Updated on 2024-12-03 GMT+08:00

Edition Differences

Currently, CBH provides standard and professional editions. The standard edition provides the following asset specifications: 10, 20, 50, 100, 200, 500, 1,000, 2,000, 5,000, and 10,000. The professional edition provides the following asset specifications: 10, 20, 50, 100, 200, 500, 1,000, 2,000, 5,000, and 10,000.

For more details, see What Are Editions Available in CBH?

Differences in Specifications

CBH provides the following asset specifications: 10, 20, 50, 100, 200, 500, 1,000, 2,000, 5,000, and 10,000. For details about each specification, see Table 1 Configuration of different specifications.

Table 1 Configuration of different specifications

Asset Quantity | Max. Concurrent Connections | CPUs     | Memory | System Disk | Data Disk
10             | 10                          | 4 cores  | 8 GB   | 100 GB      | 200 GB
20             | 20                          | 4 cores  | 8 GB   | 100 GB      | 200 GB
50             | 50                          | 4 cores  | 8 GB   | 100 GB      | 500 GB
100            | 100                         | 4 cores  | 8 GB   | 100 GB      | 1,000 GB
200            | 200                         | 4 cores  | 8 GB   | 100 GB      | 1,000 GB
500            | 500                         | 8 cores  | 16 GB  | 100 GB      | 2,000 GB
1,000          | 1,000                       | 8 cores  | 16 GB  | 100 GB      | 2,000 GB
2,000          | 1,500                       | 8 cores  | 16 GB  | 100 GB      | 2,000 GB
5,000          | 2,000                       | 16 cores | 32 GB  | 100 GB      | 3,000 GB
10,000         | 2,000                       | 16 cores | 32 GB  | 100 GB      | 4,000 GB

The number of concurrent connections in Table 1 counts only connections established by O&M clients that use character-based protocols (such as SSH or a MySQL client). Connections established by O&M clients that use graphic-based protocols (such as H5 web and RDP clients) are not included in this number; the maximum number of concurrent graphic-based connections is only one-third of it.
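The following sizing helper is an added example, not part of this page or of CBH itself. It copies the asset and concurrent-connection columns from Table 1 and applies the one-third rule for graphic-based sessions to pick the smallest specification that covers an expected peak. The page states only the separate one-third cap, not how a mixed load of character-based and graphic-based sessions is counted, so the helper assumes that one graphic session consumes three character-session slots; that assumption is marked in the code and should be confirmed with the vendor before relying on it.

```python
# Sizing helper for CBH concurrent-connection limits (added example, not Huawei code).
# SPECS copies (asset quantity, max concurrent character-based connections) from Table 1.
SPECS = [
    (10, 10), (20, 20), (50, 50), (100, 100), (200, 200),
    (500, 500), (1000, 1000), (2000, 1500), (5000, 2000), (10000, 2000),
]


def max_graphic_sessions(max_connections):
    """Graphic-based (H5 web / RDP) sessions are capped at one-third of the
    character-based limit; the fraction is rounded down to whole sessions."""
    return max_connections // 3


def fits(spec, assets, char_sessions, graphic_sessions):
    """Return True if `spec` covers the asset count and the expected peak mix.

    ASSUMPTION (not stated on the page): when both session kinds run at once,
    each graphic session is charged as three character-session slots, which is
    what the one-third cap implies if the two kinds share one pool.
    """
    asset_cap, conn_cap = spec
    if assets > asset_cap:
        return False
    if graphic_sessions > max_graphic_sessions(conn_cap):
        return False
    return char_sessions + 3 * graphic_sessions <= conn_cap


def smallest_spec(assets, char_sessions, graphic_sessions):
    """Smallest Table 1 specification that satisfies the inputs, or None if
    even the 10,000-asset specification is too small."""
    for spec in SPECS:
        if fits(spec, assets, char_sessions, graphic_sessions):
            return spec
    return None


if __name__ == "__main__":
    # Constructed planning inputs: 50 hosts, 40 SSH sessions, no RDP -> 50-asset spec.
    print(smallest_spec(50, 40, 0))
    # 50 hosts but 20 RDP sessions: 50 // 3 = 16 is too few, so the 100-asset spec is needed.
    print(smallest_spec(50, 0, 20))
```

The second case shows the trap the note above warns about: an asset count that fits a small specification can still force a larger one once graphic-based sessions are counted at one-third of the listed limit.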

Function Details and Edition Differences

Both editions provide identity authentication, permission control, account management, and operation audit. In addition to those functions, the professional edition also provides automatic O&M and database O&M audit.

For details about functions supported by different editions, see Table 2.

Table 2 Function details and edition differences

Columns: Function Module, Function, Description, Standard Edition, Professional Edition. × indicates that the function is not available in the Standard Edition.

Profile

  Basic Info: You can view details about the current login user and change the name, phone number, email address, and password.

  Mobile OTP: You can get guidance for binding a mobile phone token and generating a dynamic password.

  SSH Pubkey: You can view information about all public keys, and add and manage SSH public keys.

  My Permission: You can view the permissions the logged-in user has.

  My Log: You can check logs of instance logins, operations, and resource logins by the logged-in user.

Basic system information

  Dashboard: The dashboard displays the running status of the bastion host, including sessions, tickets, login status, operation status, host types, application types, and system status.

  Download Center: Some remote login tools and local player tools can be downloaded.

  Messages: After alarm rules are configured, an alarm message is generated when an alarm rule is triggered.

  System: This area displays system details, such as the system ID, credential, version in use, and release date. You can also update credentials and HA keys and obtain service codes in this module.

Authentication management

  MFA: You can log in to the bastion host using an account (username and password), mobile phone token, SMS message, USB key, or OTP token.

  • Account (username and password): The username and password are generated when you apply for the bastion host. This method is valid only for the first login.
  • Mobile phone token: You need to configure the mobile number on the bastion host first. Then, after the mobile device or applet is registered, the dynamic password it generates is required for logins.
  • SMS: You need to configure a mobile number for the account on the bastion host. Then, a random verification code is required for logins.
  • USB key: You need to get a USB key and associate it with the account first. Then, the USB key and the passwords it generates are required for logins.
  • OTP token: You need to get an OTP token device and associate it with the account first. Then, the OTP token and the passwords it generates are required for logins.

  Remote authentication: You can configure remote authentication so that CBH centrally manages all accounts. CBH also allows you to authenticate user identities through AD, RADIUS, LDAP, Azure AD, and SAML remote authentication.

  Supported

System accounts

  User management: You can create, import, export, and delete accounts, configure user groups, and manage account login restrictions.

  User group management: Users can be managed by group. You can assign permissions to all users in a group at a time. You can create, delete, and edit a user group.

  Role management: You can associate users with roles and assign operation and access permissions to the roles, including department administrators, policy administrators, audit administrators, and operation engineers. Only the admin account can add roles and modify the permissions of the roles.

  Resource account management: A resource account is used to log in to a resource managed by a bastion host instance. Multiple resource accounts can be created for a resource. The username and password of a resource account in CBH must be the same as those of the original account on the resource. Otherwise, logins to the resource may fail, and no operations can be performed on the resource through the bastion host.

  Resource account group management: You can manage resource accounts by group. You can authorize and verify resource accounts in batches by authorizing account groups. You can create, delete, and maintain account groups and manage account group information.

Resource

  Host resource management: You can add host resources to a bastion host by creating, automatically discovering, importing, or cloning host resources. You can view details about all host resources and manage them through the bastion host centrally.

  Application resource management: You can import and create application resources through an application server. Then, you can view details about all application resources and manage them through the bastion host centrally. Note that you need to create the application server first.

  Cloud resource management: You can import and create container resources through a Kubernetes server. Then, you can view details about all container resources and manage them through the bastion host centrally. Note that you need to create the Kubernetes server first.
  Standard Edition: ×

  Resource OS type management: You can add tags to OS types and then group and manage resources by those tags. With OS type tags, you can change server passwords, store password change parameters, and run password change policies for resources of a certain OS type at the same time.

System policies

  ACL rules: This type of rule controls who can access which resources. ACL rules are associated with users or user groups. An ACL rule can restrict file transfer, file management, and login time. ACL rules can also be associated with resource accounts.

  Command rules:
  • This type of rule controls who can execute which commands on which resources. Command rules are associated with users or user groups. If a user attempts to execute a command that is restricted by a rule, the rule is triggered and the preconfigured actions are taken immediately. Command rules can also be associated with resource accounts.
  • You can create custom command sets.

  Database control rules:
  • This type of rule controls who can run which database commands, defined as database rules or rule sets, on which resources. Database control rules are associated with users or user groups. If a user attempts to run a database command that is restricted by a database control rule, the rule is triggered and the preconfigured actions are taken immediately. Database control rules can also be associated with resource accounts.
  • You can create custom rule sets.
  Standard Edition: ×

  Password rules: This type of rule is associated with resource accounts of hosts, so that a user can change the passwords of all resource accounts associated with a policy at the same time.

  Account synchronization rules: This type of rule helps synchronize host resource account details. Synchronization rules are associated with resource accounts. You can execute a synchronization rule to synchronize the details of all resource accounts the rule is associated with at the same time.
  Standard Edition: ×

Resource operation

  Host resource operation: You can log in to host resources through browsers and clients and perform operations such as operation session sharing, file transfer, file management, and preset commands.

  Application resource operation: You can log in to application resources using a browser and perform operations such as operation session sharing, file transfer, and file management.

  Cloud service resource operation: You can log in to container resources using a browser and perform operations, including operation session sharing.
  Standard Edition: ×

  Operation script management: You can import and edit scripts to be executed on the bastion host to complete complex or repetitive tasks, improving efficiency.
  Standard Edition: ×

  Fast operation: You can directly run preset commands and scripts and transfer files on the bastion host for quick resource operation. Logs of all operations are provided.
  Standard Edition: ×

  Operation task management: You can customize manual or scheduled operation tasks for commands, scripts, and file transfer. All task operation logs are provided.
  Standard Edition: ×

System audit

  Live session audit: All ongoing sessions are logged. You can view the resource, type, account, and source IP address of any session.

  Historical session audit: All closed historical sessions are logged. You can view the resource, type, account, and source IP address of any session.

  System log audit: All logins to and operations on the bastion host are logged in detail. You can check who logged in to the system from which IP address at which time, as well as which functions and operations were performed after each login.

  Operation report audit: An operation report collects statistics on operation time, number of resource accesses, session duration, source IP address access status, session collaboration, two-person authorization, command interception, number of character commands, and number of transferred files, broken down by time, user, and resource.

  System report audit: A system report collects statistics on system operation control, resource operation, source IP addresses, login mode, abnormal logins, sessions, and status.

Ticket

  ACL tickets: If you do not have the permission to access a resource, you can submit a ticket to apply for the permissions. Such permissions include file transfer, file management, and keyboard audit. This type of permission is valid for a specific resource account within a fixed time range.

  Command control ticket management: If you do not have the permission to run commands on a certain resource, you can submit a ticket to apply for the permission for that resource. This type of permission is valid for a specific resource account within a fixed time range.

  Database ticket management: If you do not have the permission to perform operations on a database resource, you can submit a ticket to apply for the permission. This type of permission is valid for a specific resource account within a fixed time range.
  Standard Edition: ×

  Ticket approval management: This page displays details about all tickets. You can review tickets on this page.

  Ticket configuration: You can customize the scope, submission method, effective time, and approval process of a ticket.

System configuration

  Security: You can configure the maximum number of incorrect password attempts, zombie users, password change period, login timeout, certificate, proxy security layer, mobile phone token, USB key, SM series cryptographic algorithms, inspection, expiration notification, and session restriction.

  Network: You can view the network interface list, DNS, and default gateway details of the bastion host, and configure static routes.

  HA: If the bastion host is deployed in primary/standby mode, you can enable or disable HA.

  Port: You can check the operation, web console, and SSH console ports in use. You can change these ports if needed, but doing so is not recommended.

  Outgoing: You can configure the way alarms are sent. Currently, email, SMS, and LTS are supported. After the LTS agent is installed, LTS can send bastion host logs to the server.

  Alarm: You can configure the alarm mode and level for different message types, including login status, user operations, resource operation events, and operation activities.

  Theme: The default logo of the bastion host can be customized.

Bastion host system maintenance

  Data storage maintenance: You can view the usage of the system and data disks, modify the web disk space, customize the log storage period, and delete logs automatically or manually.

  Log backup: You can back up logs to the local host, a syslog server, an FTP/SFTP server, or an OBS server.

  System maintenance: You can view the status of the system, customize the system address and time, back up and restore the operating system, view the authorization information, and diagnose the network and system.