Access rules control which server processes connect to Application Protection in automatic access mode. Use a blocklist to exclude specific processes from protection, or an allowlist to protect only a defined set of processes. This topic explains the rule priority model, configuration procedures, and the automatic full access option for Java processes.
How rules work
Access rules follow a fixed priority model:
Blocklist takes precedence over allowlist. If a process matches both a blocklist rule and an allowlist rule, the process is not connected.
Rules apply only to automatic access mode. Manual access mode is not affected.
When a rule takes effect depends on whether the process is already connected:
Rules configured before a process connects take effect immediately.
Rules configured after a process has connected take effect when the process restarts or during the next automatic access cycle.
Deleting a blocklist rule takes effect immediately, regardless of process state.
Choose a policy type
| Policy | What it does | Use when |
|---|---|---|
| Blocklist | Excludes specific processes from protection. Processes matching a blocklist rule are not connected to Application Protection. Requires RASP agent version 1.0.5 or later. | Most processes need protection, but a few should be excluded — for example, databases, trusted system processes, processes with compatibility issues, or test environment processes. |
| Allowlist | Protects only processes in a specified scope. Only processes matching an allowlist rule are connected. If no rules are configured, all processes on the asset connect automatically. Requires RASP agent version 0.9.4 or later. | Only critical processes need protection — for example, payment gateways, user authentication services, or specific container workloads in multi-tenancy environments. |
| Automatic full access | Connects all Java processes on your assets automatically using the slow access method. Available when Application Protection is enabled on a pay-as-you-go basis without custom binding. | Initial setup or when no processes have connected yet. |
Add a blocklist or allowlist rule
The following steps use adding a blocklist as an example. Adding an allowlist follows the same procedure.
Prerequisites
Before you begin, ensure that the RASP agent version meets the minimum requirement: version 1.0.5 or later for a blocklist, or version 0.9.4 or later for an allowlist.
Steps
Log on to the Security Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.
On the Application Configurations tab, click Management Settings in the upper-right corner.
On the Manage Access Rule tab of the Management Settings panel, click the Blacklist tab, and then click Add Blacklist.
In the Add Blacklist dialog box, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Rule Name | Enter a name for the blocklist rule. |
| Rule Switch | Enabled by default. |
| Effective Application Type | Select Java or PHP. |
| Match Condition | Select a matching dimension. See Match conditions for details. Click Add Condition to add multiple conditions. Multiple conditions use AND logic — all conditions must be met. |
| Match Mode | Select the matching method for the selected condition. |
| Match Field | Enter the field to match. Required only when Match Condition is set to Environment Variables or -D parameter. |
| Content to Match | Enter the matching content. |
| Destination Application Groups | Select the application groups to which this rule applies. The application type of the selected groups must match the Effective Application Type. |
Rules configured after a process has connected take effect only after the process restarts or during the next automatic access cycle.
Match conditions
| Condition | Matches on | Supported match modes | Availability |
|---|---|---|---|
| cmdline | Command-line parameters at process startup | Contains, does not contain, contains one of multiple values, does not contain any of the values | Java and PHP |
| Environment Variables | Environment variables accessed by the process | Equals | Java and PHP |
| -D parameter | System properties set at Java startup via -D flags | Equals | Java only |
| Container Name | Name of the container the process belongs to | Contains, does not contain, contains one of multiple values, does not contain any of the values | PHP only |
Configuration examples:
Exclude processes whose startup parameters contain tomcat:
Match Condition: cmdline
Match Mode: Contains
Content to Match: tomcat
Exclude processes whose startup parameters do not contain apache or test:
Match Condition: cmdline
Match Mode: Does not contain any of the values
Content to Match: apache,test
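The following added example (not Security Center or RASP agent code) models the priority rules under "How rules work" together with the match conditions above, so a planned rule set can be checked against sample processes before it is applied. Assumptions: the short names for conditions and modes are hypothetical, several rules in the same list are treated as alternatives (OR), Contains is treated as a substring test, and the processes are constructed.

```python
# Added illustration: a local model of the rule semantics this page documents.
# Not Security Center or RASP agent code; all names and sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    kind: str      # "cmdline", "env" or "dprop" (hypothetical short names)
    mode: str      # contains | not_contains | contains_any | contains_none | equals
    content: str   # Content to Match; multi-value modes take "a,b"
    key: str = ""  # Match Field, only for env and dprop

def condition_matches(cond, proc):
    if cond.kind == "cmdline":
        multi = cond.mode in ("contains_any", "contains_none")
        values = [v.strip() for v in cond.content.split(",")] if multi else [cond.content]
        hit = any(v and v in proc["cmdline"] for v in values)
        if cond.mode in ("contains", "contains_any"):
            return hit
        if cond.mode in ("not_contains", "contains_none"):
            return not hit
    elif cond.kind in ("env", "dprop") and cond.mode == "equals":
        return proc[cond.kind].get(cond.key) == cond.content
    raise ValueError(f"unsupported condition: {cond}")

def rule_matches(rule, proc):
    # Conditions inside one rule use AND logic.
    return all(condition_matches(c, proc) for c in rule)

def connects(proc, blocklist, allowlist):
    if any(rule_matches(r, proc) for r in blocklist):
        return False          # blocklist takes precedence over allowlist
    if not allowlist:
        return True           # no allowlist rules: every process connects
    return any(rule_matches(r, proc) for r in allowlist)  # assumption: rules are ORed

PROCS = {  # constructed sample processes
    "tomcat": {"cmdline": "java -Dapp.role=web -jar /opt/tomcat/bootstrap.jar",
               "env": {"STAGE": "prod"}, "dprop": {"app.role": "web"}},
    "pay": {"cmdline": "java -Dapp.role=payment -jar /srv/pay/gateway.jar",
            "env": {"STAGE": "prod"}, "dprop": {"app.role": "payment"}},
    "pay-test": {"cmdline": "java -Dapp.role=payment -jar /srv/pay/gateway-test.jar",
                 "env": {"STAGE": "test"}, "dprop": {"app.role": "payment"}},
}
BLOCK = [[Condition("cmdline", "contains", "tomcat")],
         [Condition("env", "equals", "test", "STAGE")]]
ALLOW = [[Condition("dprop", "equals", "payment", "app.role")]]

def decide_all(blocklist, allowlist):
    return {name: connects(p, blocklist, allowlist) for name, p in PROCS.items()}

if __name__ == "__main__":
    print(decide_all(BLOCK, ALLOW))
```

In this model `pay-test` matches both lists and is not connected, and a short value such as `test` also matches `gateway-test.jar`, so check blocklist content against real command lines before applying it.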
Edit or delete a blocklist or allowlist rule
Log on to the Security Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.
On the Application Configurations tab, click Management Settings in the upper-right corner.
On the Manage Access Rule tab, click the Blacklist or Application Access Whitelist sub-tab. In the Actions column for the target rule, click Edit or Delete.
Delete only rules that are not applied to any application group. Before deleting a rule, detach all associated application groups from it.
Automatic full access (Java processes only)
If you enable Application Protection on a pay-as-you-go basis without custom binding, all Java processes on your assets connect to Application Protection automatically. The slow access method is used by default.
If Application Protection is enabled but no processes have connected, a dialog box appears with two options: Automatic Full Access and Custom Access. Selecting Automatic Full Access uses the slow access method by default. Click Configure Now to switch to a different access method.
Access methods
| Access method | Suitable for | Installation time |
|---|---|---|
| Fast Access | Few processes, low stability requirements | Short |
| Regular Access | Moderate number of processes, low stability requirements | Medium |
| Slow Access | Many processes, high stability requirements | Long |
Stop automatic full access
To stop the access process, go to Protection Configuration > Application Protection > Application Analysis and click Stop Accessing in the prompt.
After stopping, full access cannot be triggered again.
Servers with a status of Queuing will not be connected to Application Protection.
Servers with a status of In Progress will complete the current installation.
After stopping, click View Details in the prompt to check the access status of Java processes on your assets.