Bastionhost provides the control policy feature. You can use this feature to configure command control, command approval, protocol control, and access control policies to manage the access of users to hosts. This topic describes how to create a control policy.

Procedure

  1. Log on to the Bastionhost system. For more information, see Log on to Bastionhost.
  2. In the left-side navigation pane, click Policies > Control Policies.
  3. On the Control Policies page, click Create Control Policy.
  4. In the Basic Properties step of the Create Control Policy page that appears, specify Name, Priority, and Remarks and click Next: Command Control.
    Configure basic properties
    Note
    • The priority ranges from 1 to 100. The default value is 1, which indicates the highest priority.
    • Different control policies can have the same priority. If multiple control policies have the same priority, Bastionhost determines the policy validation order based on specific rules defined in these policies. Command-related rules are prioritized in descending order: reject, allow, and approve. In access control policies, a blacklist has a higher priority than a whitelist.
  5. In the Command Control step that appears, specify Command Control Type and Commands and click Next: Command Approval.
    Command Control Type can be set to any of the following values:
    • (Whitelist) Only Listed Commands Are Allowed: If you select this option, the Commands field is required. Only the commands in a whitelist can be executed by the users and on the hosts to which the policy will apply.
    • (Blacklist) Listed Commands Are Not Allowed: If you select this option, the Commands field can be left empty. The commands in a blacklist cannot be executed by the users and on the hosts to which the policy will apply.
    Command Control step
  6. In the Command Approval step that appears, specify Commands and click Next: Protocol Control.
    A command approval policy is used to approve the commands that are excluded from a whitelist or blacklist specified in a command control policy. The command control policy takes precedence over the command approval policy in validation. If users run the commands specified by the Commands field in the Command Approval step, you can choose whether to approve the execution of the commands in the Bastionhost console. Only the commands that pass the approval can be executed. For more information, see Approve commands.Command Approval step
  7. In the Protocol Control step that appears, specify RDP Options and SSH Options and click Next: Access Control.
    After you select required options, the users to which the policy applies can perform corresponding operations. For example, if you select File Upload, the users can upload files.Protocol Control step
  8. In the Access Control step that appears, specify Source IP Address Limit and IP Addresses and click Create Control Policy.
    Source IP Address Limit can be set to any of the following values:
    • (Whitelist) Only Listed IP Addresses Are Allowed: If you select this option, the IP Addresses field is required. Users can use only the source IP addresses in a whitelist to access the hosts to which the policy applies.
    • (Blacklist) Listed IP Addresses Are Not Allowed: If you select this option, the IP Addresses field can be left empty. Users cannot use the source IP addresses in a blacklist to access the hosts to which the policy applies.
    Access Control step
  9. Optional:In the Result step that appears, click Associate Host/User.Click Associate Host/User
    You can associate the policy with one or more users or hosts to make the policy effective on these users or hosts. For more information, see Associate hosts or users.