
Bastionhost: Manage control policies

Last Updated: Dec 01, 2023

This topic describes how to modify or delete existing control policies to meet your business requirements. This topic also describes how to associate a control policy with hosts and users.

Modify a control policy

To modify an existing control policy, perform the following steps:

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, click Control Policies.

  3. In the control policy list, find the control policy that you want to modify and click Edit in the Actions column.

    Alternatively, you can click the name of the control policy that you want to modify to go to the Control Policy Details page.

  4. On the Control Policy Details page, modify settings on the following tabs: Control Policy Settings, Command Control, Command Approval, Protocol Control, Access Control, and Asset/User.

    For more information about how to modify settings on the Control Policy Settings, Command Control, Command Approval, Protocol Control, and Access Control tabs, see Create a control policy. For more information about how to associate a control policy with hosts or users on the Asset/User tab, see Associate hosts or users.

  5. Click Update Control Policy in the lower-left corner.

Delete a control policy

To delete a control policy that you no longer use, perform the following steps:

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, click Control Policies.

  3. Find the control policy that you want to delete and click Delete in the Actions column.

    To delete multiple control policies at a time, select the control policies and click Delete in the lower-left corner.

  4. In the message that appears, click Delete.

Associate assets or users

To associate a control policy with users or assets or modify the existing association of a control policy, perform the following steps:

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, click Control Policies.

  3. Find a control policy and click the number in the Users, User Groups, Hosts, Database, or Asset Group column.

    Alternatively, you can click the name of the control policy or click Edit in the Actions column, and click the Asset/User tab.

  4. Select the validation mode for the control policy.

    Important

    The selected validation mode for a control policy immediately takes effect. We recommend that you confirm the policy validation mode before you proceed with relevant operations.

    You can select a policy validation mode based on the following information:

    • Select a policy validation mode for assets.

      You can select Takes Effect on All Assets or Takes Effect on Selected All Assets. If you select Takes Effect on All Assets, you must select the assets or asset groups with which you want to associate the control policy. The control policy takes effect only on the associated assets or asset groups.

      Note

      If multiple control policies with the same priority take effect on the same host at the same time, Bastionhost determines the validation order of the policies based on specific rules defined in these policies. Command-related rules are prioritized in descending order: reject, allow, and approve. In access control policies, a blacklist has a higher priority than a whitelist.

    • Select a policy validation mode for users.

      You can select Apply to All Users or Apply to Selected Users. If you select Apply to All Users, you must select the users or user groups with which you want to associate the control policy. The control policy applies only to the associated users or user groups.

    If some assets or users no longer need the control policy, you can select the assets or users and click Remove to remove them from the policy validation list.
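
The precedence in the Note above (reject, then allow, then approve) means an approval requirement in one policy is silently overridden when a same-priority policy on the same host allows the same command. The following added example, which is not Bastionhost code, audits an exported policy list for such overridden rules; the policy fields, the sample data, and exact-string command matching are assumptions made for illustration.

```python
from collections import defaultdict

# Precedence from the Note: reject > allow > approve (lower rank wins).
RANK = {"reject": 0, "allow": 1, "approve": 2}

# Constructed sample data. Field names and exact-string command matching
# are assumptions for this sketch, not Bastionhost's policy schema.
POLICIES = [
    {"name": "ops-baseline", "priority": 1, "hosts": {"db-01", "web-01"},
     "commands": {"systemctl restart nginx": "allow", "reboot": "reject"}},
    {"name": "db-change-control", "priority": 1, "hosts": {"db-01"},
     "commands": {"systemctl restart nginx": "approve", "reboot": "allow"}},
    {"name": "web-approval", "priority": 2, "hosts": {"web-01"},
     "commands": {"systemctl restart nginx": "approve"}},
]


def shadowed_rules(policies):
    """Find command rules overridden by a same-priority policy on the same host."""
    # (host, priority, command) -> [(policy name, action), ...]
    seen = defaultdict(list)
    for p in policies:
        for host in p["hosts"]:
            for cmd, action in p["commands"].items():
                seen[(host, p["priority"], cmd)].append((p["name"], action))

    findings = []
    # Only rules that share host, priority and command are compared; the page
    # does not describe how policies of different priority interact.
    for (host, priority, cmd), rules in sorted(seen.items()):
        winner = min(rules, key=lambda r: RANK[r[1]])
        for name, action in rules:
            if RANK[action] > RANK[winner[1]]:
                findings.append({"host": host, "command": cmd,
                                 "effective": winner[1], "set_by": winner[0],
                                 "shadowed": action, "in_policy": name})
    return findings


if __name__ == "__main__":
    for f in shadowed_rules(POLICIES):
        print("{host}: '{command}' is {effective} via {set_by}; "
              "{shadowed} in {in_policy} never applies".format(**f))
```

A finding where the effective action is allow and the overridden action is approve is the one to review first, because the approval step the second policy intended never runs.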