Creating an ACL Rule

ACL Rules are used to control users' permissions for accessing resources.

With ACL rules, you can:

  • Sort ACL rules by priority. A rule in an upper position has a higher priority than the rules below it.
  • Control access to managed resources along a wide range of dimensions, including the validity period, login period, user IP address, file transfer permission, file management permission, RDP clipboard function, and operator watermark display. Relate ACL rules to user groups or account groups to grant access permissions in batches. With an ACL rule, you can:
    • Specify the validity period of the policy.
    • Restrict the time period during which the access is allowed or forbidden.
    • Allow or forbid users from specified source IP addresses to access managed resources.
    • Enable permissions for file transfer. This means you can enable or disable the function to upload files to managed resources or download files from managed resources.
    • Enable permissions for file management. This means you can enable or disable the function to view, delete, and edit files on the managed resources.
    • Grant permissions to use the RDP clipboard. This means you can enable or disable the RDP clipboard function.
    • Show watermarks on the web operation background. The watermark content is the login name of the current system user.

Constraints

To grant the file upload/download permission, enable File Transmission and File Manage.

Prerequisites

You have obtained the permissions to manage the ACL Rules module.

Procedure

  1. Log in to the CBH system.
  2. Choose Policy > ACL Rules to enter the ACL rule list page.

    Figure 1 ACL Rules

  3. On the displayed page, click New in the upper right corner of the page.

    You can also select an existing rule and choose More > Insert to create an ACL rule next to it. After the configuration is complete, the new rule is created.

  4. Configure the basic information.

    Figure 2 New ACL Rule
    Table 1 Basic information about an ACL rule

    Parameter

    Description

    Rule Name

    Name of a user-defined ACL rule. The rule name must be unique in the CBH system.

    Period of validity

    Effective time and expiration time of an ACL rule

    File Transmission

    Permissions to upload and download files during O&M.

    • If Upload and/or Download are selected, files can be uploaded and/or downloaded.
    • If Upload and Download are deselected, files cannot be uploaded or downloaded.

    Options

    Permissions to manage files and folders, use the clipboard on hosts accessed over RDP, and display watermarks during O&M.
    NOTE:
    • The file management function is available for managed hosts logged in to using SSH or RDP.
    • The file management function is unavailable for managed hosts accessed using VNC. To manage files on such hosts, publish the required applications instead.
    • The file management function is unavailable for managed hosts accessed using Telnet.

    Logon Time Limit

    Time period during which managed resources can or cannot be accessed.

    IP Limit

    Source IP addresses from which users are allowed or forbidden to access resources.

    • Select Blacklist and configure the IP addresses or IP address range to prevent users at these IP addresses from logging in to the resources.
    • Select Whitelist and configure the IP addresses or IP address range to allow only users at these IP addresses to log in to the resources.
    • If no IP addresses are entered in the field, there is no login restriction on the managed host.

  5. Click Next and start to relate the ACL rule to one or more users or user groups.

    • You can relate the ACL rule to multiple users or user groups at a time.
    • After a user group is related to an ACL rule, users automatically obtain the permissions of the ACL rule the instant they are added to the user group.
    Figure 3 Relating an ACL rule to a user

  6. Click Next and start to relate the ACL rule to one or more accounts or account groups.

    • You can relate an ACL rule to multiple managed resource accounts or account groups at a time.
    • After an account group is related to an ACL rule, accounts automatically obtain the permissions of the ACL rule the instant they are added to the account group.
    Figure 4 Relating an ACL rule to an account

  7. Click OK. The system switches to the ACL Rules list, and you can then view the new ACL rule.

    After you relate an ACL rule to users, the authorized users can view and access resources through the Host Ops and App Ops modules.

    Users selected under Relate User and Relate User Group must have been assigned a role that has permissions for the Host Ops or App Ops module. Otherwise, they cannot see the resource operation modules or access managed resources for O&M.

Follow-up Operations

CBH gives you the ability to manage all ACL rules on the rule list page, including managing related users or resources, deleting, enabling, or disabling one or more ACL rules, and sorting ACL rules by priority.

  • To quickly relate an ACL rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete an ACL rule, select the rule and click Delete in the Operation column.
  • To disable ACL rules, select the ones you want to disable and click Disable at the bottom of the list. Once their status changes to Disabled, the rules no longer take effect.
  • To change the priority of an ACL rule, select the rule and drag it to a higher or lower position in the list.
  • To manage ACL rules offline, click Export to export the details about all ACL rules in CSV format.
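The following is an added Python model of how the rule dimensions in Table 1 (period of validity, logon time limit, IP blacklist/whitelist, file transmission), the priority ordering and the Disabled status described on this page fit together when a login attempt is evaluated. It is illustrative code, not CBH code; the sample rules are constructed, and the assumption that the first applicable rule in priority order decides the permissions is the author's, since the page only states that a rule in an upper position has higher priority.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class AclRule:
    name: str
    valid_from: datetime                 # Period of validity
    valid_until: datetime
    logon_window: tuple = None           # Logon Time Limit as (start, end); None = no limit
    ip_mode: str = "whitelist"           # IP Limit: "whitelist" or "blacklist"
    ip_list: list = field(default_factory=list)  # CIDRs; empty list = no restriction
    upload: bool = False                 # File Transmission permissions
    download: bool = False
    enabled: bool = True                 # False once the rule has been Disabled

def ip_allowed(rule, src_ip):
    if not rule.ip_list:                 # no IP entered: no login restriction
        return True
    hit = any(ip_address(src_ip) in ip_network(n) for n in rule.ip_list)
    return hit if rule.ip_mode == "whitelist" else not hit

def in_logon_window(rule, now):
    if rule.logon_window is None:
        return True
    start, end = rule.logon_window
    t = now.time()
    # a window may wrap past midnight, e.g. 18:00 to 08:00
    return start <= t <= end if start <= end else (t >= start or t <= end)

def evaluate(rules, src_ip, now):
    """Return the first applicable rule in priority order, or None (no access)."""
    for rule in rules:                   # list order is priority order: top entry wins (assumption)
        if not rule.enabled or not (rule.valid_from <= now <= rule.valid_until):
            continue
        if in_logon_window(rule, now) and ip_allowed(rule, src_ip):
            return rule
    return None
# Constructed sample rules, ordered by priority (assumed values, not from CBH)
YEAR = (datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59, 59))
RULES = [
    AclRule("office-hours-ops", *YEAR, logon_window=(time(8, 0), time(18, 0)),
            ip_list=["10.0.0.0/8"], upload=True, download=True),
    AclRule("night-readonly", *YEAR, logon_window=(time(18, 0, 1), time(7, 59, 59)),
            ip_list=["10.0.0.0/8"], download=True),
    AclRule("other-nets-no-transfer", *YEAR, ip_mode="blacklist", ip_list=["192.168.100.0/24"]),
]
def check(src_ip, when_iso):
    """Evaluate RULES for a login attempt; returns (name, upload, download) or None."""
    r = evaluate(RULES, src_ip, datetime.fromisoformat(when_iso))
    return (r.name, r.upload, r.download) if r else None
```

Dragging a rule to a different position in the list corresponds to reordering RULES, and clicking Disable corresponds to clearing its enabled flag; both change the outcome of check() without editing the rule itself.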