Authorize a user group to manage assets and asset accounts - Bastionhost

After you create a user group in the console of a bastion host, you can authorize the user group to manage assets. This way, the users in the user group can log on to the bastion host to perform O&M operations on the assets. This topic describes how to authorize a user group to manage assets and asset accounts.

Prerequisites

A user group is created and users are added to the user group. For more information, see Create a user group and Add members to or remove members from a user group.
The assets and asset accounts that you want to authorize the user group to manage are added to the bastion host. For more information, see Add hosts, Manage a host account, and Use the database management feature.

Authorize a user group to manage assets

Authorize a user group to manage hosts

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, find the user group that you want to authorize to manage hosts and click Authorize Hosts in the Actions column.
On the Managed Hosts tab, click Authorize Hosts.
In the Authorize Hosts panel, select one or more hosts that you want to authorize the user group to manage and click OK.

Authorize a user group to manage databases

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, find the user group that you want to authorize to manage databases and click Authorize User to Manage Databases in the Actions column.
On the Managed Databases tab, click Authorize User to Manage Databases.
In the Authorize User to Manage Databases panel, select one or more databases that you want to authorize the user group to manage and click OK.

Authorize a user group to manage applications

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, find the user group that you want to authorize to manage applications and click Authorize Application in the Actions column.
On the Authorized Applications tab, click Authorize Application. In the panel that appears, select one or more applications that you want to authorize the user group to manage and click OK.

Authorize a user group to manage the accounts of one or more assets

Authorize a user group to manage an account of a single asset

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, click the name of the user group that you want to authorize.
On the Managed Hosts, Managed Databases, or Authorized Applications tab, click No accounts found. Click here to authorize the user to manage the accounts of the asset group. in the Authorized Accounts column.
In the Select Account panel, select the asset account that you want to authorize the user group to manage and click Update.
Note
If no account is displayed, click Create Host Account to create an asset account.

Authorize a user group to manage an account of multiple assets at a time

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, click the name of the user group that you want to authorize.
On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets whose account you want to authorize the user group to manage and choose Batch > Bind Accounts to Multiple Asset Groups below the list.
Enter the name of the account and click Update.
Note
You can specify only one account.

Remove assets from the list of assets that a user group is authorized to manage

If a user group no longer needs to manage some assets, follow the principle of least privilege to remove these assets from the list of assets that the user group is authorized to manage.

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, click the name of the user group that you want to authorize.
On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets that you want to remove and click Remove below the list.
In the dialog box that appears, click Remove.

Remove the account of multiple assets from the list of asset accounts that a user group is authorized to manage

Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Users > User Groups.
On the User Groups page, click the name of the user group that you want to authorize.
On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets whose account you want to remove and choose Batch > Remove Accounts of Multiple Asset Groups below the list.
Enter the name of the account and click Update.
Note
You can specify only one account.