This topic describes how to modify or delete existing control policies to meet your business requirements. This topic also describes how to associate a control policy with hosts and users.

Modify a control policy

To modify an existing control policy, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Policies > Control Policies.
  3. In the control policy list, find the control policy that you want to modify and click Edit in the Actions column. Modify a control policy
    Alternatively, you can click the name of the control policy that you want to modify to go to the Control Policy Details page.
  4. On the Control Policy Details page, modify settings on the following tabs: Control Policy Settings, Command Control, Command Approval, Protocol Control, Access Control, and Host/User. Control Policy Details page
    For more information about how to modify settings on the Control Policy Settings, Command Control, Command Approval, Protocol Control, and Access Control tabs, see Create a control policy. For more information about how to associate a control policy with hosts or users on the Host/User tab, see Associate hosts or users.
  5. Click Update Control Policy in the lower-left corner.

Delete a control policy

To delete a control policy that you no longer use, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Policies > Control Policies.
  3. Find the control policy that you want to delete and click Delete in the Actions column. Delete a control policy
    To delete multiple control policies at a time, select the control policies and click Delete in the lower-left corner.
  4. In the message that appears, click Delete.

Associate hosts or users

To associate a control policy with users or hosts or modify the existing association of a control policy, perform the following steps:

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Policies > Control Policies.
  3. Find a control policy and click the number in the Users, User Groups, Hosts, or Host Groups column. Associate hosts or users
    Alternatively, you can click the name of the control policy or click Edit in the Actions column, and click the Host/User tab.
  4. Select the validation mode for the control policy.
    Note The selected validation mode for a control policy immediately takes effect. We recommend that you confirm the policy validation mode before you proceed with relevant operations.
    You can select a policy validation mode based on the following information:
    • Select a policy validation mode for hosts.

      You can select Apply to All Hosts or Apply to Selected Hosts. If you select Apply to Selected Hosts, you must select the hosts or host groups with which you want to associate the control policy. The control policy applies only to the associated hosts or host groups.

      Associate hosts or host groups
      Note If multiple control policies with the same priority are validated on the same host at the same time, Bastionhost determines the validation order of the policies based on specific rules defined in these policies. Command-related rules are prioritized in descending order: reject, allow, and approve. In access control policies, a blacklist has a higher priority than a whitelist.
    • Select a policy validation mode for users.

      You can select Apply to All Users or Apply to Selected Users. If you select Apply to Selected Users, you must select the users or user groups with which you want to associate the control policy. The control policy applies only to the associated users or user groups.

      Associated users or user groups

    If some hosts or users no longer need the control policy, you can select these hosts or users and click Remove to remove them from the policy validation list.