Bastionhost allows you to authorize a user to manage host groups. After you add a user, you can authorize the user to manage host groups. After the host groups are authorized for the user to manage, the user can log on to a bastion host to perform O&M operations on the hosts in the host groups. This topic describes how to authorize a user to manage host groups.

Authorize a user to manage host groups

To authorize a user to manage host groups, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user group that you want to authorize to manage host groups and click Authorize Host Groups in the Actions column.
    Authorize a user to manage host groups
  4. On the Authorized Host Groups tab, click Authorize Host Groups.
  5. In the Authorize Host Groups panel, select one or more host groups that you want to authorize for the user to manage and click OK. Authorize a user to manage host groups

Remove the host groups that a user is authorized to manage

If a user is no longer required to manage specific host groups, perform the following steps to remove the host groups that the user is authorized to manage to achieve the principle of least privilege:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user and click Authorize Host Groups in the Actions column.
    Authorize a user to manage host groups
  4. Select the host groups that you want to remove and click Remove.
    Remove the host groups that a user is authorized to manage
  5. In the message that appears, click Remove.

Authorize the accounts of a single host group for a user

To authorize the accounts of a single host group for a user group, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user group that you want to authorize to manage host groups and click Authorize Host Groups in the Actions column.
    Authorize a user to manage host groups
  4. On the Authorized Host Groups tab, click None. Authorize accounts.
    Authorize the accounts of a single host group for a user
    Note If you want to modify the accounts that are authorized for the user, you can click the account name in the Authorized Accounts column and specify the Accounts parameter.
  5. In the Select Accounts panel, specify Accounts. Select Accounts
  6. Click Update.

Authorize the accounts of multiple host groups for a user

To authorize the accounts of multiple host groups for a user at a time, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user group that you want to authorize to manage host groups and click Authorize Host Groups in the Actions column.
    Authorize a user to manage host groups
  4. On the Authorized Host Groups tab, select the host groups whose accounts you want to authorize for the user and choose Batch > Batch Authorize Accounts.
    Authorize the accounts of multiple host groups for a user
  5. In the Batch Authorize Accounts panel, specify Accounts.
    Update accounts of multiple host groups
  6. Click Update.

Remove the accounts of multiple host groups that are authorized for a user

To remove the accounts of multiple host groups that are authorized for a user at a time, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user from whom you want to remove the accounts of multiple host groups and click Authorize Host Groups in the Actions column.
    Authorize a user to manage host groups
  4. On the Authorized Host Groups tab, select the host groups and choose Batch > Batch Remove Authorized Accounts.
    Remove the accounts of multiple host groups that are authorized for a user
  5. In the Batch Remove Authorized Accounts panel, specify Accounts.
    Batch Remove Authorized Accounts
  6. Click Update.