Boundary's Admin Console provides an easy way to manage resources. This tutorial takes a quick tour of the Boundary admin console by exploring the resources in the Generated org scope.
»Explore Admin Console
Select Generated org scope and then Roles.
Select Administration and then click the Principals tab.
adminuser is listed. Users, groups, and projects are types of principals that can be assigned to roles.
Click on the Grants tab to view the permissions allowed on this role.
Grants represent strings of actions on resources:
The grant for the Administration role indicates that all actions (actions=*) on all resources (id=*;type=*) are permitted. Refer to the documentation for more details.
Return to the Roles list and select the Login and Default Grants role.
Click the Grants tab to view its permissions.
A role can have multiple grants defined. Those grants are deleted when the role is deleted. A grant is also deleted if its associated resource is deleted.
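To find roles as broad as the Administration role without opening each one in the console, the grant strings can be parsed and classified by how many fields are wildcards. The following is an added example, not code from the tutorial or from Boundary itself; it assumes grants are `key=value` fields separated by `;` with comma-separated actions, as in the strings shown above. The function names are hypothetical, and the grants listed for the Login and Default Grants role are constructed sample data.

```python
# Added example. ROLES is constructed sample data, not output from a real controller.
ROLES = {
    "Administration": ["id=*;type=*;actions=*"],
    "Login and Default Grants": [
        "id=*;type=scope;actions=list,no-op",
        "id=*;type=auth-method;actions=authenticate,list",
    ],
}


def parse_grant(grant):
    """Split a grant string into its fields; 'actions' becomes a list."""
    fields = {}
    for segment in grant.split(";"):
        key, sep, value = segment.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed grant segment: {segment!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r} in grant: {grant!r}")
        fields[key] = value
    fields["actions"] = [a.strip() for a in fields.get("actions", "").split(",") if a.strip()]
    return fields


def breadth(grant):
    """Classify how wide a grant is by checking which fields are wildcards."""
    g = parse_grant(grant)
    wild = [g.get("id") == "*", g.get("type") == "*", "*" in g["actions"]]
    if all(wild):
        return "full-admin"        # every action on every resource
    if any(wild):
        return "partial-wildcard"  # wildcard in one or two fields; review its scope
    return "scoped"


def audit(roles):
    """Return (role, grant) pairs that permit all actions on all resources."""
    return [(role, grant)
            for role, grants in roles.items()
            for grant in grants
            if breadth(grant) == "full-admin"]


if __name__ == "__main__":
    for role, grant in audit(ROLES):
        print(f"{role}: {grant} grants everything in its scope")
```

A grant classified as full-admin is only as wide as the scope its role belongs to, so review the role's principals and scope together with the grant.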
Select Projects and then Generated project scope.
Notice that you can see Sessions, Targets and Host Catalogs.
Select Host Catalogs.
Select Generated host catalog.
Click on the Host Sets tab and then Generated host set to view its details.
Click on the Hosts tab to view attached hosts.
Currently, Generated host, with ID hst_1234567890, is the only host attached to this host set. From the Manage menu, you can add or delete hosts from the host set.
Select Generated host. Its Address is set to
Select Targets from the left pane.
Select Generated target.
The Generated target allows TCP connections, and its ID is
Using the Manage menu, you can add additional host sets to the target, or delete this target.
»Boundary resource summary
The relationships between hosts, host sets, and targets are as shown in the following diagram:
A host catalog contains host sets, and each host set has a list of hosts, each with its network address. Targets define zero or more host sets. Targets are what end users use to connect through Boundary. For example, to create an SSH session to a host through Boundary, an administrator must first define a target. Admins can define targets by specifying a host set, which provides host addressing information, as well as the type of connection (e.g. TCP).
| Resource | Description |
|---|---|
| Scope | Abstract permission boundary modeled as a container. A scope can contain scopes forming a tree. |
| Organization | Top-level container (scope) which owns zero to many projects and zero to many authentication methods. An organization inherits from scope allowing it to own zero to many groups, roles, policies, targets, host catalogs or credential stores. |
| Project | Child scope of an organization. |
| User | Any entity authorized to access Boundary using authentication credentials specific to one of the configured authentication methods. A user can belong to zero or more groups. |
| Group | Collection of users used for access control. A group is owned by one and only one scope. |
| Role | Collection of capabilities granted to any principal (user, group, or project) the role is assigned to. A role belongs to one and only one scope, and owns zero or more direct grants. |
| Host | Computing element with a network address reachable from Boundary. |
| Host catalog | Permission boundary modeled as a container containing scopes forming a tree. |
| Host set | Subset of hosts from the set of hosts of the host catalog it belongs to. A host set belongs to one and only one host catalog; therefore, it gets deleted when its host catalog is deleted. |
| Target | Networked service a user can connect to and interact with through Boundary. A target can contain zero or more host sets. |
This tutorial explored the Boundary resources created by default when you run Boundary in dev mode.
Next, you are going to connect to a target using the generated configurations and view and manage the established sessions.