To meet the requirement of allowing ping from the IT management VLAN to the user VLAN while denying ping from the user VLAN to the IT management VLAN on Aruba CX 6300s, which ACL approach is correct?

Explanation:
The essence is using a directional ACL to block traffic in the undesired direction while leaving the allowed direction open. In this scenario, you want to stop hosts in the user VLAN from pinging hosts in the IT management VLAN, but you still want IT management hosts to be able to ping user hosts.

Apply an inbound ACL on the user VLAN that denies ICMP echo traffic toward the IT management VLAN. This blocks user-originated ICMP echo requests as they enter the switch from the user VLAN heading to IT management, satisfying the requirement. Ping traffic originating from IT management travels in the opposite direction and is not matched by this ACL, so IT management can still ping user hosts.

Why the other approaches aren’t as suitable: placing an outbound ACL on the user VLAN would affect traffic leaving toward IT management (and could block the replies or the opposite direction), which doesn’t isolate the denial to only user-to-IT-management pings. Allowing ICMP echo-reply traffic, or denying ICMP echo traffic in the other direction, would not precisely enforce the one-way ping rule you need.
