This topic introduces the basic concepts related to Bastionhost.
Bastionhost administrator
A user who has full permissions on Bastionhost. The permissions of a Bastionhost administrator
include asset management, user management, authorization rule management, control
policy management, command approval, session auditing, host O&M, and system settings.
Note A RAM user must be created before you can grant the Bastionhost administrative rights to the RAM user. For more information about how to configure the permissions of a RAM user, see Create a RAM user.
Bastionhost O&M administrator
A user who has the permissions to log on to a bastion host and perform O&M operations
on assets.
Bastionhost auditor
A user who has the permissions to view Bastionhost audit data, such as session recordings and command records. A Bastionhost auditor can also block a session that is in progress.
Note A RAM user must be created before you can grant the Bastionhost auditor permissions to the RAM user. For more information about how to configure the permissions of a RAM user, see Create a RAM user.
Bastionhost read-only permissions
The permissions to view all the features and configurations of Bastionhost without being able to modify any of them.
Note A RAM user must be created before you can grant the Bastionhost read-only permissions to the RAM user. For more information about how to configure the permissions of a RAM user, see Create a RAM user.
number of assets
The number of assets managed by a bastion host.
concurrency
The number of O&M sessions that are established on Bastionhost at the same time. Each connection counts as one session, regardless of the user. For example, if 10 users simultaneously use Bastionhost to perform O&M operations on their assets and each user establishes five connections on average over protocols such as SSH and Remote Desktop Protocol (RDP), the concurrency is 50.
Client/Server O&M
A user uses a local RDP or SSH client, such as Remote Desktop Connection (MSTSC) or Xshell, to log on to the bastion host and then perform O&M operations on authorized assets. To log on, the user enters the O&M URL and port number of the bastion host together with the username and password, rather than connecting to the asset directly.
web terminal-based O&M
A user logs on to the Bastionhost console and performs O&M operations on authorized assets from a terminal rendered in the browser, without installing a local SSH or RDP client.
real-time monitoring
Live viewing of the O&M operations in a session while the session is in progress.
session audit
Video playback of the O&M operations in a session after the session has ended.
credential hosting
Credentials are the passwords or keys of the accounts that are created on hosts. Credential hosting means that an administrator stores these passwords or keys in Bastionhost and manages them there.
Note After the administrator authorizes hosted credentials to a user, the user can log on to the host through Bastionhost without having to enter the host account's password or key.
host fingerprint
A unique identifier that Bastionhost uses to identify a Linux host. If the fingerprint presented by a host does not match the one recorded in Bastionhost, the host may have been replaced or its key changed, and the connection should be checked before it is trusted.
public key of a user
The public half of a key pair. A key pair consists of a public key and a private key that are used for asymmetric cryptography. The public key is published by the owner of the key pair and can be shared freely. The private key is kept by the owner and must never be published. Data encrypted with the public key can be decrypted only with the private key, and a signature produced with the private key can be verified with the public key.
Note A user can use a key pair to log on to a bastion host. After the user's public key is hosted on Bastionhost, the user proves possession of the matching private key at logon and is authenticated; the private key itself is never sent to the bastion host.
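The following example is added here and is not code from the page or from Alibaba Cloud. It shows how to compute and check the fingerprint of an OpenSSH public key, which is how a practitioner confirms that the host fingerprint recorded in Bastionhost and the user public key hosted there really correspond to the key material in hand. It assumes (an assumption, since the page does not say) that the host fingerprint is the SSH host key fingerprint in the SHA256 or MD5 form that OpenSSH prints. The sample key line is constructed from dummy bytes so the code runs offline; it is not a real key.

```python
import base64
import hashlib
import struct


# Constructed sample: an OpenSSH public-key line ("<type> <base64 blob> <comment>")
# built from a dummy 32-byte Ed25519 key so the example runs offline.
# This is NOT a real host or user key.
def _build_sample_key_line() -> str:
    key_bytes = bytes(range(32))  # dummy key material
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


SAMPLE_HOST_KEY_LINE = _build_sample_key_line()


def parse_openssh_public_key(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line.

    The key type embedded in the blob must match the declared type, so a
    mislabelled or tampered line is rejected before it is hashed.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64>' format")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii")
    if embedded_type != declared_type:
        raise ValueError(f"key type mismatch: {declared_type!r} vs {embedded_type!r}")
    return blob


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(parse_openssh_public_key(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(line: str) -> str:
    """Legacy OpenSSH fingerprint: 'MD5:' + colon-separated hex of the blob's MD5."""
    digest = hashlib.md5(parse_openssh_public_key(line), usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare a key line against a fingerprint recorded out of band.

    Accepts either the SHA256 or the MD5 form; the comparison is exact apart
    from hex case in the MD5 form.
    """
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(line) == expected
    if expected.startswith("MD5:"):
        return md5_fingerprint(line) == "MD5:" + expected[4:].lower()
    raise ValueError("unknown fingerprint format")


def tampered_copy(line: str) -> str:
    """Flip one bit of the key material to show that the fingerprint changes."""
    fields = line.split()
    blob = bytearray(base64.b64decode(fields[1]))
    blob[-1] ^= 0x01
    fields[1] = base64.b64encode(bytes(blob)).decode()
    return " ".join(fields)


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_HOST_KEY_LINE)
    print("recorded fingerprint:", fp)
    print("genuine key matches:", fingerprint_matches(SAMPLE_HOST_KEY_LINE, fp))
    print("tampered key matches:", fingerprint_matches(tampered_copy(SAMPLE_HOST_KEY_LINE), fp))
```

In practice the line passed to these functions comes from the host's own `/etc/ssh/ssh_host_*_key.pub` (for a host fingerprint) or from the user's `id_*.pub` (for a hosted user key), and the expected value is what the administrator recorded in Bastionhost; any mismatch means the key material, not just the label, differs.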
network domain
A network domain is a network in which your assets reside, such as an on-premises LAN or a virtual private cloud (VPC). If a network domain cannot communicate directly with the VPC in which your bastion host resides, you can designate a server in that network domain as a proxy server. The bastion host then connects to the proxy server, and O&M traffic to the other servers in the network domain is relayed through it.