Control policies in Bastionhost define which commands users can run, which protocols they can use, and which assets they can access. This topic covers how to modify, delete, and associate control policies with assets and users.
Prerequisites
Before you begin, ensure that you have:
A deployed Bastionhost instance
Admin access to the Bastionhost console
At least one control policy created
Modify a control policy
A control policy has six configurable areas: Control Policy Settings, Command Control, Command Approval, Protocol Control, Access Control, and Asset/User. For details on the first five tabs, see Create a control policy.
Log on to the Bastionhost console. For details, see Log on to the console of a bastion host.
In the left-side navigation pane, click Control Policies.
Find the control policy and click Edit in the Actions column. Alternatively, click the policy name to open the Control Policy Details page.
On the Control Policy Details page, update settings across the relevant tabs.
Click Update Control Policy in the lower-left corner.
Delete a control policy
Delete a single policy
Log on to the Bastionhost console.
In the left-side navigation pane, click Control Policies.
Find the control policy and click Delete in the Actions column.
In the confirmation dialog, click Delete.
Delete multiple policies at once
Log on to the Bastionhost console.
In the left-side navigation pane, click Control Policies.
Select the control policies to delete, then click Delete in the lower-left corner.
In the confirmation dialog, click Delete.
Associate assets or users
Use this procedure to attach a control policy to specific assets or users, or to update an existing association.
Log on to the Bastionhost console.
In the left-side navigation pane, click Control Policies.
Open the association view using one of these methods:
Click the number in the Users, User Groups, Hosts, Database, or Asset Group column.
Click the policy name or click Edit in the Actions column, then click the Asset/User tab.
Select the validation mode for the control policy.
Important: The validation mode takes effect immediately. Confirm your selection before proceeding.
For assets, choose one of the following:
Option                                 Behavior
Takes Effect on All Assets             The policy applies to every asset in the system
Takes Effect on Selected All Assets    The policy applies only to the assets or asset groups you select
For users, choose one of the following:
Option                                 Behavior
Apply to All Users                     The policy applies to every user
Apply to Selected Users                The policy applies only to the users or user groups you select
Select the specific assets, asset groups, users, or user groups to associate with the policy. To remove an association, select the assets or users and click Remove.
How policy priority works
When multiple control policies with the same priority apply to the same host simultaneously, Bastionhost resolves conflicts using the following rules:
Command rules (evaluated in this order):
Reject
Allow
Approve
Access control rules: A blacklist takes priority over a whitelist.
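The precedence rules above, worked through as an added example that is not Bastionhost's own code or API: a small Python model of two equal-priority policies attached to one host. It assumes command rules are shell-style patterns, access rules are exact client addresses, and a command or client with no matching rule yields no verdict; none of these details are stated on this page.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Order in which Bastionhost applies command verdicts when same-priority
# policies on one host disagree: Reject beats Allow, Allow beats Approve.
COMMAND_PRECEDENCE = ("Reject", "Allow", "Approve")

@dataclass
class ControlPolicy:
    """Hypothetical model of one control policy (not the product's API).
    Command rules are assumed to be shell-style patterns; access rules
    are assumed to be client addresses matched exactly."""
    name: str
    reject: list = field(default_factory=list)
    allow: list = field(default_factory=list)
    approve: list = field(default_factory=list)
    access_blacklist: list = field(default_factory=list)
    access_whitelist: list = field(default_factory=list)

    def command_verdicts(self, command):
        """Yield every verdict this policy's rules produce for a command."""
        rules = (("Reject", self.reject), ("Allow", self.allow), ("Approve", self.approve))
        for verdict, patterns in rules:
            if any(fnmatchcase(command, p) for p in patterns):
                yield verdict

def resolve_command(policies, command):
    """Strictest verdict across the same-priority policies wins; None if nothing matches."""
    verdicts = {v for p in policies for v in p.command_verdicts(command)}
    for verdict in COMMAND_PRECEDENCE:
        if verdict in verdicts:
            return verdict
    return None

def resolve_access(policies, client):
    """A blacklist hit in any policy beats a whitelist hit in any other."""
    if any(client in p.access_blacklist for p in policies):
        return "Denied"
    if any(client in p.access_whitelist for p in policies):
        return "Allowed"
    return None  # no access rule matched (behaviour not stated on the page)

# Constructed sample: two equal-priority policies attached to the same host.
OPS = ControlPolicy("ops-baseline", reject=["shutdown *"],
                    approve=["systemctl restart *"], access_whitelist=["10.0.1.5"])
DBA = ControlPolicy("dba-convenience", access_blacklist=["10.0.1.5"],
                    allow=["systemctl restart mysqld", "shutdown -r now"])
HOST_POLICIES = [OPS, DBA]
```

Run against the sample, the model shows the two practical consequences of the precedence: the Allow for `shutdown -r now` in dba-convenience cannot undo the Reject in ops-baseline, while its Allow for `systemctl restart mysqld` bypasses the Approve requirement that ops-baseline places on restarts.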