Manage Servers in Groups

Overview

You can group multiple servers to apply accessible accounts and policies at once. By creating server groups according to specific purposes, you can conveniently manage policies in bulk and grant the permissions for these grouped servers to individual users or user groups all at once.

It is recommended to pre-register the necessary resources for creating server groups.

1. Administrator > Servers > Connection Management > Server Account Templates

2. Administrator > Servers > Connection Management > SSH Key Configurations

Creating a Server Group

1. Navigate to the Administrator > Servers > Connection Management > Server Groups menu.

2. Click the + Create Group button in the upper right corner.

3. Enter the following information to create the group:

   1. Name: Enter a name to distinguish the server group on the screen.

   2. Description: Enter additional information about the server group.

   3. Server Tags: Filter and add servers to be included in the server group using Server Tags.

4. Click the Save button to save the group.

Server groups can be managed based on tags. By specifying a specific tag in the Server Tags of the server group, all servers with that tag can be dynamically included in the server group.

Creating/Editing a Server Group

You can create a server group by entering the information below. Some items can be edited after creation.

1. Entering Basic Information and Add Servers Using Tags

• Name: Enter the name of the server group.

• Description: Enter a description that explains the server group. When multiple administrators are involved, it is recommended to enter the name and description in detail according to the purpose for easy identification of server groups.

• Server Tags: Specify the tags of the servers you want to group to dynamically manage the targets in the server group. Servers added through tags cannot be manually deleted from the server table; you must modify the tags in Server Tags.

2. Adding Servers Manually

• In the Servers, you can check the servers belonging to the server group or manually add servers to the group.

  • Click the Add Server button at the top right to display a popup with a list of servers.

  • In the popup, select the individual servers you want to add to the server group, then click the Add button.

    • You can use the filter(:필터:) function in the popup to filter servers based on various conditions.

    • Finally, you can view the servers that have been added to the server group.

• In Information's Server Tags, even if you delete the tags related to manually added servers, the manually added servers will not be excluded from the server group. Manual removal can only be done by selecting the checkbox in the Servers table and clicking the Delete button.

• Test Connection allows you to check the account information for the servers and accounts added to the server group.

  • To use Test Connection, you must add at least one server and account to the server group.

Test Connection can only be used after saving the server group.

3. Registering Accounts

1. Enter the account information required to access the connection. There are two ways to add accounts:

   1. Click the Copy button to import already registered accounts from the Server Account Templates menu.

      1. Refer to Server Account Templates for instructions on how to register a server account template.

   2. Or, use the Add Account to manually add an account.

2. The following information must be entered or configured for each account:

   1. Account: Enter a name to distinguish the individual account.

   2. Auto Login: You can set auto-login. If set to Off, only password authentication can be used.

   3. Provisioning : Allows you to designate server accounts for automated password changes.

      1. This option is available only when Password Provisioning is enabled under Administrator > General > Company Management > Security > Server Connection Security.

      2. It will only appear when Secret Store is set to QueryPie.

   4. Auth Type: Select the authentication method for the individual account. You can choose between Password and SSH Key methods. If you want to select the SSH Key method, first change the Auto Login setting to On.

   5. Authority: If the authentication method is Password, enter the password for authentication. If it is an SSH Key, select a key already registered in SSH Key Configurations.

   6. Protocols: Set whether to allow SSH or SFTP access with the account.

3-1. Configuring Authentication via Secret Store (HashiCorp Vault) in a Server Group

When registering account information in a server group, you can use Secret Store integration to connect to the connection using pre-configured Secret Store authentication information. Pre-stored server authentication information in the Secret Store enhances security by allowing users to connect to remote servers using stored server credentials. Servers defined in Server Groups are forced to use the same Secret Store as the Server Groups.

1. Navigate to the Administrator > Servers > Connection Management > Server Groups menu and click the Create Group button to create a new server group.

   1. This method is the same as the configuration in the Administrator > Servers > Connection Management > Server Account Templates menu.

2. In the Secret Store field, select a previously registered Secret Store.

3. Only K/V items from the Secret Engine types stored in the Secret Store are supported.

4. Click the Add Account button.

   1. In the Alias field, enter the server account name to be displayed to users.

   2. Enter the Vault Path in the Account / Authority field.

   3. The Path format can be entered as prod_os/data/linux?account.

   4. In the example, the actual path in Vault is prod_os > linux where the key is account.

   5. The /data path in the middle must be added.

5. Click the Save button to save the server group information.

3-2. Setting Up Authentication Using Secret Store in Server Groups (Based on HashiCorp Vault SSH OTP Engine)

By using HashiCorp Vault's SSH OTP engine, server accounts can be managed in a passwordless manner. However, the Vault server agent, vault-ssh-helper, must be installed on the server. Please refer to the official HashiCorp Vault guide for detailed instructions.

1. Navigate to Administrator > Servers > Connection Management > Server Groups menu and create a new server group by clicking the Create Group button.

   1. This is the same setup method as in Administrator > Servers > Server Account Management > Server Account Templates menu.

2. In the input fields, select the previously registered Secret Store entry in the Secret Store field.

3. Choose the SSH OTP entry from the available Secret Engine types stored in the Secret Store settings.

4. Click the Add Account button.

   1. Enter the account you want to access. This account must be included in the Allowed users when creating the Vault OTP role.

   2. In the Authority field, enter the Vault Path.

      1. The path should be entered in the format of engine/creds/role.

4. Assigning a Server Group Owner

You can assign a server group owner and designate them as the approver for workflows.

1. Click the Assign Owners button in the upper right corner to open a pop-up displaying Users and User Groups.

2. In the pop-up window, select the User or User Group to designate as the server group owner and click the Save button.

3. You can confirm the User or User Group designated as the owner in the server group.

4. Click the Save Changes button to save.