Updated on 2025-09-04 GMT+08:00

Creating an ACL Rule and Associating It with Users and Resource Accounts

ACL Rules are used to control users' permissions for accessing resources.

With ACL rules, you can:

  • Batch import and export rules.
  • Sort ACL rules by priority. A rule in a higher position takes priority over the rules below it.
  • Control access to managed resources along several dimensions, including the validity period, login period, user IP address, file transfer permission, file management permission, RDP clipboard function, keyboard audit, and operator watermark display function:
    • Specify the validity period of the policy.
    • Restrict the time period during which the access is allowed or forbidden.
    • IP limit: The policy allows or forbids users with specified IP addresses to access resources. You can configure the IP address whitelist or blacklist.
      • Whitelist: This policy allows only specified IP addresses to access resources.
      • Blacklist: This policy does not allow specified IP addresses to access resources.
    • Enable permissions for file transfer. This means you can enable or disable the function to upload files to managed resources or download files from managed resources.
    • Enable permissions for file management. This means you can enable or disable the function to view, delete, and edit files on the managed resources.
    • Grant permissions to use the RDP clipboard. This means you can enable or disable the RDP clipboard function.
    • Keyboard audit: You can enable this function to let the bastion host record all keyboard input information.
    • Enable or disable watermarks on the web operation background. The watermark content is the login name of the current system user.

Constraints

  • To grant the file upload/download permission, enable File Transmission and File Manage.
  • Keyboard audit supports only RDP and VNC protocols.

Prerequisites

You have the operation permissions for the ACL Rules module.

Access Control Policy Description

Some O&M operations are not supported for certain types of managed resources or in certain O&M channels. The following table lists the access control options per O&M channel.

For Linux application O&M, version 3.3.40.0 and later support file upload, file download, uplink clipboard, and downlink clipboard.

Access control policy support by O&M channel (table; the per-cell supported/unsupported marks were not preserved on this page)

Features (columns): Validity Period (Effective/Expiration Time); File Transmission (Upload/Download); Options (File management, Uplink/Downlink clipboard, Watermarking); Logon Time Limit (Permit/Forbid); IP Limit (Blacklist/Whitelist); Two-person Authorization.

O&M channels (rows): SSH H5 O&M, SSH client O&M, RDP H5 O&M, RDP client O&M, Telnet H5 O&M, Telnet client O&M, VNC, FTP, SFTP, SCP, PostgreSQL, GaussDB, DB2, MySQL, SQL Server, Oracle, Rlogin H5 O&M, Rlogin client O&M, Windows application O&M, Linux application O&M.

Creating an ACL Rule

  1. Log in to your bastion host.
  2. Choose Policy > ACL Rules to enter the ACL rule list page.
  3. On the displayed page, click New in the upper right corner of the page.

    You can also select a rule and choose More > Insert to create an ACL rule. After the configuration is complete, a new rule is created.

  4. Configure the basic information.

    Table 1 Basic information about an ACL rule (Parameter: Description)

    Rule Name: Name of a user-defined ACL rule. The rule name must be unique in a bastion host.

    Period of validity: Effective time and expiration time of an ACL rule.

    File Transmission: Permission to upload and download files during O&M. If Upload or Download is selected, File Manage must also be selected in Options for the permission to take effect.

    • If Upload and/or Download are selected, files can be uploaded and/or downloaded.
    • If neither Upload nor Download is selected, files cannot be uploaded or downloaded.

    Options: Session window functions available during O&M. After selecting a function here, you also need to enable the same function on the associated resources for it to take effect.

    • File Manage: Allows the user to manage files and folders, including viewing, deleting, and editing them.
      NOTE:
      • File management is available for managed hosts logged in to using SSH or RDP.
      • File management is unavailable for managed hosts accessed using VNC. To manage files on such hosts, publish the required applications instead.
      • File management is unavailable for managed hosts accessed using Telnet.
    • Uplink clipboard: Allows copying text through the RDP clipboard of the O&M session.
    • Downlink clipboard: Allows pasting text through the RDP clipboard of the O&M session.
    • Watermark: Displays the user's login name as a watermark in the operation session window.
    • Keyboard Audit: Records the information entered through the keyboard.

    Logon Time Limit: Time period during which managed resources can or cannot be accessed.

    IP Limit: Source IP addresses from which users are allowed or forbidden to access resources.

    • Select Blacklist and configure IP addresses or an IP address range to prevent users from those addresses from logging in to the resources.
    • Select Whitelist and configure IP addresses or an IP address range to allow only users from those addresses to log in to the resources.
    • If no IP addresses are entered, there is no source IP restriction on the managed host.

  5. Click Next and start to relate the ACL rule to one or more users or user groups.

    • You can relate the ACL rule to multiple users or user groups at a time.
    • After a user group is related to an ACL rule, users automatically obtain the permissions of the ACL rule the instant they are added to the user group.

  6. Click Next and start to relate the ACL rule to one or more accounts or account groups.

    • You can relate an ACL rule to multiple managed resource accounts or account groups at a time.
    • After an account group is related to an ACL rule, accounts automatically obtain the permissions of the ACL rule the instant they are added to the account group.

  7. Click OK. The system switches to the ACL Rules list, and you can then view the new ACL rule.

    After you relate an ACL rule to users, the authorized users can view and access the resources through the Host Operations and App Operations modules.

    Users related in the Relate User and Relate User Group steps must have been assigned a role that has permissions for the Host Operations or App Operations module. Otherwise, those users cannot view the resource operation modules or access managed resources for O&M.
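To make the access-control dimensions of an ACL rule concrete, the following evaluator applies the period of validity, the Logon Time Limit window and the IP whitelist/blacklist check across a list of rules ordered by priority. This is an added illustration, not CBH's own code or data model; the AclRule class, the first-match evaluation order and the sample rules are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical model of one ACL rule's access-control dimensions. It illustrates the
# semantics this page describes and is not CBH's own data model or code.
@dataclass
class AclRule:
    name: str
    valid_from: str                  # Period of validity, ISO 8601 timestamps
    valid_until: str
    logon_hours: tuple = (0, 24)     # Logon Time Limit window, [start_hour, end_hour)
    logon_mode: str = "permit"       # the window is a "permit" or a "forbid" period
    ip_list: list = field(default_factory=list)  # CIDR strings; empty = no restriction
    ip_mode: str = "whitelist"       # "whitelist" or "blacklist"

def rule_applies(rule, when, src_ip):
    """True if the rule is in effect and none of its restrictions reject this login."""
    if not (datetime.fromisoformat(rule.valid_from) <= when
            <= datetime.fromisoformat(rule.valid_until)):
        return False                 # outside the rule's period of validity
    in_window = rule.logon_hours[0] <= when.hour < rule.logon_hours[1]
    if (rule.logon_mode == "permit") != in_window:
        return False                 # permit window missed, or forbid window hit
    if rule.ip_list:                 # an empty IP field means no login restriction
        listed = any(ip_address(src_ip) in ip_network(n) for n in rule.ip_list)
        if (rule.ip_mode == "whitelist") != listed:
            return False             # not on the whitelist, or on the blacklist
    return True

def decide(rules, iso_when, src_ip):
    """Assumed evaluation order: rules are listed top to bottom by priority and the
    first rule whose restrictions pass governs the session; None means no access."""
    when = datetime.fromisoformat(iso_when)
    for rule in rules:
        if rule_applies(rule, when, src_ip):
            return rule.name
    return None

def sample_rules():
    """Constructed sample rules, highest priority first."""
    return [
        AclRule("office-hours", "2025-01-01T00:00", "2025-12-31T23:59",
                (9, 18), "permit", ["10.0.0.0/8"], "whitelist"),
        AclRule("deny-guest-net", "2025-01-01T00:00", "2026-12-31T23:59",
                (0, 24), "permit", ["192.168.50.0/24"], "blacklist"),
    ]
```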

Batch Importing ACL Rules

You can take the following steps to batch import ACL rules:

  1. Click in the upper right corner to download the batch import template and enter the access control policy information.
  2. In the dialog box displayed, click Upload to upload the completed access control list.

    To overwrite the existing rules, select Overwrite the existing opsStragegy.

    Only XLS, XLSX, and CSV files can be uploaded.

  3. Click OK.

Batch Exporting ACL Rules

Click in the upper right corner of the list to export all data in the list.

Follow-up Operations

In your bastion host, you can manage all ACL rules on the rule list page. For example, you can manage related users and resources, delete, enable, and disable ACL rules, and sort ACL rules by priority.

  • To quickly relate an ACL rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete an ACL rule, select the rule and click Delete in the Operation column.
  • To disable ACL rules, select the target rules that are currently enabled and click Disable at the bottom of the list. Once their status changes to Disabled, the rules no longer take effect.
  • To change the priority of an ACL rule, select the rule and drag and drop it to a higher or lower position.