Creating an ACL Rule and Associating It with Users and Resource Accounts
ACL Rules are used to control users' permissions for accessing resources.
With ACL rules, you can:
- Batch import and export rules.
- Sort command rules by priority. The rule in the upper position has the higher priority than the ones in a lower position.
- Control access to managed resources from a wide range of dimensions, including the validity period, login period, user IP address, file transfer permission, file management permission, RDP clipboard function, keyboard audit, and operator watermark display function. ACL Rules are used to control users' permissions for resources.
- Specify the validity period of the policy.
- Restrict the time period during which the access is allowed or forbidden.
- IP limit: The policy allows or forbids users with specified IP addresses to access resources. You can configure the IP address whitelist or blacklist.
- Whitelist: This policy allows only specified IP addresses to access resources.
- Blacklist: This policy does not allow specified IP addresses to access resources.
- Enable permissions for file transfer. This means you can enable or disable the function to upload files to managed resources or download files from managed resources.
- Enable permissions for file management. This means you can enable or disable the function to view, delete, and edit files on the managed resources.
- Grant permissions to use the RDP clipboard. This means you can enable or disable the RDP clipboard function.
- Keyboard audit: You can enable this function to let the bastion host record all keyboard input information.
- Enable or disable watermarks on the web operation background. The watermark content is the login name of the current system user.
Constraints
- To grant the file upload/download permission, enable File Transmission and File Manage.
- Keyboard audit supports only RDP and VNC protocols.
Prerequisites
You have the operation permissions for the ACL Rules module.
Access Control Policy Description
For some types of managed resources, some O&M operations may not be supported in some O&M channels.
For Linux application O&M, version 3.3.40.0 and later support file upload, file download, uplink clipboard, and downlink clipboard.
|
Feature |
Validity Period |
File Transmission |
Options |
Logon Time Limit |
IP Limit |
Two-person Authorization |
||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Effective/Expiration Time |
Upload/Download |
File management |
Uplink/Downlink clipboard |
Watermarking |
Permit |
Forbid |
Blacklist |
Whitelist |
||
|
SSH H5 O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
SSH client O&M |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
× |
|
RDP H5 O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
RDP client O&M |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
× |
|
Telnet H5 O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Telnet client O&M |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
× |
|
VNC |
√ |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
√ |
|
FTP |
√ |
√ |
√ |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
SFTP |
√ |
√ |
√ |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
SCP |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
PostgreSQL |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
GaussDB |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
DB2 |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
MySQL |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
SQL Server |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
Oracle |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
√ |
|
Rlogin H5 O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Rlogin client O&M |
√ |
× |
× |
× |
× |
√ |
√ |
√ |
√ |
× |
|
Windows application O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Linux application O&M |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
Creating an ACL Rule
- Log in to your bastion host.
- Choose Policy > ACL Rules to enter the ACL rule list page.
- On the displayed page, click New in the upper right corner of the page.
You can also select a rule and choose More > Insert to create an ACL rule. After the configuration is complete, a new rule is created.
- Configure the basic information.
Table 1 Basic information about an ACL rule Parameter
Description
Rule Name
Name of a user-defined ACL rule. The rule name must be unique in a bastion host.
Period of validity
Effective time and expiration time of an ACL rule
File Transmission
Permission to upload and download files during O&M. If Upload or Download is selected, File Manage must be selected in Options for the permission to take effect.
- If Upload and/or Download are selected, files can be uploaded and/or downloaded.
- If Upload and Download are deselected, files cannot be uploaded or downloaded.
Options
Options of the session window function during O&M. After selecting a function, you also need to select the same function for the associated resources to let the selected function work.
- File Manage: This function allows you to manage file or folder permissions, including the permissions to view, delete, and edit files and folders.
NOTE:
- The file management function is available for managed hosts logged using SSH or RDP.
- The file management function is unavailable for managed hosts using VNC. To manage files on such host resources, publish certain applications.
- The file management function is unavailable for managed hosts using Telnet.
- Uplink clipboard: This function allows you to copy text through the O&M session RDP clipboard.
- Downlink clipboard: This function allows you to paste text through the O&M session RDP clipboard.
- Watermark: This function displays the user login name watermark in the operation session window.
- Keyboard Audit: This function records the information entered through the keyboard.
Logon Time Limit
Time period during which managed resources can or cannot be accessed.
IP Limit
Source IP addresses by which users are allowed or forbidden to access resources.
- Select Blacklist and configure the IP addresses or IP address range to restrict users from these IP addresses from logging in to the resources.
- Select Whitelist and configure the IP addresses or IP address range to allow users from these IP addresses to log in to the resources.
- If no IP addresses are entered in the field, there is no login restriction on the managed host.
- Click Next and start to relate the command rule to one or more users or user groups.
- You can relate the ACL rule to multiple users or user groups at a time.
- After a user group is related to a command rule, users automatically obtain the permissions of the command rule the instant they are added to the user group.
- Click Next and start to relate the ACL rule to one or more accounts or account groups.
- You can relate an ACL rule to multiple managed resource accounts or account groups at a time.
- After an account group is related to an ACL rule, accounts automatically obtain the permissions of the ACL rule the instant they are added to the account group.
- Click OK. The system switches to the ACL Rules list, and you can then view the new ACL rule.
After you relate an ACL rule to users, the authorized users can view and access resources through the Host Operations and App Operations module.
Users in the Relate User and Relate User Group must have been assigned a role that has the permissions for the Host Operations or App Operations module. Otherwise, the users cannot view the resource operation modules or access managed resources for operations.
Batch Importing ACL Rules
You can take the following steps to batch import ACL rules:
- Click
in the upper right corner to download the batch import template and enter the access control policy information. - In the dialog box displayed, click Upload to upload the completed access control list.
To overwrite the existing rules, select Overwrite the existing opsStragegy.
Only XLS, XLSX, and CSV files can be uploaded.
- Click OK.
Batch Exporting ACL Rules
Click 
in the upper right corner of the list to export all data in the list.
Follow-up Operations
In your bastion host, you can manage all ACL rules on the rule list page. For example, you can manage related users and resources, delete, enable, and disable ACL rules, and sort ACL rules by priority.
- To quickly relate a command rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
- To delete a command rule, select the rule and click Delete in the Operation column.
- To disable command rules, select the target rules that have been enabled and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
- To change the priority of a command rule, select the rule and drag and drop it to an upper or lower position.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
