Account Baselines

Scenarios

In an enterprise IT environment, you need to periodically change the password of a host account to ensure the security of the host account. However, manually changing the account passwords of a large number of hosts is time-consuming, labor-intensive, and error-prone. To address this issue, account baselines are introduced to batch change the passwords of specified accounts of all hosts associated with the baseline.

Account baselines are classified into global baselines and component baselines.

• Global baseline: It is a built-in baseline of the system. It cannot be deleted for hosts that are not bound to components. To use the global baseline, you need to add a baseline account by referring to Modifying an Account Baseline. After the password change policy of the global baseline is enabled, the password will be changed periodically based on the account created in the baseline.
• Component baselines: are created instead when you create account baselines. You can create a component baseline as needed. You can add baseline accounts and components to component baselines. After the password change policy of a component baseline is enabled, the system will periodically change the passwords of the accounts created in the baseline for hosts associated with the component.

Access the application management module to organize your applications, components, and groups in a hierarchical tree structure, starting from the highest level down. You can add a batch of hosts to the same group. You can use the account baseline function to automatically manage and periodically change the passwords of host accounts. This function improves work efficiency, reduces human errors, and ensures system security.

Notes and Constraints

• For RDS for MySQL and GaussDB instance resources, the accounts to be managed must have been created on the host and have the login permission.
• The specified account for the ECS host that runs the Linux OS can be managed only if the following three conditions are met:
  • UniAgent 1.1.5 or later is installed and the UniAgent is running.
  • The host is in the running state.
  • The host account to be managed has been created and can be used to log in to the host.

Precautions

• Component baselines must be associated with components. If no proper component is available, create one. For details, see Creating a Component.
• To ensure that incremental host instances of a component can be automatically managed, you need to enable Password Change Policy for Component Baseline in Component Baseline Dimension on the Change Account Password > Password Change Policies tab page.

Creating an Account Baseline

1. Log in to COC.
2. In the navigation pane on the left, choose Resource O&M > Automated O&M.
3. In the Routine O&M area, and click Account Management.
4. Click Change Account Password in the upper left corner.
5. Click Create Account Baseline.
6. Set parameters for creating an account baseline.

   Table 1 Parameters for creating an account baseline

   Parameter		Description	Example Value
   Baseline Name		Specify a baseline name based on naming rules.	Test baseline
   Baseline Type		Account baseline type, which cannot be changed.	Component Baseline
   Baseline	Account Type	Account type. Currently, Linux, MySQL, and GaussDB accounts are supported.	Linux
   	Account	Enter an account name. The account name is the server account of the resource. This account is required for subsequent operations such as password change.	root
   	Account Class	Available options are Read-only account and Non-read-only account. This parameter is used only to distinguish accounts and does not affect actual functions.	Read-only account
   Associated Components		Select the required application or component. If you select an application, all components of the application are automatically selected. Associated components can be deleted.	-

7. Click OK.

   The account baseline is created.

Modifying an Account Baseline

1. Log in to COC.
2. In the navigation pane on the left, choose Resource O&M > Automated O&M.
3. In the Routine O&M area, and click Account Management.
4. Click Change Account Password.
5. Click Modify in the Operation column.
6. Set Modify.

   Table 2 Parameters for modifying an account baseline

   Parameter		Description	Example Value
   Baseline	Account Type	Account type. Currently, Linux, MySQL, and GaussDB accounts are supported.	Linux
   	Account	Enter an account name. The account name is the server account of the resource. This account is required for subsequent operations such as password change.	root
   	Account Class	Available options are Read-only account and Non-read-only account. This parameter is used only to distinguish accounts and does not affect actual functions.	Read-only account
   Associated Components		This parameter can be set only when Baseline Type is set to Component Baseline. Select the required application or component. If you select an application, all components of the application are automatically selected. Associated components can be deleted.	-

7. Click OK.

   The account baseline is modified.

Deleting an Account Baseline

Before deleting a baseline, you need to unbind all associated components.

1. Log in to COC.
2. In the navigation pane on the left, choose Resource O&M > Automated O&M.
3. In the Routine O&M area, and click Account Management.
4. Click Change Account Password.
5. Click Delete in the Operation column.

   The account baseline is deleted.