Updated on 2024-09-30 GMT+08:00

Creating a Synchronization Rule

Synchronization rules automatically synchronize the accounts of managed hosts, making it easier to manage those accounts, delete zombie accounts, and promptly discover accounts that are not managed. This further strengthens management of resources.

With synchronization rules, you can:

  • Synchronize accounts from managed hosts manually, periodically, or at a scheduled time.
  • Pull accounts from managed hosts, check the validity of pulled accounts, and update the managed resource account status.
  • Update the password of a host account, create a host account, or delete invalid host accounts by pushing managed resource account information to the corresponding hosts.

Constraints

  • Account synchronization is supported only in professional editions.
  • Account synchronization rules apply only to hosts using the SSH protocol.
  • Only one managed resource account is allowed to log in to a managed host and pull its account information.

Prerequisites

You have the operation permissions for the Sync Rules module.

Creating a Synchronization Rule

  1. Log in to your bastion host.
  2. Choose Policy > Sync Rules > Sync Rules.
  3. Click New in the upper right corner of the Sync Rule area to open the New rule dialog box.

    Figure 1 New rule

  4. Configure the basic information.

    Table 1 Parameters for configuring an account synchronization rule

    Parameter

    Description

    Rule Name

    Name of an account synchronization rule. The rule name must be unique in a bastion host.

    Timing

    The options are Manual, Fixed-Time, and Cycle.

    You need to configure the execution time if Fixed-Time or Cycle is selected.

    • Manual: Manually trigger the rule to change the password of the managed resource accounts.
    • Fixed-Time: The rule is triggered by the bastion host to change the password of the managed resource account at a fixed time. This type of rule is executed only once.
    • Cycle: The rule is periodically triggered by the bastion host to change the password of the managed resource account. This type of rule is triggered periodically.

    Execute Time

    Date when a policy is periodically executed. The default execution time is at 00:00 every day.

    Cycle Frequency

    Account synchronization frequency.

    • The options are every minute, every hour, every day, every week, and every month.
    • You need to set the End Time for this type of synchronization rule. Otherwise, the rule will be executed indefinitely.

    Action

    Synchronization mode. By default, Pull Account is selected.

    • Pull Account: Scans all accounts of a host and collects statistics on all normal and abnormal accounts.
    • Push Account: Pushes accounts to a host to automatically update account passwords, create accounts, or delete invalid accounts of the host.
      NOTE:

      When the synchronization mode is set to Push Account, the following three options are available:

      • If the account and password are inconsistent, the password can be updated.
      • If the account does not exist, the account can be created.
      • If a non-managed account exists on the host, the account can be deleted.

    Connect Timeout

    Timeout interval for connecting to a managed host. If the connection times out, the account synchronization task is interrupted.

    • The default value is 10 seconds.

  5. Click Next and relate the synchronization rule to one or more accounts or account groups.

    • Only one account can be configured for each host to execute synchronization tasks.

  6. Click OK. You can then view the new synchronization rule in the rule list.

    To obtain the account synchronization details, download the synchronization logs after the synchronization.
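
The following added example (not code from the bastion host product) shows the comparison that the Pull Account and Push Account actions describe: host accounts are checked against the managed account list, and the three push options are turned into an action list. The function names, the category labels, the `protected` set, and the sample data are assumptions made for illustration.

```python
# Added illustration, not bastion host product code. All names here are hypothetical.

# Constructed sample: /etc/passwd content as read from a managed host over SSH.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
appadmin:x:1001:1001::/home/appadmin:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
olddev:x:1003:1003::/home/olddev:/bin/bash
broken-line-without-fields
"""
NON_LOGIN_SHELLS = ("/nologin", "/false")  # assumption: these shells mean "no login"


def parse_login_accounts(passwd_text):
    """Return the set of account names in passwd(5) text that have a login shell."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[0]:
            continue  # skip blank or malformed entries instead of failing the sync
        if fields[6].endswith(NON_LOGIN_SHELLS):
            continue
        names.add(fields[0])
    return names


def pull(host_accounts, managed):
    """Compare the accounts found on the host with the managed account list."""
    return {
        "valid": sorted(host_accounts & managed),      # managed and present on the host
        "missing": sorted(managed - host_accounts),    # managed but gone from the host
        "unmanaged": sorted(host_accounts - managed),  # on the host, not in the managed list
    }


def push_plan(report, bad_password, update=True, create=True, delete=False,
              protected=frozenset({"root"})):
    """Build the action list for the three push options; never delete protected names."""
    plan = []
    if update:
        plan += [("update_password", a) for a in report["valid"] if a in bad_password]
    if create:
        plan += [("create", a) for a in report["missing"]]
    if delete:
        plan += [("delete", a) for a in report["unmanaged"] if a not in protected]
    return plan
```

Deletion is off by default in this sketch because it is the only destructive option; reviewing the pull result for unmanaged accounts before enabling it avoids removing an account that was simply never onboarded.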

Follow-up Operations

You can manage all synchronization rules on the rule list page, including managing related resources, deleting, enabling, or disabling one or more synchronization rules, and immediately executing a synchronization rule.

  • To quickly relate a synchronization rule to more accounts or account groups, select the rule and click Relate in the Operation column.
  • To delete a synchronization rule, select the rule and click Delete in the Operation column.
  • To disable synchronization rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
  • To execute a synchronization rule immediately, click Execute in the Operation column.