»Manage Scopes

Scopes are a foundational part of Boundary. They allow users to partition resources and assign ownership of resources to principals. There are three types of scopes within Boundary:

Global (global)
Org
Project

These are in a hierarchy:

There is only one single global scope. It is meant as the entry point for initial administration/setup and to manage org scopes.
Under the global scope there can be many org scopes. These are used to hold IAM-related resources and project scopes.
Under each org scope can be many project scopes. These are used to hold infrastructure-related resources.

Some resources can only be associated with a specific level of scope. As an example, Targets can only be contained within a project scope. Other resources can be contained by multiple scopes. For example, users can be created within the global scope or an org-level scope. See the domain model for detailed resource specific information.

In this example, we're going to create two scopes, an org and a project.

All resource IDs in this example are illustration only - IDs are uniquely generated for every resource upon creation with the exception being generated resources in dev mode. Please make sure to use the resource IDs that are generated when running this example. For example, if you run boundary users create, use the resource ID of the user seen in stdout, not the ID in the example command.

»Create an Org

In this example, we're going to create an org, which lives in the global scope.

The CLI and UI will default to having certain administrative roles be created automatically when a scope is created, so that the user that created the scope can immediately manage it. The Terraform provider defaults skipping creation of those roles so that resources are not created outside of Terraform's purview. To simplify this example, we are telling Terraform to allow these roles to be created in both this section and in the next section where we create a project scope.

$ boundary scopes create -scope-id global -name my_org -description 'My first org'

Scope information:
  Created Time:        Tue, 29 Sep 2020 05:48:22 PDT
  Description:         My first org
  ID:                  o_y0fEd8iY2J
  Name:                my_org
  Updated Time:        Tue, 29 Sep 2020 05:48:22 PDT
  Version:             1

  Scope (parent):
    ID:                global
    Name:              global
    Type:              global

$ boundary scopes create -scope-id global -name my_org -description 'My first org'
Scope information:  Created Time:        Tue, 29 Sep 2020 05:48:22 PDT  Description:         My first org  ID:                  o_y0fEd8iY2J  Name:                my_org  Updated Time:        Tue, 29 Sep 2020 05:48:22 PDT  Version:             1
  Scope (parent):    ID:                global    Name:              global    Type:              global

»Create a Project

Next, we're going to add a project scope to our org.

$ boundary scopes create -scope-id o_0MkQUfE9jA -name my_project -description 'My first project'

Scope information:
  Created Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Description:         My first project
  ID:                  p_jqCwqjSTQ4
  Name:                my_project
  Updated Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Version:             1

  Scope (parent):
    ID:                o_0MkQUfE9jA
    Name:              my_org
    Parent Scope ID:   global
    Type:              org

$ boundary scopes create -scope-id o_0MkQUfE9jA -name my_project -description 'My first project'
Scope information:  Created Time:        Tue, 29 Sep 2020 05:57:45 PDT  Description:         My first project  ID:                  p_jqCwqjSTQ4  Name:                my_project  Updated Time:        Tue, 29 Sep 2020 05:57:45 PDT  Version:             1
  Scope (parent):    ID:                o_0MkQUfE9jA    Name:              my_org    Parent Scope ID:   global    Type:              org