Authorize hosts by user group - User Guide (V3.2)| Alibaba Cloud Documentation Center

Host authorization is to associate users with host assets in Bastionhost. If you authorize hosts by user group, users in a user group can access only the hosts authorized to the user group. This topic describes how to authorize hosts and their accounts by user group. This topic also describes how to maintain these hosts and accounts.

Background information

The differences between host authorization by user and host authorization by user group are described as follows:

Host authorization by user: Hosts and their accounts are authorized for a single user.
Host authorization by user group: A user group is a collection of users. Authorization for a user group is to authorize multiple hosts and their accounts for all the users in this user group at a time.

Authorize hosts

To authorize hosts for a user group, follow these steps:

Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
In the left-side navigation pane, click Users > User Groups.
Find the target user group and click Authorize Hosts in the Actions column.
On the Authorized Hosts tab that appears, click Authorize Hosts.
In the Authorize Hosts pane that appears, select one or more hosts that you want to authorize for the user group to maintain and click OK.

Remove authorized hosts

If a user group does not need to maintain certain hosts, follow these steps to remove the authorized hosts to achieve the principle of least privilege:

Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
In the left-side navigation pane, click Users > User Groups.
Find the target user group and click Authorize Hosts in the Actions column.
On the Authorized Hosts tab that appears, select the authorized hosts you want to remove and click Remove in the lower-left corner.
In the message that appears, click Remove.

Authorize the accounts of a single host

To authorize the accounts of a single host for a user group, follow these steps:

Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
In the left-side navigation pane, click Users > User Groups.
Find the target user group and click Authorize Hosts in the Actions column.
On the Authorized Hosts tab that appears, find the target host and click the information in the Authorized Accounts column.
In the Select Accounts pane that appears, select one or more accounts and click Update.

Note If the host does not have an account, you can click Create Host Account in the Select Accounts pane to create one first.

Authorize the accounts of multiple hosts

To authorize the accounts of multiple hosts for a user group at a time, follow these steps:

Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
In the left-side navigation pane, click Users > User Groups.
Find the target user group and click Authorize Hosts in the Actions column.
On the Authorized Hosts tab that appears, select the target hosts and select Batch Authorize Accounts from the Batch drop-down list.
In the Batch Authorize Accounts pane that appears, specify Accounts.

Note Currently, you can select only one host account at a time during the authorization of host accounts.
Click Update.

Remove the authorized accounts of multiple hosts

To remove the authorized accounts of multiple hosts from a user group at a time, follow these steps:

Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
In the left-side navigation pane, click Users > User Groups.
Find the target user group and click Authorize Hosts in the Actions column.
On the Authorized Hosts tab that appears, select the target hosts and select Batch Remove Authorized Accounts from the Batch drop-down list.
In the Batch Remove Authorized Accounts pane that appears, specify Accounts.

Note Currently, you can select only one host account at a time during the removal of authorized host accounts.
Click Update.