Introduction
This article explains how to resolve an issue where users cannot see specific targets in the HashiCorp Boundary desktop app, even after appropriate target filtering grants have been applied. The solution involves ensuring proper global authentication grants are in place alongside target-specific access rules.
Problem
When configuring HashiCorp Boundary grants to restrict access to specific targets (e.g., ids=ttcp_N8T6idLFPB;actions=read,authorize-session), users may find that the designated target does not appear in the Boundary desktop app. This occurs despite correct target-specific grants, indicating an underlying issue with how the Boundary UI handles user authentication sessions when highly restrictive grants are present.
Solution
The core of this issue lies in the user's ability to manage their own authentication tokens within Boundary, which is crucial for the desktop app's functionality. To resolve this and enable target visibility while maintaining strict access control, a global authentication grant is required.
Follow these steps to configure the necessary grants:
- Grant for Authentication Token Management: Add the following global grant rule. This rule allows users to view, list, and delete their own authentication tokens, which is essential for the Boundary desktop app to operate correctly and display any accessible resources.
  ids=*;type=auth-token;actions=delete:self,list,read:self
- Grant for Target-Specific Access: In addition to the above, ensure you have a grant that specifically defines the target(s) the user should access. This grant limits the user to only the designated target(s).
  ids=ttcp_N8T6idLFPB;actions=read,authorize-session
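The two grants above can be checked together before a role is rolled out. The following is an added example, not HashiCorp code: it parses the grant strings and reports which of the three auth-token actions listed in this article are absent. The names parse_grant, audit and REQUIRED are hypothetical, and the check is a literal string comparison that does not model Boundary's full grant evaluation.

```python
# Added example (not HashiCorp code): literal check of a role's grant strings.
REQUIRED = {"delete:self", "list", "read:self"}  # actions the article lists


def parse_grant(grant):
    """Split 'ids=a,b;type=t;actions=x,y' into sets; type is None if absent."""
    fields = {}
    for part in filter(None, grant.strip().split(";")):
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed grant field: {part!r}")
        fields[key.strip()] = value.strip()
    split = lambda k: {v.strip() for v in fields.get(k, "").split(",") if v.strip()}
    return {"ids": split("ids"), "type": fields.get("type"), "actions": split("actions")}


def audit(grants):
    """Report targets with authorize-session and missing auth-token actions."""
    parsed = [parse_grant(g) for g in grants]
    covered = set()
    for g in parsed:
        # Only a wildcard-id auth-token grant counts, as in the article's rule.
        if g["type"] == "auth-token" and "*" in g["ids"]:
            covered |= g["actions"]
    missing = set() if "*" in covered else REQUIRED - covered
    targets = {i for g in parsed if "authorize-session" in g["actions"] for i in g["ids"]}
    return {"targets": sorted(targets), "missing": sorted(missing)}


if __name__ == "__main__":
    # Grant strings taken from this article.
    target_only = ["ids=ttcp_N8T6idLFPB;actions=read,authorize-session"]
    both = ["ids=*;type=auth-token;actions=delete:self,list,read:self"] + target_only
    print(audit(target_only))  # the symptom case: target grant without auth-token grant
    print(audit(both))         # the configuration this article recommends
```

A non-empty "missing" list for a role that has target grants matches the symptom described in the Problem section.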
Verification
After applying both grants, instruct the user to log in to the Boundary desktop app.
- Confirm Visibility: The target with the ID ttcp_N8T6idLFPB should now be visible in the desktop app.
- Confirm Access Control: The user should only see and be able to interact with the specified target and no others.
- Confirm Functionality: The user should be able to generate credentials for the specified target without issues.
Conclusion
By combining the essential global authentication grant with target-specific access grants, users will gain the necessary visibility within the HashiCorp Boundary desktop app while strictly adhering to the defined access controls. This ensures users can interact only with their authorized targets and generate credentials as needed.
If issues persist, please review your role and grant configurations carefully, and verify that all target IDs are correct. For further assistance, contact HashiCorp support.