Updated on 2023-04-11 GMT+08:00

Creating an ACL Rule and Associating It with Users and Resource Accounts

ACL Rules are used to control users' permissions for accessing resources.

With ACL rules, you can:

  • Sort ACL rules by priority. A rule in an upper position has higher priority than the rules below it.
  • Control access to managed resources from a wide range of dimensions, including the validity period, login period, user IP address, file transfer permission, file management permission, RDP clipboard function, and operator watermark display function. Specifically, you can:
    • Specify the validity period of the policy.
    • Restrict the time period during which the access is allowed or forbidden.
    • Restrict access to managed resources to users coming from certain source IP addresses.
    • Enable permissions for file transfer. This means you can enable or disable the function to upload files to managed resources or download files from managed resources.
    • Enable permissions for file management. This means you can enable or disable the function to view, delete, and edit files on the managed resources.
    • Grant permissions to use the RDP clipboard. This means you can enable or disable the RDP clipboard function.
    • Enable or disable watermarks on the web operation background. The watermark content is the login name of the current system user.

Constraints

To grant the file upload/download permission, enable File Transmission and File Manage.

Prerequisites

You have the operation permissions for the ACL Rules module.

Procedure

  1. Log in to the CBH system.
  2. Choose Policy > ACL Rules to enter the ACL rule list page.

    Figure 1 ACL Rules

  3. On the displayed page, click New in the upper right corner of the page.

    You can also select a rule and choose More > Insert to create an ACL rule. After the configuration is complete, a new rule is created.

  4. Configure the basic information.

    Figure 2 Creating an ACL Rule
    Table 1 Basic information about an ACL rule

    Parameter

    Description

    Rule Name

    Name of a user-defined ACL rule. The rule name must be unique in the CBH system.

    Period of validity

    Effective time and expiration time of an ACL rule.

    File Transmission

    Permissions to upload and download files during O&M.

    • If Upload and/or Download are selected, files can be uploaded and/or downloaded.
    • If Upload and Download are deselected, files cannot be uploaded or downloaded.

    Options

    Permissions to manage files or file folders, use clipboards on hosts using the RDP protocol, and display watermarks during O&M.
    NOTE:
    • The file management function is available for managed hosts that are logged in to using SSH or RDP.
    • The file management function is unavailable for managed hosts using VNC. To manage files on such host resources, publish certain applications.
    • The file management function is unavailable for managed hosts using Telnet.

    Logon Time Limit

    Time period during which managed resources can or cannot be accessed.

    IP Limit

    Source IP addresses by which users are allowed or forbidden to access resources.

    • Select Blacklist and configure the IP addresses or IP address range to restrict users from these IP addresses from logging in to the resources.
    • Select Whitelist and configure the IP addresses or IP address range to allow users from these IP addresses to log in to the resources.
    • If no IP addresses are entered in the field, there is no login restriction on the managed host.

  5. Click Next and start to relate the ACL rule to one or more users or user groups.

    • You can relate the ACL rule to multiple users or user groups at a time.
    • After a user group is related to an ACL rule, users automatically obtain the permissions of the ACL rule the instant they are added to the user group.
    Figure 3 Relate User

  6. Click Next and start to relate the ACL rule to one or more accounts or account groups.

    • You can relate an ACL rule to multiple managed resource accounts or account groups at a time.
    • After an account group is related to an ACL rule, accounts automatically obtain the permissions of the ACL rule the instant they are added to the account group.
    Figure 4 Relate Accounts

  7. Click OK. The system switches to the ACL Rules list, and you can then view the new ACL rule.

    After you relate an ACL rule to users, the authorized users can view and access resources through the Host Operation and App Operation modules.

    Users listed under Relate User and Relate User Group must already have been assigned a role that has the permissions for the Host Operation or App Operation module. Otherwise, those users cannot view the resource operation modules or access managed resources for O&M.
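The following is an added illustrative model of how the dimensions configured above (validity period, Logon Time Limit, IP Limit whitelist/blacklist, priority order) combine when an access attempt is checked. It is example code written for this page, not CBH's own implementation; the rule fields, the first-match-by-priority semantics and the sample rules are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class AclRule:
    """Simplified model of one ACL rule (assumed field names, not CBH's)."""
    name: str
    valid_from: datetime                  # Period of validity: effective time
    valid_to: datetime                    # Period of validity: expiration time
    logon_start: time = time(0, 0)        # Logon Time Limit window start
    logon_end: time = time(23, 59, 59)    # Logon Time Limit window end
    logon_allow: bool = True              # True: window permits access; False: window forbids it
    ip_mode: str = "whitelist"            # IP Limit mode: "whitelist" or "blacklist"
    ip_list: list = field(default_factory=list)  # CIDR/IP strings; empty means no IP restriction
    upload: bool = False                  # File Transmission: Upload
    download: bool = False                # File Transmission: Download


def ip_permitted(rule, src_ip):
    """Empty list: no login restriction. Whitelist: must be listed. Blacklist: must not be."""
    if not rule.ip_list:
        return True
    listed = any(ip_address(src_ip) in ip_network(n, strict=False) for n in rule.ip_list)
    return listed if rule.ip_mode == "whitelist" else not listed


def time_permitted(rule, now):
    """Rule must be within its validity period and the logon window must allow access."""
    if not (rule.valid_from <= now <= rule.valid_to):
        return False
    in_window = rule.logon_start <= now.time() <= rule.logon_end
    return in_window if rule.logon_allow else not in_window


def evaluate(rules, src_ip, now):
    """Assumption: rules[0] is the top (highest-priority) rule and the first match decides."""
    for rule in rules:
        if time_permitted(rule, now) and ip_permitted(rule, src_ip):
            return rule
    return None


def sample_rules():
    """Constructed sample rules: an office-network rule above a download-only fallback."""
    year = (datetime(2023, 1, 1), datetime(2023, 12, 31, 23, 59, 59))
    office = AclRule("ops-office", *year, logon_start=time(9, 0), logon_end=time(18, 0),
                     ip_list=["10.0.0.0/24"], upload=True, download=True)
    fallback = AclRule("ops-anywhere", *year, download=True)
    return [office, fallback]
```

Because evaluation stops at the first match, dragging a rule to an upper position changes which rule's file transfer permissions apply to the same user and source address.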

Follow-up Operations

CBH gives you the ability to manage all ACL rules on the rule list page, including managing related users or resources, deleting, enabling, or disabling one or more ACL rules, and sorting ACL rules by priority.

  • To quickly relate an ACL rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete an ACL rule, select the rule and click Delete in the Operation column.
  • To disable ACL rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
  • To change the priority of an ACL rule, select the rule and drag and drop it to an upper or lower position.
  • To manage ACL rules offline, click Export to export the details about all ACL rules in CSV format.