Scopes

A scope is a permission boundary modeled as a container. There are three types of scopes in Boundary: a single global scope, which is the outermost container; organizations (orgs), which are contained by the global scope; and projects, which are contained by orgs. Each scope is itself a resource.

Global

The global scope is the outermost scope. There is always a single global scope and it cannot be deleted. The global scope can directly contain: users, groups, auth methods, and organizations.

Organizations

Within the software itself and elsewhere in the documentation, Boundary reliably uses “org” instead of “organization”. Among other reasons, this removes ambiguity between different regional spellings of the word. It is spelled out here in the domain model for completeness and to ensure its intent is clear.

An org is a scope directly contained by the global scope. There can be multiple orgs within the global scope. An org can directly contain: users, groups, auth methods, roles, and projects.

Projects

A project is a scope directly contained by an org scope. There can be multiple projects within an org. A project can directly contain: roles, targets, host catalogs, and credential stores.

Attributes

A scope has the following configurable attributes:

  • name - (optional) If set, the name must be unique within the scope’s parent scope.

  • description - (optional)
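
The containment and naming rules above can be written as a small checker, for example to lint a planned scope layout before creating it. This is an added illustration, not Boundary's own code: the `Scope` class, its methods and the rule tables are hypothetical names, and they encode only the rules stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Required parent type for each scope type (the global scope has no parent).
PARENT_TYPE = {"global": None, "org": "global", "project": "org"}

# Non-scope resources each scope type can directly contain, as listed above.
RESOURCES = {
    "global": {"user", "group", "auth method"},
    "org": {"user", "group", "auth method", "role"},
    "project": {"role", "target", "host catalog", "credential store"},
}


@dataclass(eq=False)  # identity comparison: two unnamed scopes are still distinct
class Scope:
    type: str
    name: Optional[str] = None  # optional attribute
    description: Optional[str] = None  # optional attribute
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)
    resources: list = field(default_factory=list)  # (resource_type, name) pairs

    def add_scope(self, type, name=None):
        """Create a child scope, enforcing containment and name uniqueness."""
        if PARENT_TYPE.get(type) != self.type:
            raise ValueError(f"a {type} scope cannot be contained by a {self.type} scope")
        # A name is optional, but if set it must be unique within the parent.
        if name is not None and any(c.name == name for c in self.children):
            raise ValueError(f"name {name!r} is already used in this parent scope")
        child = Scope(type, name, parent=self)
        self.children.append(child)
        return child

    def add_resource(self, resource_type, name):
        """Place a non-scope resource directly in this scope."""
        if resource_type not in RESOURCES[self.type]:
            raise ValueError(f"a {self.type} scope cannot directly contain a {resource_type}")
        self.resources.append((resource_type, name))

    def delete(self):
        """Detach this scope from its parent; the global scope cannot be deleted."""
        if self.type == "global":
            raise ValueError("the global scope cannot be deleted")
        self.parent.children.remove(self)
```

Start from `Scope("global")` and build downward; any placement the rules above do not allow raises `ValueError`.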

Referenced By

Service API Docs

The following services are relevant to this resource: