When your organization has multiple teams with different access requirements — for example, developers who need access to staging servers but not production, or operations engineers who manage a specific set of databases — you can grant users access to specific asset groups in Bastionhost. Access is controlled in two layers:
Asset group access — grants the user permission to manage a given asset group.
Account authorization — specifies which accounts the user can use to log on to assets in that group.
Both layers must be configured before a user can connect to an asset.
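The two-layer rule above, as an added example (constructed for this page, not Bastionhost code or its API): a small model in which a connection is allowed only when some authorized asset group contains the asset and the account is authorized for that same group, together with the batch bind/remove and group-removal operations the procedures below perform in the console. The group, asset and account names are made up.

```python
"""Constructed model of Bastionhost's two-layer asset-group authorization.

Illustration only: not Bastionhost code or its SDK. Names are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """Per-user state: authorized asset groups (layer 1) and, per group,
    the accounts the user may log on with (layer 2)."""
    groups: set[str] = field(default_factory=set)
    accounts: dict[str, set[str]] = field(default_factory=dict)

    def authorize_groups(self, *groups: str) -> None:
        """Authorize User to Manage Asset Groups."""
        self.groups.update(groups)

    def authorize_accounts(self, group: str, *names: str) -> None:
        """Layer 2 requires layer 1: accounts only bind to a granted group."""
        if group not in self.groups:
            raise ValueError(f"{group!r} is not an authorized asset group")
        self.accounts.setdefault(group, set()).update(names)

    def bind_account_to_groups(self, name: str, groups) -> None:
        """Batch > Bind Accounts to Multiple Asset Groups."""
        for g in groups:
            self.authorize_accounts(g, name)

    def remove_account_from_groups(self, name: str, groups) -> None:
        """Batch > Remove Accounts of Multiple Asset Groups."""
        for g in groups:
            self.accounts.get(g, set()).discard(name)

    def remove_groups(self, *groups: str) -> None:
        """Removing a group drops both layers for it (least privilege)."""
        for g in groups:
            self.groups.discard(g)
            self.accounts.pop(g, None)


def can_connect(auth: Authorization, asset_groups: dict[str, set[str]],
                asset: str, account: str) -> bool:
    """True only if an authorized group contains the asset AND the account
    is authorized for that same group; either layer missing denies."""
    return any(
        asset in asset_groups.get(g, set())
        and account in auth.accounts.get(g, set())
        for g in auth.groups
    )
```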
Prerequisites
Before you begin, ensure that you have:
A user added to the bastion host (see Manage users)
Assets and asset accounts added to the bastion host. For hosts, see Add hosts and Manage a host account. For databases, see Use the database management feature
Asset groups created with assets added to them (see Manage asset groups)
Authorize a user to manage asset groups
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Asset Groups in the Actions column.
On the Managed Asset Groups tab, click Authorize User to Manage Asset Groups.
In the Authorize User to Manage Asset Groups panel, select the asset groups to authorize and click OK.
Authorize a user to manage accounts in asset groups
After authorizing a user to manage asset groups, grant access to specific accounts within those groups. Choose the approach based on how many asset groups you need to update.
Authorize accounts in a single asset group
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Asset Groups in the Actions column.
On the Managed Asset Groups tab, find the asset group and click the "No accounts found. Click here to authorize the user to manage the accounts of the asset group" link.
In the Select Account panel, select the accounts to authorize and click OK.
Bind accounts to multiple asset groups at once
Use this approach to assign the same account to assets across multiple asset groups simultaneously.
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Asset Groups in the Actions column.
On the Managed Asset Groups tab, select the asset groups to update, then choose Batch > Bind Accounts to Multiple Asset Groups below the list.
In the Accounts section, enter the account name and click Update.
Remove asset groups from a user's authorized list
To follow the principle of least privilege, remove asset groups when a user no longer needs O&M access to them.
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Asset Groups in the Actions column.
On the Managed Asset Groups tab, select the asset groups to remove and click Remove below the list.
In the dialog box that appears, click Remove.
Remove accounts from multiple asset groups at once
To remove an account from assets across multiple asset groups simultaneously:
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Asset Groups in the Actions column.
On the Managed Asset Groups tab, select the asset groups whose account you want to remove, then choose Batch > Remove Accounts of Multiple Asset Groups below the list.
In the Accounts section, specify the account to remove and click Update.