Managing Access in Border0

Access Types (Administrators vs Clients)

When thinking of access management in Border0, it is useful to recognize two distinct types of access:

  • Administrator Access: administrators can create and remove other users, service accounts, connectors, and policies, and can change socket configuration, organization settings, and so on. Administrator privileges are managed with Role-Based Access Control (RBAC).
  • Client Access: clients can connect to sockets/services. That is, they can connect to databases, SSH servers, and web applications, but they can neither see nor change the configuration of your Border0 organization. Client privileges are managed with Policies.

Note that Administrators can also behave as Clients if (and only if) they are referenced in any Policies.

Entity Types (Users vs Service Accounts)

In Border0 there are two entities capable of interacting with your Border0 resources as either an administrator, a client, or both:

  • Users: Users represent human users, i.e. people in your organization.
    • When logging in as an administrator, they authenticate against their Border0 account with either username and password, Google, or GitHub, and can then perform administrative actions in accordance with their assigned role.
    • When logging in as a client, they authenticate against your Border0 organization with the identity provider(s) configured for that organization, and can then connect to sockets in accordance with the policies they are referenced in.

Your Clients Don't Need a Border0 Account!

Note that your Border0 Organization's users only need a Border0 Account if they will be managing your Border0 Organization. If they will only ever be clients (i.e. connecting to sockets), they do not need a Border0 account.

  • Service Accounts: Service Accounts represent entities for programmatic usage of Border0 (as an administrator, a client, or both). Credentials can be generated for a service account so that your programs or other services can interact with your Border0 organization programmatically.
    • When used for the Border0 (administrator) API, they can perform administrative actions in accordance with their assigned role.
    • When used as a socket client, they can connect to sockets in accordance with the policies they are referenced in.