Boundary is a tool for managing identity-based access for modern, dynamic infrastructure. Just as infrastructure itself can be complex, at first glance Boundary can seem complex as well. As a result, it's helpful to understand how Boundary organizes security principals and resources, as well as how it allows you define granular permissions to those principals. A glossary of terms is contained in the domain model section.

»Identity & Permission Management

Identity is a core concept in Boundary. Identity is represented by two types of resources, mapping to common security principals:

  • Users, which represent distinct entities that can be tied to authentication accounts
  • Groups, which are collections of Users that allow for easier access management

Roles map users and groups to a set of grants, which provide the ability to perform actions within the system.

»Resource Management

Boundary enables flexible management of the hosts and services for which it can broker access. Boundary administrators define host catalogs that contain information about hosts. These hosts are then collected into host sets which represent sets of equivalent hosts. Finally, targets tie together host sets with connection information. Final access to a resource is granted via roles that provide authorization to create sessions against these targets.


Some parts of Boundary support filters for various purposes. For a description of the filter syntax, see the filtering page. See the docs pages for the individual resources or capabilities where filters are supported for the specific inputs and examples with those inputs.

»Next Steps

Be sure Boundary is able to run locally with the instructions at Getting Started. Then, learn how to create targets and initiate a session with Connect to Your First Target.

»Further Reading

For more information see our general recommendations for deployment architecture, and see the security model documentation for an explanation of the security foundations of Boundary.