IT Administrator
IT Administrators require mid-level access to Boundary. They update Boundary when new team members are added.
Responsibilities
IT Administrators may be responsible for some or all of the following tasks.
User onboarding and identity lifecycle
Tasks may focus on managing the onboarding of new team members into Boundary:
- User provisioning - Add and configure new users with the appropriate auth methods to ensure they can authenticate to Boundary.
- Account maintenance - Update user metadata, account details, and target access as team members change roles or departments.
- Managed groups - Manage the lifecycle of groups and managed groups.
Access delegation and group management
Tasks may focus on organizing users into logical units and connecting principals to specific project permissions:
- Group creation - Build and manage groups within org and project scopes to address company needs.
- Membership updates - Add or remove users and groups as principals in existing roles to grant or revoke project-level access.
- Access audit - Review group membership and role assignments periodically to ensure they align with each user's job requirements.
Example roles
Boundary's permissions model lets you create custom roles and permissions tailored for your organization's specific needs. The following example roles are based on common Boundary use cases and management needs for IT Administrators.
You can use the permissions below to create a role, or you can use them as a starting point and modify them to meet your specific needs.
Org Admin
The Org Admin manages a specific organization, with full control over authentication methods, user accounts, group memberships, and role assignments in that organization. They represent the highest administrative role at the organization level. Org Admins manage an org scope and any nested scopes.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at an org level
- Configuring storage buckets
We recommend the following permissions for Org Admins, assigned to the org scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on roles | |
Project Admin
The Project Admin manages a specific project, with full control over host catalogs, targets, credential stores, and sessions in that project. They control the operational aspects of a project's resources.
Use cases could include:
- Setting up target infrastructure
- Configuring access to systems
- Managing credential access
- Managing project-level user access
We recommend the following permissions for Project Admins, assigned to the project scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on targets | |
| Permit any actions on credential stores | |
| Permit any actions on sessions | |
User Manager
The User Manager manages user identities, accounts, and group memberships. They are responsible for user lifecycle management and organizing users into functional groups. User Managers are frequently HR or IT administrators.
Use cases include:
- Onboarding and offboarding users
- Managing access groups
- Troubleshooting accounts
We recommend the following permissions for User Managers, assigned at the global or org scope level.
| Description | Grants |
|---|---|
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on accounts | |
Credential Manager
The Credential Manager manages credential stores, libraries, and individual credentials that let users authenticate to targets. They are responsible for secure credential management and access. Credential Managers are frequently members of security teams.
Use cases include:
- Rotating credentials
- Managing secrets
- Integrating Boundary with secret stores
We recommend the following permissions for Credential Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on credentials | |
| Permit any actions on credential stores | |
| Permit any actions on credential libraries | |
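The following Terraform configuration is an added example and is not part of the original page or HashiCorp's own documentation. It defines the four example roles above (Org Admin, Project Admin, User Manager, Credential Manager) with the `boundary_role` resource of the hashicorp/boundary provider, expressing each table row as a Boundary grant string of the form `ids=*;type=<resource>;actions=*`. The scope IDs and the group IDs that receive each role are placeholders assumed to exist already, the provider block is assumed to be configured elsewhere, and `grant_scope_ids` with the `this` and `descendants` keywords assumes a Boundary release and provider version that support multiple grant scopes.

```terraform
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Placeholder scope IDs (assumed): the org and one project nested under it.
variable "org_scope_id" {
  type    = string
  default = "o_REPLACE_ME"
}

variable "project_scope_id" {
  type    = string
  default = "p_REPLACE_ME"
}

# Placeholder group IDs (assumed): one group per role, so membership changes
# grant or revoke access without editing the role itself.
variable "org_admin_group_id"          { type = string, default = "g_REPLACE_ME_ORG_ADMINS" }
variable "project_admin_group_id"      { type = string, default = "g_REPLACE_ME_PROJECT_ADMINS" }
variable "user_manager_group_id"       { type = string, default = "g_REPLACE_ME_USER_MANAGERS" }
variable "credential_manager_group_id" { type = string, default = "g_REPLACE_ME_CRED_MANAGERS" }

# Org Admin: full control of auth methods, users, groups and roles in the org.
# "descendants" extends the grants to every project nested under the org, which
# is what the page describes; drop it if the admin should only manage the org itself.
resource "boundary_role" "org_admin" {
  name            = "org-admin"
  description     = "Manages auth methods, users, groups and roles for this org"
  scope_id        = var.org_scope_id
  grant_scope_ids = ["this", "descendants"]
  grant_strings = [
    "ids=*;type=auth-method;actions=*",
    "ids=*;type=user;actions=*",
    "ids=*;type=group;actions=*",
    "ids=*;type=role;actions=*",
  ]
  principal_ids = [var.org_admin_group_id]
}

# Project Admin: operational control of one project's resources only.
resource "boundary_role" "project_admin" {
  name            = "project-admin"
  description     = "Manages host catalogs, targets, credential stores and sessions"
  scope_id        = var.project_scope_id
  grant_scope_ids = ["this"]
  grant_strings = [
    "ids=*;type=host-catalog;actions=*",
    "ids=*;type=target;actions=*",
    "ids=*;type=credential-store;actions=*",
    "ids=*;type=session;actions=*",
  ]
  principal_ids = [var.project_admin_group_id]
}

# User Manager: identity lifecycle at the org scope; no target or credential grants.
resource "boundary_role" "user_manager" {
  name            = "user-manager"
  description     = "Onboards and offboards users, manages groups and accounts"
  scope_id        = var.org_scope_id
  grant_scope_ids = ["this"]
  grant_strings = [
    "ids=*;type=user;actions=*",
    "ids=*;type=group;actions=*",
    "ids=*;type=account;actions=*",
  ]
  principal_ids = [var.user_manager_group_id]
}

# Credential Manager: credential material in one project; no target or user grants.
resource "boundary_role" "credential_manager" {
  name            = "credential-manager"
  description     = "Manages credentials, credential stores and credential libraries"
  scope_id        = var.project_scope_id
  grant_scope_ids = ["this"]
  grant_strings = [
    "ids=*;type=credential;actions=*",
    "ids=*;type=credential-store;actions=*",
    "ids=*;type=credential-library;actions=*",
  ]
  principal_ids = [var.credential_manager_group_id]
}
```

Apply this against a controller you are already authenticated to. Two design choices are worth noting for the periodic access audit described above. First, principals are groups rather than individual users, so onboarding and offboarding are group membership changes and the role grants stay stable. Second, `type=role;actions=*` lets a holder create roles carrying any grant, so the Org Admin role is effectively full control over the org and everything under it; that is the intent the page describes, but it means Org Admin membership deserves the closest review, while the other three roles are confined to the scope they are created in.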
More information
To view other example roles based on common Boundary use cases, refer to Example roles.
Next steps
- To create scopes that logically group your resources, refer to Create scopes to group resources.
- To configure roles and grant scopes for users and groups, refer to Manage access with roles.
- To manage access to resources dynamically, refer to Manage principals and Filter managed groups.