diff --git a/redfish-core/include/privileges.hpp b/redfish-core/include/privileges.hpp
index 08e554a..bb2c2f3 100644
--- a/redfish-core/include/privileges.hpp
+++ b/redfish-core/include/privileges.hpp
@@ -16,6 +16,7 @@
 #pragma once
 
 #include "logging.hpp"
+#include "sessions.hpp"
 
 #include <boost/beast/http/verb.hpp>
 #include <boost/container/flat_map.hpp>
@@ -53,10 +54,15 @@
 /** @brief Max number of privileges per type  */
 constexpr const size_t maxPrivilegeCount = 32;
 
-/** @brief A vector of all privilege names and their indexes */
+/**
+ * @brief A vector of all privilege names and their indexes
+ * The privilege "OpenBMCHostConsole" is added to users who are members of the
+ * "hostconsole" user group. This privilege is required to access the host
+ * console.
+ */
 static const std::array<std::string, maxPrivilegeCount> privilegeNames{
-    "Login", "ConfigureManager", "ConfigureComponents", "ConfigureSelf",
-    "ConfigureUsers"};
+    "Login",         "ConfigureManager", "ConfigureComponents",
+    "ConfigureSelf", "ConfigureUsers",   "OpenBMCHostConsole"};
 
 /**
  * @brief Redfish privileges
@@ -214,30 +220,46 @@
     std::bitset<maxPrivilegeCount> privilegeBitset = 0;
 };
 
-inline const Privileges& getUserPrivileges(const std::string& userRole)
+inline Privileges getUserPrivileges(const persistent_data::UserSession& session)
 {
-    // Redfish privilege : Administrator
-    if (userRole == "priv-admin")
+    // default to no access
+    Privileges privs;
+
+    // Check if user is member of hostconsole group
+    for (const auto& userGroup : session.userGroups)
     {
-        static Privileges admin{"Login", "ConfigureManager", "ConfigureSelf",
-                                "ConfigureUsers", "ConfigureComponents"};
-        return admin;
+        if (userGroup == "hostconsole")
+        {
+            // Redfish privilege : host console access
+            privs.setSinglePrivilege("OpenBMCHostConsole");
+            break;
+        }
     }
-    if (userRole == "priv-operator")
+
+    if (session.userRole == "priv-admin")
+    {
+        // Redfish privilege : Administrator
+        privs.setSinglePrivilege("Login");
+        privs.setSinglePrivilege("ConfigureManager");
+        privs.setSinglePrivilege("ConfigureSelf");
+        privs.setSinglePrivilege("ConfigureUsers");
+        privs.setSinglePrivilege("ConfigureComponents");
+    }
+    else if (session.userRole == "priv-operator")
     {
         // Redfish privilege : Operator
-        static Privileges op{"Login", "ConfigureSelf", "ConfigureComponents"};
-        return op;
+        privs.setSinglePrivilege("Login");
+        privs.setSinglePrivilege("ConfigureSelf");
+        privs.setSinglePrivilege("ConfigureComponents");
     }
-    if (userRole == "priv-user")
+    else if (session.userRole == "priv-user")
     {
         // Redfish privilege : Readonly
-        static Privileges readOnly{"Login", "ConfigureSelf"};
-        return readOnly;
+        privs.setSinglePrivilege("Login");
+        privs.setSinglePrivilege("ConfigureSelf");
     }
-    // Redfish privilege : NoAccess
-    static Privileges noaccess;
-    return noaccess;
+
+    return privs;
 }
 
 /**
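Review bot: `OpenBMCHostConsole` is set from group membership alone, before and independently of the role checks, so a session whose `userRole` is `priv-user`, or matches none of the three roles, still gets the console privilege if `userGroups` contains `hostconsole`. The comment added in the account-creation hunk of account_service.hpp says console access is meant for hostconsole members who also hold the administrator role, but that rule is applied only when the user is created, not here where the privilege is derived for every request. If admin-only is the intended policy, enforce it here as well, for example by wrapping the group loop in `if (session.userRole == "priv-admin")`. If group membership alone is meant to be enough, say so in the doc comment on `privilegeNames` so the two places do not contradict each other.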
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index b4c9205..c8fd196 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -135,9 +135,14 @@
         }
         else if (userGroup == "ssh")
         {
-            accountTypes.emplace_back("HostConsole");
             accountTypes.emplace_back("ManagerConsole");
         }
+        else if (userGroup == "hostconsole")
+        {
+            // The hostconsole group controls who can access the host console
+            // port via ssh and websocket.
+            accountTypes.emplace_back("HostConsole");
+        }
         else if (userGroup == "web")
         {
             // 'web' is one of the valid groups in the UserGroups property of
@@ -1293,6 +1298,13 @@
     {
         return;
     }
+
+    if (req.session == nullptr)
+    {
+        messages::internalError(asyncResp->res);
+        return;
+    }
+
     asyncResp->res.addHeader(
         boost::beast::http::field::link,
         "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
@@ -1327,7 +1339,7 @@
     // ConfigureManager can access then only display when the user has
     // permissions ConfigureManager
     Privileges effectiveUserPrivileges =
-        redfish::getUserPrivileges(req.userRole);
+        redfish::getUserPrivileges(*req.session);
 
     if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
                                          effectiveUserPrivileges))
@@ -1526,6 +1538,13 @@
     {
         return;
     }
+
+    if (req.session == nullptr)
+    {
+        messages::internalError(asyncResp->res);
+        return;
+    }
+
     asyncResp->res.addHeader(
         boost::beast::http::field::link,
         "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
@@ -1538,7 +1557,7 @@
     asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
 
     Privileges effectiveUserPrivileges =
-        redfish::getUserPrivileges(req.userRole);
+        redfish::getUserPrivileges(*req.session);
 
     std::string thisUser;
     if (req.session)
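Review bot: The `if (req.session)` test on the last line of this hunk now comes after `*req.session` has already been dereferenced in the `getUserPrivileges` call above it, so it can never be false when reached. If the null guard added in the preceding hunk belongs to this same handler (the line numbers suggest it does), the condition is dead code and misleads a reader into thinking a null session is still handled here. Consider dropping the test, or placing a short comment such as `// session is non-null here; checked at handler entry` above it. The body of the `if` lies outside the hunk.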
@@ -1646,14 +1665,26 @@
     const std::vector<std::string>& allGroupsList)
 
 {
+    std::vector<std::string> userGroups;
+    for (const auto& grp : allGroupsList)
+    {
+        // Console access is provided to the user who is a member of
+        // hostconsole group and has a administrator role. So, set
+        // hostconsole group only for the administrator.
+        if ((grp != "hostconsole") || (roleId == "priv-admin"))
+        {
+            userGroups.emplace_back(grp);
+        }
+    }
+
     crow::connections::systemBus->async_method_call(
         [asyncResp, username, password](const boost::system::error_code& ec2,
                                         sdbusplus::message_t& m) {
         processAfterCreateUser(asyncResp, username, password, ec2, m);
         },
         "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
-        "xyz.openbmc_project.User.Manager", "CreateUser", username,
-        allGroupsList, *roleId, *enabled);
+        "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
+        *roleId, *enabled);
 }
 
 inline void handleAccountCollectionPost(
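Review bot: The filter tests `roleId == "priv-admin"` while the call below passes `*roleId`, so the same variable is used both with and without a dereference. Its declaration is outside the hunk, but if it is an optional then an empty value makes the comparison false and silently drops the hostconsole group. `(*roleId == "priv-admin")` would match the call site and make the assumption that a role is present explicit. This filter runs only on the creation path, so a comment such as `// enforced at creation only; getUserPrivileges() does not re-check the role` would tell the next reader where the admin-only rule is and is not applied. The new comment should also read "an administrator role".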
@@ -1754,7 +1785,7 @@
         // have permissions to modify other users, so re-run the auth
         // check with the same permissions, minus ConfigureSelf.
         Privileges effectiveUserPrivileges =
-            redfish::getUserPrivileges(req.userRole);
+            redfish::getUserPrivileges(*req.session);
         Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
                                                          "ConfigureManager"};
         if (!effectiveUserPrivileges.isSupersetOf(
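Review bot: `*req.session` is dereferenced here with no null check visible in the hunk, and the same holds for the `@@ -1965` hunk that follows. The handlers changed earlier in this file, and those in certificate_service.hpp and network_protocol.hpp, each gained an explicit `if (req.session == nullptr)` guard. The previous `req.userRole` argument could not fault, so a request that reaches either path without a session would now crash the process instead of being denied. Both enclosing functions start outside their hunks, so a guard may already exist above. If it does not, add the same `if (req.session == nullptr) { messages::internalError(asyncResp->res); return; }` block before the call, or move the check into one shared helper so no call site can miss it.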
@@ -1965,7 +1996,7 @@
     }
 
     Privileges effectiveUserPrivileges =
-        redfish::getUserPrivileges(req.userRole);
+        redfish::getUserPrivileges(*req.session);
     Privileges configureUsers = {"ConfigureUsers"};
     bool userHasConfigureUsers =
         effectiveUserPrivileges.isSupersetOf(configureUsers);
diff --git a/redfish-core/lib/certificate_service.hpp b/redfish-core/lib/certificate_service.hpp
index 027e05d..d4df6c8 100644
--- a/redfish-core/lib/certificate_service.hpp
+++ b/redfish-core/lib/certificate_service.hpp
@@ -404,6 +404,12 @@
         return;
     }
 
+    if (req.session == nullptr)
+    {
+        messages::internalError(asyncResp->res);
+        return;
+    }
+
     asyncResp->res.jsonValue["@odata.type"] =
         "#CertificateService.v1_0_0.CertificateService";
     asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/CertificateService";
@@ -415,7 +421,7 @@
     // only ConfigureManager can access then only display when the user
     // has permissions ConfigureManager
     Privileges effectiveUserPrivileges =
-        redfish::getUserPrivileges(req.userRole);
+        redfish::getUserPrivileges(*req.session);
     if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
                                          effectiveUserPrivileges))
     {
diff --git a/redfish-core/lib/network_protocol.hpp b/redfish-core/lib/network_protocol.hpp
index e4a4b56..be84246 100644
--- a/redfish-core/lib/network_protocol.hpp
+++ b/redfish-core/lib/network_protocol.hpp
@@ -154,6 +154,12 @@
 inline void getNetworkData(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
                            const crow::Request& req)
 {
+    if (req.session == nullptr)
+    {
+        messages::internalError(asyncResp->res);
+        return;
+    }
+
     asyncResp->res.addHeader(
         boost::beast::http::field::link,
         "</redfish/v1/JsonSchemas/ManagerNetworkProtocol/NetworkProtocol.json>; rel=describedby");
@@ -216,7 +222,7 @@
     });
 
     Privileges effectiveUserPrivileges =
-        redfish::getUserPrivileges(req.userRole);
+        redfish::getUserPrivileges(*req.session);
 
     // /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates is
     // something only ConfigureManager can access then only display when
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
index c41b0df..0608333 100644
--- a/redfish-core/lib/redfish_sessions.hpp
+++ b/redfish-core/lib/redfish_sessions.hpp
@@ -112,7 +112,7 @@
         session->username != req.session->username)
     {
         Privileges effectiveUserPrivileges =
-            redfish::getUserPrivileges(req.userRole);
+            redfish::getUserPrivileges(*req.session);
 
         if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}))
         {
