Updated on 2024-12-03 GMT+08:00

Creating an ACL Rule and Associating It with Users and Resource Accounts

ACL Rules are used to control users' permissions for accessing resources.

With ACL rules, you can:

  • Import rules in batches.
  • Sort ACL rules by priority. A rule in an upper position has higher priority than the rules below it.
  • Control access to managed resources along several dimensions: validity period, login period, user IP address, file transfer permission, file management permission, RDP clipboard function, keyboard audit, and operator watermark display.
    • Specify the validity period of the policy.
    • Restrict the time period during which the access is allowed or forbidden.
    • IP limit: The policy allows or forbids users with specified IP addresses to access resources. You can configure the IP address whitelist or blacklist.
      • Whitelist: This policy allows only specified IP addresses to access resources.
      • Blacklist: This policy does not allow specified IP addresses to access resources.
    • Enable permissions for file transfer. This means you can enable or disable the function to upload files to managed resources or download files from managed resources.
    • Enable permissions for file management. This means you can enable or disable the function to view, delete, and edit files on the managed resources.
    • Grant permissions to use the RDP clipboard. This means you can enable or disable the RDP clipboard function.
    • Keyboard audit: You can enable this function to let the bastion host record all keyboard input information.
    • Enable or disable watermarks on the web operation background. The watermark content is the login name of the current system user.

Constraints

  • To grant the file upload/download permission, enable File Transmission and File Manage.
  • Keyboard audit supports only RDP and VNC protocols.

Prerequisites

You have the operation permissions for the ACL Rules module.

Procedure

  1. Log in to your bastion host.
  2. Choose Policy > ACL Rules to enter the ACL rule list page.
  3. On the displayed page, click New in the upper right corner of the page.

    You can also select an existing rule and choose More > Insert to create an ACL rule from there. The new rule is created once you complete the configuration.

  4. Configure the basic information.

    Table 1 Basic information about an ACL rule

    Rule Name: Name of the user-defined ACL rule. The rule name must be unique within a bastion host.

    Period of validity: Effective time and expiration time of the ACL rule.

    File Transmission: Permission to upload and download files during O&M. If Upload or Download is selected, File Manage must also be selected under Options for the permission to take effect.
    • If Upload and/or Download are selected, files can be uploaded and/or downloaded.
    • If neither Upload nor Download is selected, files cannot be uploaded or downloaded.

    Options: Permissions to manage files or folders, use the clipboard on hosts accessed over RDP, audit keyboard input, and display operator watermarks during O&M.
    NOTE:
    • File management is available for managed hosts accessed over SSH or RDP.
    • File management is unavailable for managed hosts accessed over VNC. To manage files on such hosts, publish the required applications instead.
    • File management is unavailable for managed hosts accessed over Telnet.

    Logon Time Limit: Time period during which the managed resources can or cannot be accessed.

    IP Limit: Source IP addresses from which users are allowed or forbidden to access resources.
    • Select Blacklist and enter IP addresses or an IP address range to forbid logins to the resources from those addresses.
    • Select Whitelist and enter IP addresses or an IP address range to allow logins to the resources only from those addresses.
    • If no IP addresses are entered, there is no source-IP login restriction on the managed host.

  5. Click Next and relate the ACL rule to one or more users or user groups.

    • You can relate the ACL rule to multiple users or user groups at a time.
    • After a user group is related to an ACL rule, users automatically obtain the permissions of the ACL rule the instant they are added to the user group.

  6. Click Next and start to relate the ACL rule to one or more accounts or account groups.

    • You can relate an ACL rule to multiple managed resource accounts or account groups at a time.
    • After an account group is related to an ACL rule, accounts automatically obtain the permissions of the ACL rule the instant they are added to the account group.

  7. Click OK. The system switches to the ACL Rules list, and you can then view the new ACL rule.

    After you relate an ACL rule to users, the authorized users can view and access the resources through the Host Operations and App Operations modules.

    Users selected under Relate User and Relate User Group must have been assigned a role that has permissions for the Host Operations or App Operations module. Otherwise, the users cannot see the resource operation modules or access the managed resources.
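As a worked illustration of how the fields in Table 1 combine at access time, here is an added example (not Cloud Bastion Host code): a small Python evaluator that loads a constructed set of ACL rules, checks the constraints stated above (rule names unique per bastion host, Upload/Download only effective together with File Manage, an empty IP list meaning no restriction, disabled rules ignored) and decides whether a user may open a given resource account from a given source IP at a given time. The rule fields, function names and sample rules are the example's own. The first-match-in-priority-order semantics is an assumption: the page only says that a rule in an upper position has higher priority.

```python
"""Toy evaluator for bastion-host ACL rules (added example, not CBH code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
import ipaddress


@dataclass
class AclRule:
    """One ACL rule. Field names mirror Table 1 but are this example's own."""
    name: str                              # Rule Name, unique per bastion host
    users: frozenset                       # related users (user groups already flattened)
    accounts: frozenset                    # related resource accounts
    valid_from: datetime                   # Period of validity: start
    valid_to: datetime                     # Period of validity: end
    logon_window: Optional[tuple] = None   # Logon Time Limit as (start, end); None = no limit
    ip_mode: str = "whitelist"             # IP Limit mode: "whitelist" or "blacklist"
    ip_list: tuple = ()                    # CIDR strings; empty = no source-IP restriction
    upload: bool = False                   # File Transmission: Upload
    download: bool = False                 # File Transmission: Download
    file_manage: bool = False              # Options > File Manage
    enabled: bool = True                   # a Disabled rule is invalid and ignored


def validate_rules(rules):
    """Return a list of problems; an empty list means the rule set is consistent.
    Rule names must be unique per bastion host; IP entries must parse as CIDRs."""
    problems, seen = [], set()
    for r in rules:
        if r.name in seen:
            problems.append(f"duplicate rule name: {r.name}")
        seen.add(r.name)
        if r.ip_mode not in ("whitelist", "blacklist"):
            problems.append(f"{r.name}: unknown ip_mode {r.ip_mode!r}")
        for cidr in r.ip_list:
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{r.name}: bad IP entry {cidr!r}")
    return problems


def ip_allowed(rule, src_ip):
    """Whitelist: only listed sources pass. Blacklist: listed sources are rejected.
    No entries at all means no login restriction (as stated for IP Limit)."""
    if not rule.ip_list:
        return True
    addr = ipaddress.ip_address(src_ip)
    listed = any(addr in ipaddress.ip_network(c, strict=False) for c in rule.ip_list)
    return listed if rule.ip_mode == "whitelist" else not listed


def in_logon_window(rule, now):
    """Logon Time Limit check; a window such as 22:00-06:00 wraps past midnight."""
    if rule.logon_window is None:
        return True
    start, end = rule.logon_window
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def effective_permissions(rule):
    """Upload/Download only take effect when File Manage is also selected."""
    return {"upload": rule.upload and rule.file_manage,
            "download": rule.download and rule.file_manage,
            "file_manage": rule.file_manage}


def evaluate(rules, user, account, src_ip, now):
    """Decide an access request. `rules` is in priority order (top = highest).
    Assumption (not spelled out on the page): the first enabled rule that relates
    `user` to `account` and is currently effective (validity period, logon window,
    IP limit) decides the request; if no rule qualifies, access is denied."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for rule in rules:
        if not rule.enabled:
            continue
        if user not in rule.users or account not in rule.accounts:
            continue
        if not (rule.valid_from <= now <= rule.valid_to):
            continue
        if not in_logon_window(rule, now) or not ip_allowed(rule, src_ip):
            continue
        return {"allow": True, "rule": rule.name, **effective_permissions(rule)}
    return {"allow": False, "rule": None}


# Constructed sample rules (not taken from any real bastion host), highest priority first.
RULES = [
    AclRule("ops-office-hours", frozenset({"alice"}), frozenset({"root@db-01"}),
            datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59),
            logon_window=(time(9, 0), time(18, 0)),
            ip_mode="whitelist", ip_list=("10.0.0.0/24",),
            upload=True, download=False, file_manage=True),
    AclRule("ops-fallback", frozenset({"alice"}), frozenset({"root@db-01"}),
            datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59),
            ip_mode="blacklist", ip_list=("203.0.113.0/24",),
            upload=True, download=True, file_manage=False),   # no File Manage: transfer stays off
    AclRule("night-shift", frozenset({"carol"}), frozenset({"root@db-01"}),
            datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59),
            logon_window=(time(22, 0), time(6, 0))),
]

if __name__ == "__main__":
    print("validation:", validate_rules(RULES) or "ok")
    for user, ip, when in [("alice", "10.0.0.5", "2024-06-03T10:00:00"),
                           ("alice", "192.0.2.7", "2024-06-03T22:00:00"),
                           ("alice", "203.0.113.9", "2024-06-03T10:00:00"),
                           ("alice", "10.0.0.5", "2025-01-02T10:00:00"),
                           ("carol", "10.0.0.5", "2024-06-03T01:00:00")]:
        print(user, ip, when, evaluate(RULES, user, "root@db-01", ip, when))
```

Note how the second sample rule grants Upload and Download but never takes effect for file transfer because File Manage is not selected, which is exactly the constraint stated under File Transmission; a rule set that passes `validate_rules` can still be ineffective in that way, so review the effective permissions, not just the checkboxes.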

Importing ACL Rules in Batches

You can take the following steps to batch import ACL rules:

  1. Click the import icon in the upper right corner to download the batch import template, and fill in the access control policy information.
  2. In the displayed dialog box, click Upload to upload the completed access control list.

    To overwrite the existing rules, select Overwrite the existing opsStragegy.

    Only XLS, XLSX, and CSV files can be uploaded.

  3. Click OK.

Exporting ACL Rules

Click Export in the upper right corner of the list to export all data in the list as a CSV file.

Follow-up Operations

In your bastion host, you can manage all ACL rules on the rule list page, including managing related users or resources, deleting, enabling, or disabling one or more ACL rules, and sorting ACL rules by priority.

  • To quickly relate an ACL rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete an ACL rule, select the rule and click Delete in the Operation column.
  • To disable ACL rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they no longer take effect.
  • To change the priority of an ACL rule, select the rule and drag it to an upper or lower position.
  • To manage ACL rules offline, click Export to export the details about all ACL rules in CSV format.