Boundary
Scopes
A scope is a permission boundary modeled as a container.
There are three types of scopes in Boundary:
A single global scope which is the outermost container;
organizations (orgs) which are contained by the global
scope;
and projects which are contained by orgs.
Each scope is itself a resource.
Global
The global scope is the outermost scope. There is always a single global scope and it cannot be deleted. The global scope can directly contain: users, groups, auth methods, and organizations.
Organizations
Note: Within the software itself and elsewhere in the documentation, Boundary reliably uses "org" instead of "organization". Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.
An org is a scope directly contained by the global scope. There can be multiple orgs within the global scope. An org can directly contain: users, groups, auth methods, roles, and projects.
Projects
A project is a scope directly contained by an org scope. There can be multiple projects within an org. A project can directly contain: roles, targets, host catalogs, and credential stores.
Attributes
A scope has the following configurable attributes:
name
- (optional) If set, thename
must be unique within the scope's parent scope.description
- (optional)
Referenced by
Service API docs
The following services are relevant to this resource:
Tutorial
Refer to the Manage Scopes with HCP Boundary tutorial to learn how to create an org scope and a project scope.