
Grant and Revoke Direct Permissions

Overview

Administrators can directly grant or revoke server or server group access permissions (Permissions) to users or user groups. Once a Permission is granted, it cannot be modified—only revoked.

Granting a Direct Permission

1. Select the target user or group.


Administrator > Servers > Server Access Control > Access Control

  1. Navigate to the Administrator > Servers > Server Access Control > Access Control menu.

  2. Select the user or user group to which you want to grant permissions.

2. STEP 1: Select the server or server group accounts.


Administrator > Servers > Server Access Control > Access Control > Details > Grant Permissions Step 1

  1. First, choose the server group from the left-hand list for which you want to grant access permissions.

  2. The associated servers and accounts within that group will appear on the right-hand side. Select the server and accounts you wish to grant permissions to.

    1. On the right-hand side, select the server(s) you want to grant permissions for.

    2. At the bottom right, select the account(s) that can access the selected server(s).

  3. Click the Next button.

3. STEP 2: Configure access policies for the selected servers.


Administrator > Servers > Server Access Control > Access Control > Details > Grant Permissions Step 2

  1. Review the accounts selected in STEP 1 to ensure no mistakes. If adjustments are needed, click the Previous button to return to the previous step.

  2. Configure the following policy settings for the selected servers:

    1. 2 Server(s) selected: Displays the number of servers and accounts selected in STEP 1. Click to view a detailed list.

    2. Protocols: Specify the protocol(s) used for server access.

    3. Command Template: Set restricted command sets for server access. Click Command Template Details to review the specific restrictions.

    4. Configure Whitelist: Allows exceptions for specific commands restricted by the selected Command Template. When the Configure Whitelist checkbox is checked, the following settings appear:

      1. Commands: Enter the commands that need to be allowed.

        1. Keyword: Enter as a keyword (e.g., ls, cat).

        2. RegEx: Enter as a regular expression (e.g., ^sudo\b[^&|;\n]*$).

      2. Whitelist Expiration Date: Specify an expiration date for the exceptions granted to the above commands.

    5. Access Start Time: Set the start time for server access.

    6. Access End Time: Set the end time for server access.

    7. Access Weekday: Choose the days of the week when access is allowed.

    8. IP Addresses: Define the IP addresses from which access is allowed.

    9. Command Audit: Determine whether to log commands executed during the session.

    10. Proxy Usage: Set whether the QueryPie Agent allows server access under this Permission.

    11. Max Sessions: Limit the number of concurrent sessions a user can have on a server.

    12. Session Timeout (minutes): Set the duration (in minutes) after which an inactive session will be terminated.

    13. Expiration Date: Set an expiration date for the access permission (default is 1 year, max is 1 year).

  3. Click the Grant button to finalize and apply the permissions.

Revoking a Direct Permission


Administrator > Servers > Server Access Control > Access Control > Details

  1. Navigate to the Administrator > Servers > Server Access Control > Access Control menu.

  2. Choose the user or user group from whom you want to revoke permissions.

  3. Select the server/accounts you wish to revoke (multiple selections are allowed).

  4. Click the Revoke button at the top left of the list.

  5. In the confirmation popup, type Revoke and click the Revoke button to successfully revoke the permissions.

Q. Where can I check the history of granted or revoked permissions?

A. You can view the history under Audit > Servers > Access Control Logs.

Granting a Command Whitelist Separately

This whitelist function is available only for Direct Permissions. If you grant a whitelist again to an entry that already has one, the existing whitelist is revoked and then regranted.

  1. Navigate to the Administrator > Servers > Server Access Control > Access Control menu.

  2. Select the user or user group to whom you want to grant specific command exceptions.

  3. From the Servers tab list, select the target server/account to enter the detailed drawer page.

  4. At the bottom of the detailed page, click the Configure button under Whitelisted Commands.

  5. When the modal appears, configure the following settings, then click Grant to complete the exception process:

    1. Commands: Enter the commands that need to be allowed.

      1. Keyword: Enter as a keyword (e.g., ls, cat).

      2. RegEx: Enter as a regular expression (e.g., ^sudo\b[^&|;\n]*$).

    2. Whitelist Expiration Date: Specify an expiration date for the exceptions granted to the above commands.
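
The RegEx example shown in both whitelist dialogs (Grant Permissions Step 2 and the Whitelisted Commands modal) excludes &, |, ; and newline. The following added example, which is not QueryPie code, checks a candidate pattern against the command you intend to allow and against other shell constructs before you grant it. It assumes whole-command matching with Python's re module (QueryPie's regex engine and matching semantics may differ); STRICT_PATTERN, BASE and the suffixes are constructed for illustration.

```python
import re

# RegEx example shown on the page.
PAGE_PATTERN = r"^sudo\b[^&|;\n]*$"
# Constructed tighter variant (assumption): one subcommand, conservative unit names.
STRICT_PATTERN = r"^sudo systemctl status [A-Za-z0-9@._-]+$"

# Constructed command the exception is meant to permit.
BASE = "sudo systemctl status nginx"

# Constructed suffixes: shell syntax that adds a second command or redirects I/O.
SUFFIXES = {
    "separator ;": " ; id",
    "and-list &&": " && id",
    "pipe |": " | cat",
    "newline": "\nid",
    "command substitution $()": " $(id)",
    "command substitution backtick": " `id`",
    "output redirection >": " > /tmp/out",
    "input redirection <": " < /etc/hostname",
}


def allowed(pattern: str, command: str) -> bool:
    """Whole-command match (assumed semantics; the product's engine may differ)."""
    return re.fullmatch(pattern, command) is not None


def admitted_constructs(pattern: str, base: str) -> list[str]:
    """Names of the shell constructs the pattern still lets through after `base`."""
    return [name for name, suffix in SUFFIXES.items() if allowed(pattern, base + suffix)]


def review(pattern: str, base: str) -> dict:
    """Summarise a candidate whitelist pattern before it is granted."""
    return {
        "pattern": pattern,
        "base_allowed": allowed(pattern, base),
        "admits": admitted_constructs(pattern, base),
    }


if __name__ == "__main__":
    for candidate in (PAGE_PATTERN, STRICT_PATTERN):
        result = review(candidate, BASE)
        print(result["pattern"])
        print("  intended command allowed:", result["base_allowed"])
        print("  still admitted:", ", ".join(result["admits"]) or "none")
```

A pattern anchored on the full command, like the constructed strict variant, also keeps the exception from covering every sudo invocation.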

Q. Is there a place to check the history of granted or revoked permissions?

A. You can view Whitelist Granted/Revoked events by selecting Servers > Access Control Logs in the Audit menu.
