Updated on 2024-11-05 GMT+08:00

Step 4: Configure O&M Permissions

Scenarios

After users and resources have been added, the bastion host still cannot be used for resource O&M until you configure access control (ACL) policies, associate users with resources, and assign resource permissions to system users. An ACL rule is the object that ties these together: it binds users (or user groups) to resource accounts (or account groups) and states when, from where, and with which file-transfer rights that access may be used.

Procedure

Table 1 Steps for configuring ACL rules

Step: New ACL Rule
Description: Create the rule and configure its file transfer permission, user login IP address restrictions, user login time restrictions, and validity period. Every later association refers to this rule by its name.

Step: Associate the ACL rule with users or user groups
Description:
  • Associate a user: Assign the permissions for the Host Operation and App Operation modules to a system user so that the user obtains O&M permissions for the resources covered by the rule.
  • Associate a user group: Assign the same permissions to all members of a user group in one step. A user inherits the permissions granted to the group as soon as the user is added to the group, and loses them when removed from it.

Step: Associate the ACL rule with accounts or account groups
Description:
  • Associate an account: Grant the users bound to the rule the right to access the resource through the specified account (the managed account on a host or application resource).
  • Associate an account group: Grant the users bound to the rule the right to access the resources through every account in the group. An account inherits the resource access permissions granted to the account group as soon as it is added to the group.

Configuration Description

Table 2 Basic information about access control policies

Parameter: Rule Name
Description: User-defined name of the ACL rule. The rule name must be unique in the CBH system.

Parameter: Period of validity
Description: (Optional) Effective time and expiration time of the policy. Before the effective time and after the expiration time the rule grants no access, so a rule created for a time-boxed engagement can be left in place and simply expires.

Parameter: File Transmission
Description: (Optional) Permission to upload and download host files during O&M.
  • Select Upload, Download, or both to allow file transfer in the corresponding direction.
  • Leave both Upload and Download deselected to forbid file transfer in both directions.

Parameter: Options
Description: (Optional) Permissions to manage host resource files, use the RDP clipboard, and display watermarks during O&M. You can select File Manage, Clipboard, or Watermark.
NOTE:
File management is available for devices using the SSH or Remote Desktop Protocol (RDP) protocols. For devices using the Virtual Network Computing (VNC) protocol, file management is available only after the application mapped to the device has been released. File management is unavailable for devices using the Telnet protocol.

Parameter: Logon Time Limit
Description: (Optional) Time periods during which the user is allowed or forbidden to log in to the host. A login attempt outside the allowed periods is rejected even if the user, account, and IP address all match the rule.

Parameter: IP Limit
Description: (Optional) Restricts or allows access to the resources based on the source IP address from which the user reaches the bastion host.
  • Select Blacklist and enter IP addresses or IP address ranges to block logins to the resources from those addresses.
  • Select Whitelist and enter IP addresses or IP address ranges to allow logins to the resources only from those addresses; all other addresses are blocked.
  • If no IP addresses are entered in the field, there is no IP-based login restriction on the resource.
Note that the address checked is the one the bastion host sees. If users reach it through a shared NAT gateway or proxy, they all present that gateway's address, so whitelisting it admits everyone behind the gateway.
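The steps in Table 1 and the parameters in Table 2 together define one access decision: a login through the bastion host is permitted only when the user (directly or through a user group) and the account (directly or through an account group) are both bound to the rule, the rule is inside its validity period, the login time is inside the logon window, and the source IP passes the blacklist or whitelist. The Python model below, an added illustration that is not CBH code and does not use the CBH API, walks through that evaluation end to end. The rule fields, the group directory, and the sample users, accounts, addresses and timestamps are all constructed for the example; the assumption that the first rule which permits an access decides the outcome when several rules match is a simplification made here, not documented CBH behaviour.

```python
# Added illustration of CBH-style ACL rule evaluation (not CBH code).
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AclRule:
    name: str                                   # must be unique (Rule Name)
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    accounts: Set[str] = field(default_factory=set)      # resource accounts, e.g. "root@web-01"
    account_groups: Set[str] = field(default_factory=set)
    valid_from: Optional[datetime] = None       # Period of validity (optional)
    valid_until: Optional[datetime] = None
    upload: bool = False                        # File Transmission
    download: bool = False
    login_window: Optional[Tuple[time, time]] = None   # Logon Time Limit: daily allowed window
    ip_mode: str = "whitelist"                  # IP Limit: "whitelist" or "blacklist"
    ip_list: List[str] = field(default_factory=list)   # IPs or CIDRs; empty means no limit


@dataclass
class Directory:
    """Group memberships: a member inherits what is granted to its group."""
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)
    account_groups: Dict[str, Set[str]] = field(default_factory=dict)


def user_covered(rule: AclRule, user: str, d: Directory) -> bool:
    return user in rule.users or any(
        user in d.user_groups.get(g, set()) for g in rule.user_groups)


def account_covered(rule: AclRule, account: str, d: Directory) -> bool:
    return account in rule.accounts or any(
        account in d.account_groups.get(g, set()) for g in rule.account_groups)


def ip_allowed(rule: AclRule, source_ip: str) -> bool:
    if not rule.ip_list:                        # empty field: no restriction
        return True
    addr = ip_address(source_ip)
    listed = any(addr in ip_network(n, strict=False) for n in rule.ip_list)
    return listed if rule.ip_mode == "whitelist" else not listed


def in_validity_period(rule: AclRule, when: datetime) -> bool:
    if rule.valid_from is not None and when < rule.valid_from:
        return False
    return rule.valid_until is None or when <= rule.valid_until


def in_login_window(rule: AclRule, when: datetime) -> bool:
    if rule.login_window is None:
        return True
    start, end = rule.login_window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end               # window wraps past midnight


def check_rule(rule, user, account, source_ip, when, d) -> Tuple[bool, str]:
    """Every check must pass; the reason names the first failing one."""
    if not user_covered(rule, user, d):
        return False, "user not associated"
    if not account_covered(rule, account, d):
        return False, "account not associated"
    if not in_validity_period(rule, when):
        return False, "rule not in validity period"
    if not in_login_window(rule, when):
        return False, "outside logon time limit"
    if not ip_allowed(rule, source_ip):
        return False, "source IP blocked by IP limit"
    return True, "permitted"


def authorize(rules, user, account, source_ip, when, d):
    """Assumed merge behaviour: the first permitting rule decides.
    Returns (rule name, upload allowed, download allowed) or None."""
    for r in rules:
        if check_rule(r, user, account, source_ip, when, d)[0]:
            return r.name, r.upload, r.download
    return None


# Constructed sample data for the example (hypothetical users, hosts and addresses).
DIRECTORY = Directory(user_groups={"ops": {"alice", "bob"}},
                      account_groups={"web-roots": {"root@web-01", "root@web-02"}})
RULES = [
    AclRule(name="ops-web-business-hours", user_groups={"ops"}, account_groups={"web-roots"},
            valid_from=datetime(2024, 1, 1), valid_until=datetime(2024, 12, 31, 23, 59),
            download=True, login_window=(time(9, 0), time(18, 0)),
            ip_mode="whitelist", ip_list=["10.0.0.0/8"]),
    AclRule(name="carol-db-anytime", users={"carol"}, accounts={"dbadmin@db-01"},
            ip_mode="blacklist", ip_list=["203.0.113.0/24"]),
]
NOW = datetime(2024, 6, 3, 10, 30)               # inside both the validity period and the window
```

With this data, `authorize(RULES, "alice", "root@web-02", "10.1.2.3", NOW, DIRECTORY)` permits the login through the ops group and the web-roots account group with download but not upload, while the same request from 192.168.1.5, at 20:00, or in 2025 is refused with the corresponding reason. Carol's rule has no validity period or time window, so it only fails when her source address falls in the blacklisted range.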