After you add a user to Bastionhost, grant that user access to specific assets before they can log on and perform O&M operations. This topic explains how to grant a user access to assets (hosts, databases, or applications) and to the accounts of those assets, and how to revoke access when it is no longer needed.
Prerequisites
Before you begin, make sure that you have:
A user added to the Bastionhost instance. See Manage users.
The assets and asset accounts you want to authorize already added to the Bastionhost instance. See Add hosts, Manage a host account, and Use the database management feature.
Grant a user access to assets
The following procedures cover all three asset types: hosts, databases, and applications. Each starts from the Users page of your Bastionhost instance.
Grant access to hosts
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize Hosts in the Actions column.
On the Managed Hosts tab, click Authorize Hosts.
In the Authorize Hosts panel, select one or more hosts and click OK.
The selected hosts appear on the Managed Hosts tab. To perform O&M operations on those hosts, you must also grant the user access to the corresponding host accounts.
Grant access to databases
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize User to Manage Databases in the Actions column.
On the Managed Databases tab, click Authorize User to Manage Databases.
In the Authorize User to Manage Databases panel, select one or more databases and click OK.
The selected databases appear on the Managed Databases tab. The user can now perform O&M operations on those databases.
Grant access to applications
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user and click Authorize Application in the Authorize Application column.
On the Authorized Applications tab, click Authorize Application. In the panel that appears, select one or more applications and click OK.
The selected applications appear on the Authorized Applications tab. The user can now perform O&M operations on those applications.
Grant a user access to asset accounts
Asset access (granted above) determines which assets a user can see. Account access determines which accounts on those assets the user can use to connect. Grant account access after the user has been authorized for the corresponding assets.
Grant access to an account of a single asset
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click the name of the user.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, locate the asset. In the Authorized Accounts column, click No accounts found. Click here to authorize the user to manage the accounts of the asset group.

In the Select Account panel, select the account and click Update.
If no accounts appear, click Create Host Account to create an asset account.
The account is now listed under the asset in the Authorized Accounts column. The user can log on to the asset using that account.
Grant access to accounts of multiple assets at once
Use this procedure to bind the same account name to multiple assets in one operation.
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click the name of the user.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets and choose Batch > Bind Accounts to Multiple Asset Groups below the list.

Enter the account name and click Update.
You can specify only one account name per batch operation.
The account is bound to all selected assets. The user can now log on to each of those assets using that account.
Revoke access to assets
To follow the principle of least privilege, remove assets from a user's authorized list when the user no longer needs to perform O&M operations on them.
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click the name of the user.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets to remove and click Remove below the list.

In the dialog box, click Remove.
The assets are removed from the user's authorized list. The user can no longer perform O&M operations on them.
Revoke account access for multiple assets at once
To apply the principle of least privilege at the account level, use this procedure to unbind the same account name from multiple assets in one operation.
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance resides.
In the Bastionhost instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click the name of the user.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, select the assets and choose Batch > Remove Accounts of Multiple Asset Groups below the list.
Enter the account name and click Update.
You can specify only one account name per batch operation.
The account is unbound from all selected assets.
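The procedures above describe two separate layers of authorization: a user must first be granted the asset, and then an account on that asset, before a connection is possible; batch operations bind or unbind one account name across several assets at once; and revoking an asset takes the user's ability to operate on it away regardless of account bindings. The following script is an added illustration of that model and is not Bastionhost code or part of the original page. The class, method names, asset names and account names are constructed for the example; the choice to drop stored account bindings when an asset is revoked is an assumption of this model, not a documented console behaviour.

```python
"""Toy model of the two-layer Bastionhost authorization described above.

Added example, not Alibaba Cloud code. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class UserAuthorization:
    """Per-user state: which assets are visible, and which accounts on
    each asset the user may connect with."""
    assets: set[str] = field(default_factory=set)
    # asset name -> set of account names bound for this user on that asset
    accounts: dict[str, set[str]] = field(default_factory=dict)

    # --- layer 1: asset access (Authorize Hosts / Databases / Applications) ---
    def authorize_assets(self, *assets: str) -> None:
        self.assets.update(assets)

    def remove_assets(self, *assets: str) -> None:
        """Revoke assets (the 'Remove' action). Assumption of this model:
        account bindings stored under a revoked asset are dropped too."""
        for asset in assets:
            self.assets.discard(asset)
            self.accounts.pop(asset, None)

    # --- layer 2: account access (Select Account / Batch bind) ---
    def bind_account(self, asset: str, account: str) -> None:
        """Account access is only meaningful on an asset the user already
        holds; refuse to bind otherwise, mirroring the required order."""
        if asset not in self.assets:
            raise PermissionError(f"{asset!r} not authorized; grant asset access first")
        self.accounts.setdefault(asset, set()).add(account)

    def batch_bind(self, assets: list[str], account: str) -> None:
        """'Bind Accounts to Multiple Asset Groups': one account name per batch."""
        for asset in assets:
            self.bind_account(asset, account)

    def batch_unbind(self, assets: list[str], account: str) -> None:
        """'Remove Accounts of Multiple Asset Groups': one account name per batch."""
        for asset in assets:
            self.accounts.get(asset, set()).discard(account)

    # --- checks a reviewer would run ---
    def can_connect(self, asset: str, account: str) -> bool:
        """A logon needs both layers: the asset and an account on it."""
        return asset in self.assets and account in self.accounts.get(asset, set())

    def assets_without_accounts(self) -> set[str]:
        """Assets granted but unusable for O&M until an account is bound."""
        return {a for a in self.assets if not self.accounts.get(a)}


def demo() -> dict[str, object]:
    """Walk through grant, batch bind, batch unbind and revoke with
    constructed asset and account names; returns the intermediate checks."""
    user = UserAuthorization()
    user.authorize_assets("host-web-01", "host-web-02", "db-orders")
    pending = set(user.assets_without_accounts())          # nothing bound yet

    user.batch_bind(["host-web-01", "host-web-02"], "ops")  # one name, two assets
    after_bind = (
        user.can_connect("host-web-01", "ops"),
        user.can_connect("db-orders", "ops"),                # no account bound on the DB
    )

    user.batch_unbind(["host-web-01"], "ops")
    after_unbind = user.can_connect("host-web-01", "ops")

    user.remove_assets("host-web-02")                        # revoke the asset itself
    after_revoke = user.can_connect("host-web-02", "ops")

    return {
        "pending": pending,
        "after_bind": after_bind,
        "after_unbind": after_unbind,
        "after_revoke": after_revoke,
        "still_pending": user.assets_without_accounts(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful check for an access review is assets_without_accounts: it lists assets a user holds but cannot yet use, which is the state described after the host-authorization procedure, and, read the other way, assets that could be removed outright if the user never needed an account on them.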