Roles are not working as expected #5003

Open
achetronic opened this issue Aug 7, 2024 · 15 comments
Labels
bug Something isn't working

Comments

achetronic commented Aug 7, 2024

Describe the bug
A user is inside two different groups, for example: admins and developers.

In the global scope the group 'admins' is linked to the GlobalAdmin role, whose permissions are:

ids=*;type=*;actions=*

And inside a project, the group developers which is linked to a role that has the following permissions:

ids=ttcp_a0r6J8Djju;type=target;actions=authorize-session
ids=*;type=target;actions=read,list

After setting these permissions, the mentioned user cannot see everything, but only one target in that project. So I see the project permissions are overriding the global ones.

I have read that permissions are additive in Boundary; is this the intended behavior? How can I manage this use case? I read about no-op but I don't know if this can help my use case.

What am I doing wrong?

Expected behavior
What I expected is: "if you have the permissions in the global scope, having less in the project should not limit you, as you already have them"

What I wanted to do is give permissions to use some specific targets to the whole company, but some additional ones (on top of those general ones) to other teams.


achetronic added the bug label Aug 7, 2024
moduli (Collaborator) commented Aug 9, 2024

When defining grants in a global scope, by default, those grants only apply to items within the global scope and not any scopes further down the chain.

If you want a grant to apply to additional scopes, you can go here to select your desired settings.
[Screenshot: the role's grant scope settings in the Admin UI]

More information here

achetronic (Author) commented:

Hello @moduli, thanks for your response. We are putting a lot of effort into crafting our tools around Boundary.

Which version are you using? I don't have those options in v0.15.4. I have reviewed the changelog and I cannot find those in the messages (btw, very interesting things in the latest versions about the target aliases).

moduli (Collaborator) commented Aug 12, 2024

Ah. Support for this feature in the Admin UI came in v0.17.0, however, you are able to utilize this feature via the CLI in 0.15.x.

boundary roles add-grant-scopes ...

https://developer.hashicorp.com/boundary/docs/v0.15.x/commands/roles/add-grant-scopes

achetronic (Author) commented:

Oh, thanks! I can update my deployment to give you some feedback about that functionality. Apart from updating the image, is it needed to execute database migrations? (I assume so, but asking just in case) :)

moduli (Collaborator) commented Aug 13, 2024

Yes. You will need to execute a database migration. Here's a document that goes into more detail: https://developer.hashicorp.com/boundary/tutorials/self-managed-deployment/upgrade-version#upgrade-version

achetronic (Author) commented:

Hey @moduli, as promised I have upgraded Boundary to 0.17.0 and I have seen the feature implemented.

I have to play a bit before giving feedback :)

achetronic (Author) commented:

Hi @moduli, I have used your recommended approach and simplified roles, etc. to give the proper feedback, there we go :)

1. Global Admin Role

I have a Role in global scope called GlobalAdmin, with the following grants:

ids=*;type=*;actions=*
  • This role has scope this and descendants
  • Several users in a group called admins@company.com are the principals for this

2. Global Authenticated Role

Another role is in global scope called GlobalAuthenticatedUser with the following grants:

ids={{.Account.Id}};actions=read,change-password
ids=*;type=scope;actions=read,list
ids=*;type=session;actions=list,read:self,cancel:self
type=target;actions=list
ids=*;type=auth-token;actions=list,read:self,delete:self
ids=*;type=auth-method;actions=list
  • This role has scope this and descendants
  • authenticated are the principals for this role

3. Project Role

I have another role called Everyone configured in a project, with the following grants:

ids=ttcp_3TVykHRQLM;type=target;actions=read,authorize-session
  • This role has scope this
  • everyone@company.com are the principals for this role. This includes the people inside admins@company.com

The problem I'm observing is that admins are losing permissions on that project scope.
I expected that admins keep the admin permissions, but what is happening is that, in that project, admins can observe ONLY that target, and not the others, due to that project role.

Can you give your opinions or help on this topic? I think managing permissions is super important, and with grants being additive with the descendants, projects should behave by keeping all the permissions, not removing them IMHO.
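As an added example (not Boundary's implementation and not code from this thread), the following Python models the additive grant evaluation referred to in moduli's grant-scope comment and in the three-role setup above, so a defender can state what the expected permission set is before comparing it with what the server actually returns. The scope tree, the scope ids (o_acme, p_infra) and the second target id ttcp_other are assumptions; the grant strings are the ones from the report.

```python
# Added example: a simplified model of additive grant evaluation, NOT Boundary's code.
# Scope tree, scope ids and the target id "ttcp_other" are constructed for this demo.
from dataclasses import dataclass, field
PARENT = {"global": None, "o_acme": "global", "p_infra": "o_acme"}  # constructed tree

def ancestors(scope_id):
    """Yield the parent chain of a scope, nearest first."""
    s = PARENT[scope_id]
    while s is not None:
        yield s
        s = PARENT[s]

def parse_grant(grant):
    """Parse 'ids=a,b;type=t;actions=x,y' into sets; absent keys become empty sets."""
    kv = dict(p.split("=", 1) for p in grant.split(";") if p)
    return {k: set(kv.get(k, "").split(",")) - {""} for k in ("ids", "type", "actions")}

@dataclass
class Role:
    scope_id: str                       # scope the role is defined in
    grant_scopes: set                   # any of "this", "children", "descendants"
    grants: list = field(default_factory=list)

    def applies_to(self, resource_scope):
        """Does this role reach the scope that holds the resource?"""
        return (("this" in self.grant_scopes and resource_scope == self.scope_id)
                or ("children" in self.grant_scopes and PARENT[resource_scope] == self.scope_id)
                or ("descendants" in self.grant_scopes and self.scope_id in ancestors(resource_scope)))

def grant_allows(g, rtype, rid, action):
    """Check one parsed grant against one (type, id, action) triple."""
    type_ok = not g["type"] or "*" in g["type"] or rtype in g["type"]
    act_ok = "*" in g["actions"] or action in g["actions"]
    # A grant with a type but no ids only covers the collection action (list).
    ids_ok = (action == "list") if not g["ids"] else ("*" in g["ids"] or rid in g["ids"])
    return type_ok and act_ok and ids_ok

def authorized(roles, scope, rtype, rid, action):
    """Additive semantics: a single matching grant from any reachable role is enough."""
    return any(grant_allows(g, rtype, rid, action)
               for r in roles if r.applies_to(scope) for g in r.grants)
# The three roles from the report (grants copied from the issue, scope ids constructed).
GLOBAL_ADMIN = Role("global", {"this", "descendants"}, [parse_grant("ids=*;type=*;actions=*")])
GLOBAL_AUTH = Role("global", {"this", "descendants"},
                   [parse_grant("ids=*;type=scope;actions=read,list"), parse_grant("type=target;actions=list")])
EVERYONE = Role("p_infra", {"this"},
                [parse_grant("ids=ttcp_3TVykHRQLM;type=target;actions=read,authorize-session")])
ADMIN_ROLES = [GLOBAL_ADMIN, GLOBAL_AUTH, EVERYONE]   # member of admins@ and everyone@
DEV_ROLES = [GLOBAL_AUTH, EVERYONE]                   # member of everyone@ only
```

Under this model the admin keeps read, authorize-session and list on every target in the project, which is the outcome the report expects; the restricted listing observed in the thread is where the server's actual behaviour diverges from the additive model.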

moduli (Collaborator) commented Aug 23, 2024

I'm trying to reproduce your setup. To clarify, what do you mean by "admins can observe ONLY that target"?

I did get into a situation where...

  • the admin can only list the target that is specified in the project role (potentially an issue we'll have to investigate)
  • the admin can still read/connect to the other targets in that project (which I think is the behavior you're looking for?)

achetronic (Author) commented:

Well, the issue is as you described. The admin can only see that target in the project.

Honestly, I did not try to connect, but if you need it I can try it to give deeper feedback :)

What I expected was admins to be able to see and connect to everything. In fact, in other projects where the admins are alone and no more roles are involved, admins inherit properly.

I think it's a code issue in the process of mixing permissions when several grants and scopes affect the same user. WDYT?

moduli (Collaborator) commented Aug 23, 2024

Yes. It does look like there might be something up there that we will investigate internally.

I do want to confirm that my setup matches yours. If you don't mind, could you confirm whether or not you're still able to connect to the other target even though you cannot see it when listed?

achetronic (Author) commented Aug 24, 2024

@moduli Confirmed, the situation is as you described. It's not possible to see the targets, but you can connect to them.

moduli (Collaborator) commented Aug 26, 2024

Thanks for clarifying!

achetronic (Author) commented:

@moduli Hello there :)

Any update in this regard?

moduli (Collaborator) commented Sep 5, 2024

We have filed a ticket internally. I'll forward this to the appropriate team to try to get this prioritized.

achetronic (Author) commented:

@moduli oh, thank you! :) This is affecting us a bit. I appreciate your effort.
