Security Engineer
The Security Engineer requires full or high-level access to security engineering. They configure projects and resources.
Responsibilities
The Security Engineer may be responsible for some or all of the following tasks.
Governance and identity
Tasks may focus on establishing organizational structure and trust:
- Sign-in and global administration - Log in to Boundary with the Global scope using the Admin Console UI or CLI to manage all system resources.
- Organizational partitioning - Create and configure Org and Project scopes to isolate environments by team, for example Production or Development.
- Authentication - Enable and configure OIDC for enterprise-wide access or password auth methods for point-of-contact or emergency access.
Infrastructure and target management
Tasks may focus on onboarding resources and defining how users access them:
- Host orchestration: Create and manage host catalogs and host sets to define the inventory of networked resources.
- Target configuration: Create and update targets, ensuring that users have the specific endpoints they need for work.
- Credential integration: Configure Vault as a credential store to ensure targets use dynamic, injected secrets.
Compliance and session governance
Tasks may focus on ensuring visibility and regulatory adherence:
- Audit configuration: Enable and manage session recording on targets.
- Storage and encryption: Configure storage buckets for recordings.
RBAC and policy guardrails
Tasks may focus on designing and enforcing the principle of least privilege:
- Grant mapping - Define granular permissions such as list, read, or authorize session for different user groups.
- Role assignment - Map OIDC groups to specific roles in project scopes to ensure users cannot view or modify unauthorized configurations.
- Access refinement - Update and delete grants or roles as team requirements evolve to prevent over-provisioning.
Example roles
Boundary's permissions model lets you create custom roles and permissions tailored for your organization's specific needs. The following example roles are based on common Boundary use cases and management needs for Security Engineers.
You can use the permissions below to create a role, or you can use them as a starting point and modify them to meet your specific needs.
Global Admin
The Global Admin has unlimited access to perform any action on any Boundary resource. They have the highest level of access with complete control over all aspects of deployment. Global Admins may manage org or project scopes for the entire deployment.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at the org level
- Configuring storage buckets
We recommend the following permissions for Global Admins, assigned to the global scope.
| Description | Grants |
|---|---|
| Permit any actions on any resource types |
Org Admin
The Org Admin manages a specific organization, with full control over authentication methods, user accounts, group memberships, and role assignments in that organization. They represent the highest administrative role at the organization level. Org Admins manage an org scope and any nested scopes.
Use cases could include:
- Managing projects within an org
- Setting up auth methods
- Managing users at an org level
- Configuring storage buckets
We recommend the following permissions for Org Admins, assigned to the org scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on roles |
Project Admin
The Project Admin manages a specific project, with full control over host catalogs, targets, credential stores, and sessions in that project. They control the operational aspects of a project's resources.
Use cases could include:
- Setting up target infrastructure
- Configuring access to systems
- Managing credential access
- Managing project-level user access
We recommend the following permissions for Project Admins, assigned to the project scope the administrator manages.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on targets | |
| Permit any actions on credential stores | |
| Permit any actions on sessions |
Target Manager
The Target Manager creates and manages targets, which are services that users can connect to. They are responsible for configuring which hosts, credentials, and resources are available to users. Target Managers are frequently DevOps engineers or system administrators.
Uses cases could include:
- Adding new services to Boundary
- Updating target configurations
We recommend the following permissions for Target Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on targets |
Host Resource Manager
The Host Resource Manager manages the infrastructure catalog, including hosts, host catalogs, and host sets. They are responsible for organizing and maintaining the inventory of connectable systems. Host Resource Managers are frequently infrastructure team members or cloud administrators.
Use cases could include:
- Managing server inventories
- Organizing hosts into sets
We recommend the following permissions for Host Resource Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on host catalogs | |
| Permit any actions on host sets | |
| Permit any actions on hosts |
Credential Manager
The Credential Manager manages credential stores, libraries, and individual credentials that let users authenticate to targets. They are responsible for secure credential management and access. Credential Managers are frequently members of security teams.
Use cases include:
- Rotating credentials
- Managing secrets
- Integrating Boundary with secret stores
We recommend the following permissions for Credential Managers, assigned at the org or project scope level.
| Description | Grants |
|---|---|
| Permit any actions on credentials | |
| Permit any actions on credential stores | |
| Permit any actions on credential libraries |
User Manager
The User Manager manages user identities, accounts, and group memberships. They are responsible for user lifecycle management and organizing users into functional groups. User Managers are frequently HR or IT administrators.
Use cases include:
- Onboarding and offboarding users
- Managing access groups
- Troubleshooting accounts
We recommend the following permissions for User Managers, assigned at the global or org scope level.
| Description | Grants |
|---|---|
| Permit any actions on users | |
| Permit any actions on groups | |
| Permit any actions on accounts |
Auth Method Manager
The Auth Method Manager configures and manages authentication methods and managed groups. They control how users authenticate to Boundary and how external identity systems integrate with it. Auth Method Managers are frequently identity team members or SSO integration administrators.
Use cases include:
- Integrating SSO
- Configuring LDAP/OIDC
- Troubleshooting authentication issues
We recommend the following permissions for Auth Method Managers, assigned at the global or org scope level.
| Description | Grants |
|---|---|
| Permit any actions on auth methods | |
| Permit any actions on managed groups |
More information
To view other example roles based on common Boundary use cases, refer to Example roles.
Next steps
- To create scopes that logically group your resources, refer to Create scopes to group resources.
- To configure roles and grant scopes for users and groups, refer to Manage access with roles.
- To manage access to resources dynamically, refer to Manage principals and Filter managed groups.