all resources in a project scope |
Global Admin
The Global Admin has unlimited access to perform any action on any Boundary resource. They have the highest level of access with complete control over all aspects of deployment. Global Admins may manage org or project scopes for the entire deployment.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at the org level
- Configuring storage buckets
We recommend the following permissions for Global Admins, assigned to the global scope.
| Description | Grants |
|---|---|
| Permit any actions on any resource types |
Org Admin
The Org Admin manages a specific organization, with full control over authentication methods, user accounts, group memberships, and role assignments in that organization. They represent the highest administrative role at the organization level. Org Admins manage an org scope and any nested scopes.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at an org level
- Configuring storage buckets
We recommend the following permissions for Org Admins, assigned to the org scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on roles |
Project Admin
The Project Admin manages a specific project, with full control over host catalogs, targets, credential stores, and sessions in that project. They control the operational aspects of a project's resources.
Use cases could include:
- Setting up target infrastructure
- Configuring access to systems
- Managing credential access
- Managing project-level user access
We recommend the following permissions for Project Admins, assigned to the project scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on targets | |
| Permit any actions on credential stores | |
| Permit any actions on sessions |
Resource management roles
Resource management roles can manage specific Boundary resources such as sessions, targets, or credentials.
| Role | Description |
|---|---|
| Org Access | Perform actions on an org scope, but not the resources the org contains |
| Project Access | Perform actions on a project scope, but not the resources the project contains |
| Session Manager | View and cancel sessions |
| Target Manager | Create and manage targets |
| Host Resource Manager | Manage hosts and host catalogs |
| Credential Manager | Manage credentials and credential stores |
| User Manager | Manage users, groups, and accounts |
| Auth Method Manager | Manage auth methods and managed groups |
Org Access
Org Access users have administrative access to perform actions on an org scope, but not the resources the org contains.
Use cases include:
- Updating scope information
- Listing the resources in the org scope
- Managing the org scope's encryption keys
We recommend the following permissions for Org Access users, assigned to the org scope.
| Description | Grants |
|---|---|
| Permit any actions on the specified org scope |
Project Access
Project Access users have administrative access to perform actions on a project scope, but not the resources the project contains.
Use cases include:
- Updating scope information
- Listing the resources in the project scope
- Managing the project scope's encryption keys
We recommend the following permissions for Project Access users, assigned to the project scope.
| Description | Grants |
|---|---|
| Permit any actions on the specified project scope |
Session Manager
The Session Manager reviews and monitors active sessions with the ability to terminate them, if needed. They can view targets, but not modify them. This role is primarily focused on security oversight and compliance monitoring.
Use cases could include:
- Supporting help desk
- Monitoring active connections
- Terminating suspicious sessions
We recommend the following permissions for Session Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on sessions | |
| Read and list targets |
Target Manager
The Target Manager creates and manages targets, which are services that users can connect to. They are responsible for configuring which hosts, credentials, and resources are available to users. Target Managers are frequently DevOps engineers or system administrators.
Uses cases could include:
- Adding new services to Boundary
- Updating target configurations
We recommend the following permissions for Target Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on targets |
Host Resource Manager
The Host Resource Manager manages the infrastructure catalog, including hosts, host catalogs, and host sets. They are responsible for organizing and maintaining the inventory of connectable systems. Host Resource Managers are frequently infrastructure team members or cloud administrators.
Use cases could include:
- Managing server inventories
- Organizing hosts into sets
We recommend the following permissions for Host Resource Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on host sets | |
| Permit any actions on hosts |
Credential Manager
The Credential Manager manages credential stores, libraries, and individual credentials that let users authenticate to targets. They are responsible for secure credential management and access. Credential Managers are frequently members of security teams.
Use cases include:
- Rotating credentials
- Managing secrets
- Integrating Boundary with secret stores
We recommend the following permissions for Credential Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on credentials | |
| Permit any actions on credential stores | |
| Permit any actions on credential libraries |
User Manager
The User Manager manages user identities, accounts, and group memberships. They are responsible for user lifecycle management and organizing users into functional groups. User Managers are frequently HR or IT administrators.
Use cases include:
- Onboarding and offboarding users
- Managing access groups
- Troubleshooting accounts
We recommend the following permissions for User Managers, assigned at the global or org scope level.
| Description | Grants |
|---|---|
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on accounts |
Auth Method Manager
The Auth Method Manager configures and manages authentication methods and managed groups. They control how users authenticate to Boundary and how external identity systems integrate with it. Auth Method Managers are frequently identity team members or SSO integration administrators.
Use cases include:
- Integrating SSO
- Configuring LDAP/OIDC
- Troubleshooting authentication issues
We recommend the following permissions for Auth Method Managers, assigned at the global or org scope level.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on managed groups |
Audit roles
Audit roles can view information about Boundary resources, but they cannot modify them.
| Role | Description |
|---|---|
| Session Auditor | View session recordings |
| Resource Auditor | View resources, but cannot modify them |
Session Auditor
The Session Auditor reviews session information and recordings, but cannot cancel sessions. They focus on audit, compliance, and security reviews of past activities. Session Auditors are frequently security auditors, compliance officers, incident investigators, or members of access review teams.
Use cases include:
- Reviewing session information
- Reviewing session recordings
We recommend the following permissions for Session Auditors, assigned to the global scope.
| Description | Grants |
|---|---|
| List and read sessions | |
| List, read, and download session recordings |
Resource Auditor
The Resource Auditor can view all resources, but cannot make any changes. They are responsible for audit, reporting, and monitoring tasks where visibility is important, but modifications are not required. Resource Auditors are frequently security engineers, compliance observers, or external auditors.
Use cases include:
- Monitoring for security issues
- Training
- Observing for compliance
- Auditing
We recommend the following permissions for Resource Auditors, assigned at the global, org, or project scope level.
| Description | Grants |
|---|---|
| Read and list any resources |
End-user roles
End users can use Boundary to connect to targets, but they cannot modify or manage resources.
| Role | Description |
|---|---|
| User | Connect to targets, but cannot modify or manage resources |
User
The User can connect to targets by creating sessions. They have the ability to view and cancel their own sessions. This role is a basic-end user role intended for accessing protected resources. Users are frequently developers, database administrators, end users requiring server access, or support staff.
Use cases include:
- Connecting to targets
- Viewing session information
- Canceling sessions
We recommend the following permissions for Users, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Authorize a session, read and list targets | |
| Read and cancel sessions associated with the user |
More information
- To better understand Boundary's permissions model, refer to Permissions in Boundary.
- To learn more about the permissions you can assign to Boundary principals, refer to Assignable permissions.
- To learn more about grant strings and view example formats, refer to Permission grant formats.
- To view a cheat sheet to help you manage your permissions, refer to Resource tables.
- To view a cheat sheet to help you create roles, refer to Example roles.
Next steps
Refer to Manage access with roles for more information about creating roles, assigning principals and grants to roles, and adding grant scopes.