SecOps Analyst
SecOps Analysts require view-only or limited access to Boundary. They are responsible for monitoring the environment and incident response.
Responsibilities
The SecOps Analyst may be responsible for some or all of the following tasks:
Compliance and configuration review
Tasks may focus on verifying that the system is configured according to regulatory standards:
- Resource inspection - Navigate through org and project scopes to review the current configuration of targets and host sets.
- Security posture audit - Verify whether resources are correctly configured and generate reports. Perform all monitoring and resource review using view-only permissions, so that the analyst can audit the system without being able to modify security configurations.
- Recording configuration review - Inspect the session recording settings for specific targets to ensure that auditing is active for high-privilege access.
- Storage verification - Confirm that session logs and recordings are being correctly directed to the mandated storage buckets for long-term retention.
- Session recording playback - Access and view recorded sessions to investigate specific user activities or security incidents.
Example roles
Boundary's permissions model lets you create custom roles and permissions tailored for your organization's specific needs. The following example roles are based on common Boundary use cases and management needs for SecOps Analysts.
You can use the permissions below to create a role, or you can use them as a starting point and modify them to meet your specific needs.
Session Auditor
The Session Auditor reviews session information and recordings, but cannot cancel sessions. They focus on audit, compliance, and security reviews of past activities. Session Auditors are frequently security auditors, compliance officers, incident investigators, or members of access review teams.
Use cases include:
- Reviewing session information
- Reviewing session recordings
We recommend the following permissions for Session Auditors, assigned to the global scope.
| Description | Grants |
|---|---|
| List and read sessions | |
| List, read, and download session recordings | |
Resource Auditor
The Resource Auditor can view all resources, but cannot make any changes. They are responsible for audit, reporting, and monitoring tasks where visibility is important, but modifications are not required. Resource Auditors are frequently security engineers, compliance observers, or external auditors.
Use cases include:
- Monitoring for security issues
- Training
- Observing for compliance
- Auditing
We recommend the following permissions for Resource Auditors, assigned at the global, org, or project scope level.
| Description | Grants |
|---|---|
| Read and list any resources | |
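
One way to check that a role stays within the view-only access described for the Session Auditor and Resource Auditor roles above. This is an added example, not code from the Boundary documentation or project: the function names, the allow-list, and the sample grant strings are constructed for illustration, and it assumes grants written in the text form `ids=...;type=...;actions=...`.

```python
# Added example: lint Boundary grant strings for a view-only analyst role.
# Assumption: grants use the text form "ids=...;type=...;actions=a,b".
# The allow-list holds only the actions this page names for auditors.
VIEW_ONLY_ACTIONS = {"list", "read", "download"}


def parse_grant(grant):
    """Split one grant string into a dict of field -> value."""
    fields = {}
    for part in grant.strip().split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed grant segment: {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def non_view_actions(grant):
    """Return the actions in a grant that go beyond view-only access."""
    fields = parse_grant(grant)
    actions = [a.strip() for a in fields.get("actions", "").split(",") if a.strip()]
    if not actions:
        # A grant with no actions cannot be confirmed as view-only.
        return ["<missing actions>"]
    flagged = []
    for action in actions:
        # Treat "read:self" like "read"; "cancel:self" is still flagged.
        base = action[: -len(":self")] if action.endswith(":self") else action
        if base not in VIEW_ONLY_ACTIONS:
            flagged.append(action)
    return flagged


def audit_role(grants):
    """Map each offending grant string to its non-view-only actions."""
    return {g: bad for g in grants if (bad := non_view_actions(g))}


# Constructed sample grants, not the grant strings from the Boundary docs.
SAMPLE_GRANTS = [
    "ids=*;type=session;actions=list,read",
    "ids=*;type=session-recording;actions=list,read,download",
    "ids=*;type=session;actions=list,read,cancel",
    "ids=*;type=*;actions=*",
]

if __name__ == "__main__":
    for grant, bad in audit_role(SAMPLE_GRANTS).items():
        print(f"NOT view-only: {grant} -> {', '.join(bad)}")
```

Wildcard actions are flagged on purpose, because `actions=*` includes every modifying action along with the read-only ones.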
More information
To view other example roles based on common Boundary use cases, refer to Example roles.
Next steps
- To create scopes that logically group your resources, refer to Create scopes to group resources.
- To configure roles and grant scopes for users and groups, refer to Manage access with roles.
- To manage access to resources dynamically, refer to Manage principals and Filter managed groups.