Platform Engineer
The Platform Engineer requires full or high-level access. They install Boundary and monitor the system.
Responsibilities
The Platform Engineer may be responsible for some or all of the following tasks.
Infrastructure deployment and worker health
Tasks may focus on building and maintaining the data plane that tunnels traffic:
- Worker management - Deploy and manage Boundary workers to manage traffic.
- System troubleshooting - Monitor worker status and connectivity to ensure platform reliability.
Secure integration and credential brokering
Tasks may focus on configuring credentials in Boundary:
- Credential library management - Configure and update the credential libraries that map Vault secrets to Boundary targets.
Operational monitoring and session governance
Tasks may focus on providing technical visibility and supporting compliance:
- Active session oversight - List and monitor active sessions.
- Audit configuration - Set up the storage bucket for session recording.
Example roles
Boundary's permissions model lets you create custom roles and permissions tailored for your organization's specific needs. The following example roles are based on common Boundary use cases and management needs for Platform Engineers.
You can use the permissions below to create a role, or you can use them as a starting point and modify them to meet your specific needs.
Org Admin
The Org Admin manages a specific organization, with full control over authentication methods, user accounts, group memberships, and role assignments in that organization. They represent the highest administrative role at the organization level. Org Admins manage an org scope and any nested scopes.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at an org level
- Configuring storage buckets
We recommend the following permissions for Org Admins, assigned to the org scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on roles | |
Project Admin
The Project Admin manages a specific project, with full control over host catalogs, targets, credential stores, and sessions in that project. They control the operational aspects of a project's resources.
Use cases could include:
- Setting up target infrastructure
- Configuring access to systems
- Managing credential access
- Managing project-level user access
We recommend the following permissions for Project Admins, assigned to the project scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on targets | |
| Permit any actions on credential stores | |
| Permit any actions on sessions | |
Target Manager
The Target Manager creates and manages targets, which are services that users can connect to. They are responsible for configuring which hosts, credentials, and resources are available to users. Target Managers are frequently DevOps engineers or system administrators.
Use cases could include:
- Adding new services to Boundary
- Updating target configurations
We recommend the following permissions for Target Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on targets | |
Host Resource Manager
The Host Resource Manager manages the infrastructure catalog, including hosts, host catalogs, and host sets. They are responsible for organizing and maintaining the inventory of connectable systems. Host Resource Managers are frequently infrastructure team members or cloud administrators.
Use cases could include:
- Managing server inventories
- Organizing hosts into sets
We recommend the following permissions for Host Resource Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on host sets | |
| Permit any actions on hosts | |
Credential Manager
The Credential Manager manages credential stores, libraries, and individual credentials that let users authenticate to targets. They are responsible for secure credential management and access. Credential Managers are frequently members of security teams.
Use cases include:
- Rotating credentials
- Managing secrets
- Integrating Boundary with secret stores
We recommend the following permissions for Credential Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on credentials | |
| Permit any actions on credential stores | |
| Permit any actions on credential libraries | |
Session Auditor
The Session Auditor reviews session information and recordings, but cannot cancel sessions. They focus on audit, compliance, and security reviews of past activities. Session Auditors are frequently security auditors, compliance officers, incident investigators, or members of access review teams.
Use cases include:
- Reviewing session information
- Reviewing session recordings
We recommend the following permissions for Session Auditors, assigned to the global scope.
| Description | Grants |
|---|---|
| List and read sessions | |
| List, read, and download session recordings | |
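The Session Auditor described above must be able to review sessions and recordings without being able to cancel sessions. The following Python check is an added example, not part of the Boundary documentation: it parses grant strings and flags any that would permit `cancel` on sessions, including through wildcards. It assumes Boundary's `ids=...;type=...;actions=...` grant string form; the sample grants are constructed and the function names are this example's own.

```python
# Added example: lint role grants against the Session Auditor constraint.
# Assumption: grants use Boundary's "ids=...;type=...;actions=..." string form.

def parse_grant(grant: str) -> dict:
    """Split one grant string into its ids, type and actions."""
    fields = {}
    for part in grant.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = part.strip().partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed grant field: {part!r}")
        fields[key.strip()] = value.strip()
    if "actions" not in fields:
        raise ValueError(f"grant has no actions: {grant!r}")
    return {
        "ids": [i.strip() for i in fields.get("ids", "").split(",") if i.strip()],
        # A grant with no explicit type is treated as matching any type,
        # so the lint errs on the side of flagging it.
        "type": fields.get("type", "*"),
        "actions": [a.strip() for a in fields["actions"].split(",") if a.strip()],
    }

def permits(grant: str, resource_type: str, action: str) -> bool:
    """True if the grant allows `action` (or a sub-action such as
    `action:self`) on `resource_type`, honouring '*' wildcards."""
    g = parse_grant(grant)
    type_ok = g["type"] in ("*", resource_type)
    action_ok = any(
        a == "*" or a == action or a.startswith(action + ":") for a in g["actions"]
    )
    return type_ok and action_ok

def auditor_violations(grants: list) -> list:
    """Return the grants that would let a Session Auditor cancel sessions."""
    return [g for g in grants if permits(g, "session", "cancel")]

# Constructed sample roles (not taken from the page).
AUDITOR_OK = [
    "ids=*;type=session;actions=list,read",
    "ids=*;type=session-recording;actions=list,read,download",
]
AUDITOR_TOO_BROAD = AUDITOR_OK + [
    "ids=*;type=session;actions=*",   # wildcard action includes cancel
    "ids=*;type=*;actions=cancel",    # wildcard type includes sessions
]

if __name__ == "__main__":
    for name, role in (("ok", AUDITOR_OK), ("too-broad", AUDITOR_TOO_BROAD)):
        print(name, auditor_violations(role))
```

Running the same check against a Project Admin role is expected to report a match, because that role permits any action on sessions.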
More information
To view other example roles based on common Boundary use cases, refer to Example roles.
Next steps
- To create scopes that logically group your resources, refer to Create scopes to group resources.
- To configure roles and grant scopes for users and groups, refer to Manage access with roles.
- To manage access to resources dynamically, refer to Manage principals and Filter managed groups.