Updated on 2025-02-17 GMT+08:00

Overview of Login Users, Roles, and Resource Accounts

You can manage instances by login users, roles, and resource account types to support your needs for different scenarios.

Login Users

You can centrally manage all system users. A system user you create for a bastion host is an account you can use for logging in to the bastion host.

The system administrator admin is the account used for the first login to a bastion host. The admin user has the highest operation permissions, and these permissions cannot be deleted or changed.

  • System operation permissions of different users vary depending on their roles.
  • Resource operation permissions can be assigned to users by user group.

Only admin or users with permissions for the User module can manage system users, including creating users, batch importing and exporting users, resetting user accounts and passwords, moving users to another department, changing user roles, adding users to user groups, configuring user login permissions, enabling and disabling users, and batch managing users.

User Groups

A user group includes multiple users. You can authorize users in batches by authorizing the corresponding user group. For details, see Creating an ACL Rule and Associating It with Users and Resource Accounts.

Only system administrator admin or the users with the permissions for the User module can manage user groups, including creating a user group, maintaining members in the user group, managing user group information, and deleting the user group.

A user group is associated with a department and does not belong to an individual user. By default, a user group created by the current login user belongs to the department of the user. The department cannot be changed. Users who have the user group permissions can only view the information about all the user groups of their departments and lower-level departments.

  • The administrator of a superior department can add a user in the superior department to a user group in a lower-level department.
  • If you have the permissions for the User module, you can view user group details. However, for the user groups in the superior department, you can view only the user list of the user group.
  • If you have the permissions for the User module, you can remove a user of a superior department out of a user group. However, as a user in a lower-level department, you have no permissions to add those removed users back to the user group.
  • A user can be added to multiple user groups.

User Roles

CBH provides several preconfigured roles. You can use these roles to allocate permissions to view and use different modules in a CBH system.

In a bastion host, only admin has the permission to customize roles and modify permissions for roles.

After a user is created, you can associate a role with the user to implement access control. A user can be associated with only one role.

By default, each instance has the following default roles: the department manager, policy manager, audit manager, and operation user. The default roles cannot be deleted, but their permissions can be modified.

You can also customize roles to configure the permission scope. However, only the admin user has the permission to create custom roles and edit the permission scope of default roles.
Table 1 Default roles

  • DepartmentManager: The department operation manager, who manages the bastion host system. This role has the configuration permissions for all modules except the User and Role modules.
  • PolicyManager: The user permission policy administrator, who manages host operation permissions. This role has the configuration permissions for the user management, resource group management, and access policy management modules.
  • AuditManager: The O&M result audit administrator, who queries and manages system audit data. This role has the configuration permissions for the real-time session, historical session, and system log modules.
  • User: Common users and operators who access the system. This role has the permissions for O&M of resources, such as host and application resources, and for service ticket authorization management.
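The following added example, which is not CBH's own code, models the role rules stated in this section: the four default roles with the module permissions listed in Table 1, a user bound to exactly one role, role customization reserved for admin, and default roles that can be edited but never deleted. The module identifiers, class names and helper methods are constructed assumptions; the page names the modules only in prose.

```python
from dataclasses import dataclass

ADMIN = "admin"  # built-in system administrator; its permissions are fixed

# Constructed module identifiers (assumption): the page names modules only in prose.
ALL_MODULES = frozenset({
    "User", "Role", "Department", "Resource", "ResourceGroup", "AccessPolicy",
    "RealTimeSession", "HistorySession", "SystemLog",
    "HostOps", "AppOps", "TicketAuthorization",
})

# Module sets of the four default roles, following Table 1.
DEFAULT_ROLES = {
    "DepartmentManager": set(ALL_MODULES - {"User", "Role"}),
    "PolicyManager": {"User", "ResourceGroup", "AccessPolicy"},
    "AuditManager": {"RealTimeSession", "HistorySession", "SystemLog"},
    "User": {"HostOps", "AppOps", "TicketAuthorization"},
}


@dataclass
class Role:
    name: str
    modules: set
    is_default: bool


class RoleRegistry:
    """Roles, their module permissions, and the one-role-per-user binding."""

    def __init__(self) -> None:
        self.roles = {n: Role(n, set(m), True) for n, m in DEFAULT_ROLES.items()}
        self.user_role: dict[str, str] = {}  # login user -> role name

    def modules_of(self, user: str) -> set:
        if user == ADMIN:
            return set(ALL_MODULES)  # admin holds every permission
        role = self.user_role.get(user)
        return set(self.roles[role].modules) if role else set()

    def can_use(self, user: str, module: str) -> bool:
        return module in self.modules_of(user)

    def create_custom_role(self, actor: str, name: str, modules) -> Role:
        self._require_admin(actor)  # only admin may create custom roles
        if name in self.roles:
            raise ValueError(f"role {name} already exists")
        unknown = set(modules) - ALL_MODULES
        if unknown:
            raise ValueError(f"unknown modules: {sorted(unknown)}")
        self.roles[name] = Role(name, set(modules), False)
        return self.roles[name]

    def set_modules(self, actor: str, name: str, modules) -> None:
        self._require_admin(actor)  # default roles may be edited, but only by admin
        self.roles[name].modules = set(modules) & ALL_MODULES

    def delete_role(self, actor: str, name: str) -> None:
        self._require_admin(actor)
        if self.roles[name].is_default:
            raise ValueError(f"default role {name} cannot be deleted")
        del self.roles[name]

    def assign_role(self, actor: str, user: str, role_name: str) -> None:
        # Changing a user's role is a User-module operation (admin always may).
        if actor != ADMIN and not self.can_use(actor, "User"):
            raise PermissionError(f"{actor} lacks the User module permission")
        if user == ADMIN:
            raise PermissionError("admin permissions cannot be changed")
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.user_role[user] = role_name  # exactly one role: replaces any earlier binding

    @staticmethod
    def _require_admin(actor: str) -> None:
        if actor != ADMIN:
            raise PermissionError("only admin can customize roles")
```

Because a user holds a single role, `assign_role` overwrites rather than accumulates; a practitioner auditing who can reach the User or Role modules therefore only needs to inspect each user's one binding plus the admin account.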

Resource Accounts

A resource account is used to log in to resources managed in a bastion host instance. After logging in to a resource, you can perform operations.

A host or application resource may have multiple resource accounts configured. Each managed host or application account is considered a resource account. You do not need to enter the username or password when you log in to a managed host using one of its managed resource accounts.

If no accounts are added for a host or application resource, the Empty account is generated by default. In this situation, when you log in to the host or application resource through your bastion host, a username and password are required.

Resource Account Groups

After you add multiple managed resource accounts to an account group, you can then authorize and authenticate accounts in batches by authorizing the corresponding account group.

Only system administrator admin or the user who has the account group management permission can manage account groups, including creating an account group, maintaining resources related to an account group, managing account group information, and deleting an account group.

An account group is associated with a department and does not belong to an individual. The account group created by the current login user belongs to the user's department by default. The department cannot be modified.

A user with the account group management permission can view information about all account groups of the same or lower-level departments.

  • The administrator of a superior department can add accounts of the superior department to the account group of a lower-level department. If you are a user in the lower-level department and have permissions for the Account Group module, you can view only the list but not the details of the accounts added from the superior department.
  • You can also remove an account of a superior department from the account group. However, as a user in a lower-level department, you have no permissions to add those removed accounts back to your current account group.
  • A resource account can be added to multiple account groups.
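The user group rules (User Groups section) and the account group rules (this section) share the same department-scoped model: a group belongs to the department of the user who created it, visibility covers the creator's department and lower-level departments, a superior-department administrator may add superior-department members to a lower-level group, and a lower-level user may remove such members but cannot add them back and sees only their list entry. The following added example, which is not CBH's own code, models that shared rule set once for both kinds of group. The class names, the module permission flag and the sample departments are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Department:
    name: str
    parent: Optional["Department"] = None

    def is_within(self, scope: "Department") -> bool:
        """True if this department is `scope` itself or one of its lower-level departments."""
        d: Optional[Department] = self
        while d is not None:
            if d == scope:
                return True
            d = d.parent
        return False


@dataclass(frozen=True)
class Member:
    """A login user or a managed resource account; both carry a department."""
    name: str
    department: Department


@dataclass(frozen=True)
class Actor:
    """A login user; `has_group_module` stands for the User or Account Group module permission (assumed flag)."""
    name: str
    department: Department
    has_group_module: bool = False


@dataclass
class Group:
    """A user group or account group, bound to its creator's department and never moved."""
    name: str
    department: Department
    members: set = field(default_factory=set)


class GroupDirectory:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}

    def create_group(self, actor: Actor, name: str) -> Group:
        self._require_module(actor)
        self.groups[name] = Group(name, actor.department)  # belongs to the creator's department
        return self.groups[name]

    def visible_groups(self, actor: Actor) -> list:
        """Groups of the actor's own department and its lower-level departments."""
        self._require_module(actor)
        return sorted(n for n, g in self.groups.items() if g.department.is_within(actor.department))

    def add_member(self, actor: Actor, group: Group, member: Member) -> None:
        self._require_module(actor)
        self._require_visible(actor, group)
        # Only an actor whose scope covers the member may add it: a superior-department
        # administrator can add a superior member to a lower-level group, but a
        # lower-level user cannot add (or re-add) a superior-department member.
        if not member.department.is_within(actor.department):
            raise PermissionError(f"{actor.name} cannot add {member.name} from a superior department")
        group.members.add(member)

    def remove_member(self, actor: Actor, group: Group, member: Member) -> None:
        self._require_module(actor)
        self._require_visible(actor, group)
        group.members.discard(member)  # removal is allowed even for superior-department members

    def list_members(self, actor: Actor, group: Group) -> list:
        self._require_module(actor)
        self._require_visible(actor, group)
        return sorted(m.name for m in group.members)  # the list is always visible

    def member_details(self, actor: Actor, group: Group, member: Member) -> dict:
        """Details are hidden for members that were added from a superior department."""
        self._require_module(actor)
        self._require_visible(actor, group)
        if member not in group.members:
            raise KeyError(member.name)
        if not member.department.is_within(actor.department):
            raise PermissionError(f"only the list entry of {member.name} is visible to {actor.name}")
        return {"name": member.name, "department": member.department.name}

    @staticmethod
    def _require_module(actor: Actor) -> None:
        if not actor.has_group_module:
            raise PermissionError(f"{actor.name} lacks the group module permission")

    @staticmethod
    def _require_visible(actor: Actor, group: Group) -> None:
        if not group.department.is_within(actor.department):
            raise PermissionError(f"{group.name} is outside {actor.name}'s department scope")


def _attempt(fn) -> str:
    try:
        fn()
        return "allowed"
    except PermissionError as exc:
        return f"denied: {exc}"


def demo() -> dict:
    """Walk the asymmetric add/remove rules with constructed departments HQ > Ops."""
    hq, ops = Department("HQ"), Department("Ops", Department("HQ"))
    hq_admin, ops_admin = Actor("hq-admin", hq, True), Actor("ops-admin", ops, True)
    alice, bob = Member("alice", hq), Member("bob", ops)  # alice is from the superior department
    d, out = GroupDirectory(), {}
    d.create_group(hq_admin, "hq-all")
    oncall = d.create_group(ops_admin, "ops-oncall")
    out["hq_sees"], out["ops_sees"] = d.visible_groups(hq_admin), d.visible_groups(ops_admin)
    d.add_member(ops_admin, oncall, bob)
    d.add_member(hq_admin, oncall, alice)  # superior admin adds a superior user to a lower-level group
    out["listed"] = d.list_members(ops_admin, oncall)
    out["alice_details_for_ops"] = _attempt(lambda: d.member_details(ops_admin, oncall, alice))
    d.remove_member(ops_admin, oncall, alice)  # lower-level user may remove her ...
    out["readd_by_ops"] = _attempt(lambda: d.add_member(ops_admin, oncall, alice))  # ... but not re-add
    d.add_member(hq_admin, oncall, alice)
    out["final"] = d.list_members(hq_admin, oncall)
    return out


if __name__ == "__main__":
    print(demo())
```

The asymmetry is deliberate: membership changes are scoped by who the actor is allowed to manage (members within their own scope), while removal only requires the group itself to be visible. That is why a lower-level administrator who removes a superior-department user or account has to ask the superior department to restore it.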