After a Bastionhost administrator adds a user for an O&M administrator, the O&M administrator can log on to the required bastion host as a user. This topic describes how to add users to Bastionhost.

Background information

In Bastionhost, you can import Alibaba Cloud Resource Access Management (RAM) users, create local users, and import Active Directory (AD) or Lightweight Directory Access Protocol (LDAP)-authenticated users. The following table describes how to add different types of users.
| How to add a user | Description |
| --- | --- |
| Import a RAM user | • If a RAM user is created for an O&M administrator, you can click Import RAM Users to import the RAM user with a few clicks. Then, the O&M administrator can use the RAM user to log on to the required bastion host. For more information, see Import a RAM user. |
| | • If you want to create a RAM user for an O&M administrator and allow the O&M administrator to use the RAM user to log on to the required bastion host, you can create a RAM user and click Import RAM Users to import the RAM user with a few clicks. Then, the O&M administrator can use the RAM user to log on to the bastion host. For more information, see Create a RAM user and import the RAM user. |
| Create a local user | You can choose Import Other Users > Create User to create an account for a single O&M administrator. For more information, see Add a local user. |
| Import users from a file | If you want to create logon accounts for multiple O&M administrators, you can click Import Users from File. For more information, see Import users from a file. |
| Import an AD user | You can configure AD authentication on a bastion host and import an AD-authenticated user to the bastion host. To import an AD-authenticated user to a bastion host, choose Import Other Users > Import AD Users. Then, an O&M administrator can use the AD-authenticated user to log on to the bastion host. For more information, see Configure AD authentication and Import an AD-authenticated user. |
| Import an LDAP user | You can configure LDAP authentication on a bastion host and import an LDAP-authenticated user to the bastion host. To import an LDAP-authenticated user to a bastion host, choose Import Other Users > Import LDAP Users. Then, an O&M administrator can use the LDAP-authenticated user to log on to the bastion host. For more information, see Configure LDAP authentication and Import an LDAP-authenticated user. |

Import a RAM user

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, click Import RAM Users.
  4. In the Import RAM Users dialog box, select the RAM user that you want to import.
    Note: To import a single RAM user, click Import in the Actions column. In the message that appears, click Import.
  5. Click Import.
    After the RAM user is imported, an O&M administrator can use the RAM user to log on to the bastion host.

Create a RAM user and import the RAM user

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, click Import RAM Users.
  4. In the Import RAM Users dialog box, click Create RAM User.
  5. In the Create RAM User dialog box, click RAM console to go to the RAM console and create a RAM user.

  6. On the Create User page, create a RAM user and click OK.
    You can configure the following parameters to create a RAM user:
    • Configure Logon Name and Display Name.
    • In the Access Mode section, select Console Access.
    • In the Multi-factor Authentication section, select Required to Enable MFA. We recommend that you enable multi-factor authentication (MFA).
      Note: MFA is an easy-to-use and effective authentication method. MFA adds an extra layer of protection beyond your username and password. If Required to Enable MFA is selected, the created RAM user is required to bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Enable an MFA device for a RAM user.
  7. After you create the RAM user, go back to the Create RAM User dialog box and click Finish.
    The created RAM user is displayed in the Import RAM Users dialog box.
  8. Select the created RAM user.
    Note: To import a single RAM user, click Import in the Actions column. In the message that appears, click Import.
  9. Click Import.
    After the RAM user is imported, an O&M administrator can use the RAM user to log on to the bastion host.

Add a local user

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Choose Import Other Users > Create User.
  4. In the Create User panel, configure the parameters.
    The following table describes the parameters.
    | Parameter | Description |
    | --- | --- |
    | Username | Enter the username of the local user that is used to perform O&M operations. The username can be a maximum of 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Authentication Method | Select an authentication method for the local user. Valid values: Local Authentication, AD Authentication, and LDAP Authentication. |
    | Password | Enter a password for the local user. Then, enter the password again in the Confirm Password field. |
    | Name | Enter the name of the local user. |
    | Users must reset the password at next logon | Specify whether the local user is required to reset the password upon the next logon. After you select this parameter, the local user must reset the password upon the next logon. |
    | User Source ID | If you select AD Authentication or LDAP Authentication for Authentication Method, enter the distinguished name (DN) of the AD-authenticated or LDAP-authenticated user: for AD Authentication, the DN of the AD-authenticated user; for LDAP Authentication, the DN of the LDAP-authenticated user. |
    | Validity Period | Specify a validity period for the local user. An O&M administrator can use the created local user to log on to the bastion host within the specified validity period. After the validity period, the status of the local user is Expired, and an O&M administrator cannot use the created local user to log on to the bastion host. |
    | Mobile Number | Enter the mobile phone number of the local user. For more information about the locations from which mobile phone numbers are supported by Bastionhost, see Which countries and regions support the text message-based two-factor authentication feature of Bastionhost? Note: The mobile phone number and email address you enter are used only to receive verification codes or alert notifications. |
    | Email | Enter the email address of the local user. |
    | User Group | Select a user group for the local user. |
  5. Click Create.
    The created local user is displayed in the user list. An O&M administrator can use the local user to log on to the bastion host.

Import users from a file

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Select Import Users from File from the Import Other Users drop-down list.
  4. In the Import Local Users panel, perform the following operations:
    1. Click Download User Template.
    2. In the template file, enter the information about the users that you want to import and click Upload.
    3. Optional: Click Details to the right of Users to Import to view the information about the users that you want to import.
    4. Optional: If you want the users to reset passwords upon the next logon, select Users must reset the password at next logon.
  5. Click Import Local Users.
    After the local users are imported, an O&M administrator can use the local users to log on to the bastion host.
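
A bulk import creates many logon accounts at once, so it is worth checking the file against the rules in the Add a local user parameter table before you upload it. The following Python sketch is an added example, not part of the Bastionhost documentation or tooling. The column names (username, auth_method, user_source_id, valid_until) are hypothetical because the real template layout is not shown on this page, and "letters" is assumed to mean ASCII letters.

```python
import csv
import io
import re
from datetime import date

# Username rule from the parameter table: at most 128 characters, made up of
# letters, digits, periods, underscores and hyphens (ASCII letters assumed).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")
AUTH_METHODS = {"Local Authentication", "AD Authentication", "LDAP Authentication"}
DIRECTORY_AUTH = {"AD Authentication", "LDAP Authentication"}

def check_users(csv_text, today):
    """Return (line, username, problem) tuples for rows to fix before upload."""
    problems, seen = [], set()
    for line, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        name = row.get("username") or ""  # not stripped: stray spaces are flagged
        auth = (row.get("auth_method") or "").strip()
        dn = (row.get("user_source_id") or "").strip()
        until = (row.get("valid_until") or "").strip()
        if not USERNAME_RE.fullmatch(name):
            problems.append((line, name, "invalid username"))
        elif name in seen:
            problems.append((line, name, "duplicate username"))
        seen.add(name)
        if auth not in AUTH_METHODS:
            problems.append((line, name, "unknown authentication method"))
        elif auth in DIRECTORY_AUTH and "=" not in dn:
            # AD/LDAP users need the directory DN as User Source ID.
            problems.append((line, name, "missing DN"))
        if until:
            try:
                if date.fromisoformat(until) < today:
                    # Such an account would be in the Expired state right away.
                    problems.append((line, name, "validity period already over"))
            except ValueError:
                problems.append((line, name, "unparsable date"))
    return problems

# Constructed sample input with hypothetical columns; not the real template.
SAMPLE = """username,auth_method,user_source_id,valid_until
ops.alice,Local Authentication,,2030-01-31
ops bob,Local Authentication,,2030-01-31
ops-carol,AD Authentication,,2030-01-31
ops_dave,LDAP Authentication,"uid=dave,ou=ops,dc=example,dc=com",2020-01-01
ops.alice,Local Authentication,,
ops-erin,Kerberos,,
"""

if __name__ == "__main__":
    for problem in check_users(SAMPLE, date(2025, 1, 1)):
        print(problem)
```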

Import an AD-authenticated user

Before you can import AD-authenticated users, you must configure AD authentication. For more information, see Configure AD authentication.

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Select Import AD Users from the Import Other Users drop-down list.
  4. In the Import AD Users dialog box, select the AD-authenticated user that you want to import and click Import.
    To import an AD-authenticated user, you can enter the username to search for the AD-authenticated user. You can also click Import in the Actions column of the AD-authenticated user.
    After the AD-authenticated user is imported, an O&M administrator can use the AD-authenticated user to log on to the bastion host.

Import an LDAP-authenticated user

Before you can import an LDAP-authenticated user, you must configure LDAP authentication. For more information, see Configure LDAP authentication.

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Select Import LDAP Users from the Import Other Users drop-down list.
  4. In the Import LDAP Users dialog box, select the LDAP-authenticated user that you want to import and click Import.
    To import an LDAP-authenticated user, you can enter the username to search for the LDAP-authenticated user. You can also click Import in the Actions column of the LDAP-authenticated user.
    After the LDAP-authenticated user is imported, an O&M administrator can use the LDAP-authenticated user to log on to the bastion host.