
Bastionhost:Best practice for identity authentication

Last Updated:Mar 31, 2026

Bastionhost lets you centrally manage users from multiple identity authentication sources—RAM, Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Identity as a Service (IDaaS)—without maintaining a separate user database for each source. This topic shows you how to import users from each supported source.

How it works

When a user attempts to log in, Bastionhost delegates authentication to the configured identity source (for RAM, AD, LDAP, and IDaaS users). For local users, Bastionhost performs authentication directly. The identity source verifies credentials, and Bastionhost grants access based on the user record it holds. You add users to Bastionhost by importing them from an identity source (or creating them locally), then assign asset permissions separately.

The four supported identity sources map to four user management paths:

| Identity source | User type | When to use |
| --- | --- | --- |
| RAM (Resource Access Management) | RAM users | Your team already uses RAM for Alibaba Cloud access |
| Local authentication | Local users | No external identity provider; full control over credentials and MFA |
| AD or LDAP | AD/LDAP users | Your organization runs an on-premises directory service |
| IDaaS (Identity as a Service) | IDaaS users | You need to aggregate users from multiple providers (DingTalk, Microsoft Entra ID, etc.) |

Import RAM users

Prerequisites

Before you begin, make sure you have:

  • A Bastionhost instance

  • At least one RAM user in Resource Access Management (RAM)

To enable multi-factor authentication (MFA) for a RAM user, log on to the RAM console and enable MFA for that user. For details, see Bind an MFA device to an Alibaba Cloud account.

Steps

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, click Import RAM Users.

  5. (Optional) If no RAM user exists, click Create RAM User in the Import RAM Users dialog box and follow the prompts. For details, see Create a RAM user.

  6. In the Import RAM Users dialog box, click Import in the Actions column next to the RAM user you want to import. To import multiple users at once, select them and click Import below the list.

Create local users

Local users authenticate directly against Bastionhost. Use this path when you do not have an external identity provider, or when you need accounts that operate independently of your directory service.

Create a single local user

  1. Log on to the Bastionhost console. Select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Create User from the Import Other Users drop-down list.

  5. In the Create User panel, set Authentication Method to Local Authentication.

  6. Configure the user's credentials and optional settings:

     | Field | Description |
     | --- | --- |
     | Users must reset the password at next logon. | Select this checkbox to force a password change on first logon. |
     | Validity Period | Set an expiration date. When the period elapses, the user's Status changes to Expired. |
     | Two-factor Authentication Methods | See Two-factor authentication options. |
     | Two-factor Notification Sending Language | Select Simplified Chinese or English to override the setting for this user, or select For All Users to inherit the default from the System Settings page. |

  7. Click Create.

Two-factor authentication options

Set Two-factor Authentication Methods to either For All Users or For Single User.

  • For All Users: Uses the global setting configured on the System Settings page. For details, see Enable two-factor authentication.

  • For Single User: Applies a method to this user only:

    | Method | Requirement |
    | --- | --- |
    | Disable | None |
    | Text Message | Mobile phone number required |
    | Email | Email address required |
    | DingTalk | Mobile phone number required; see DingTalk requirements |
    | OTP App | User must bind an OTP token first; see OTP app setup |

For countries and regions where SMS-based two-factor authentication is supported, see Supported countries and areas. Mobile phone numbers and email addresses are used only for verification codes and alert notifications.

DingTalk requirements

To use DingTalk two-factor authentication, complete all of the following before enabling it:

  • Specify the user's mobile phone number. For details, see Modify the basic information about a local user.

  • Have the DingTalk administrator create an internal enterprise application and activate the "obtain member information based on mobile phone numbers and names" permission.

  • Obtain the AppKey, AppSecret, and AgentId values from the DingTalk application.

OTP app setup

To use OTP app two-factor authentication:

  1. Download a standard TOTP authenticator app (for example, the Alibaba Cloud app).

  2. Log on to the Bastionhost O&M portal using a public endpoint. For endpoint details, see the Overview page.

  3. In the left-side navigation pane, click Security Settings.

  4. On the Enable OTP tab, click Bind OTP App and scan the QR code to bind the OTP token.

Import multiple local users from a file

Use this option to create many local users at once using a template file.

  1. Log on to the Bastionhost console. Select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Import Users from File from the Import Other Users drop-down list.

  5. Click Download User Template, extract the package, fill in the user information in the template file, and save it.

  6. In the Import Local Users panel, click Upload to upload the completed template file.

  7. In the Preview dialog box, select the users to import and click Import.

  8. Review the user information and click Import Local Users. If you select Users must reset the password at next logon., all imported local users must reset their passwords upon the next logon.

  9. (Optional) To notify users of the O&M address, specify their mobile phone number or email address and select Send O&M Addresses to User.

If multiple users in the file share the same username, only the last occurrence is imported. If an imported user's username matches an existing user in Bastionhost, that user is skipped. Click Details in the Import Local Users panel to view skipped users.
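As an added illustration (not part of the Bastionhost documentation or of its template), the following Python preflight check applies the two import rules just described, and the per-method field requirements from the two-factor options table above, to a user file before you upload it. The CSV column names, the sample rows and the set of existing usernames are all constructed assumptions; the real template downloaded from the console defines its own layout.

```python
import csv
import io

# Constructed sample in an assumed CSV layout; the real template has its own columns.
SAMPLE_FILE = """username,mobile,email,two_factor
alice,13800000001,alice@example.com,Text Message
bob,,bob@example.com,Email
carol,,,DingTalk
dave,13800000004,,OTP App
alice,13800000002,alice2@example.com,Email
erin,,,Disable
"""

# Field that each single-user two-factor method needs (from the options table).
TWO_FACTOR_REQUIREMENT = {
    "Disable": None,
    "Text Message": "mobile",
    "Email": "email",
    "DingTalk": "mobile",
    "OTP App": None,  # the user binds a token in the O&M portal after creation
}


def preflight(csv_text, existing_usernames):
    """Return (to_import, skipped, warnings), mirroring the import rules:
    a username repeated in the file keeps only its last occurrence, and a
    username that already exists in Bastionhost is skipped."""
    last_by_name = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_by_name[row["username"]] = row  # later rows overwrite earlier ones
    to_import, skipped, warnings = [], [], []
    for name, row in last_by_name.items():
        if name in existing_usernames:
            skipped.append(name)
            continue
        method = row["two_factor"]
        if method not in TWO_FACTOR_REQUIREMENT:
            warnings.append(f"{name}: unknown two-factor method {method!r}")
        else:
            needed = TWO_FACTOR_REQUIREMENT[method]
            if needed and not row[needed]:
                warnings.append(f"{name}: {method} requires a {needed} value")
            if method == "OTP App":
                warnings.append(f"{name}: bind an OTP token in the O&M portal before use")
        to_import.append(row)
    return to_import, skipped, warnings


if __name__ == "__main__":
    rows, dropped, warns = preflight(SAMPLE_FILE, existing_usernames={"bob"})
    print("import:", [r["username"] for r in rows], "skipped:", dropped)
    for w in warns:
        print("warning:", w)
```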

Import AD- or LDAP-authenticated users

Prerequisites

Before you begin, make sure that:

Steps

  1. Log on to the Bastionhost console. Select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Import Other Users > Import AD Users or Import LDAP Users.

  5. In the dialog box, click Import in the Actions column next to the user you want to import. To import multiple users at once, select them and click Import below the list.

Import IDaaS-authenticated users

IDaaS lets you aggregate users from multiple external identity providers—such as DingTalk and Microsoft Entra ID (formerly Azure AD)—into an Employee Identity and Access Management (EIAM) instance and push them to Bastionhost. If your identity provider is not natively supported by IDaaS, enable Single Sign-On (SSO) after creating an IDaaS user. For supported identity providers, see IdPs. For SSO application setup, see Create applications.

Important

IDaaS users cannot log in with a password through a client. They must use O&M token-based authentication on a client or access assets through the O&M portal. For details, see O&M manual.

Prerequisites

Before you begin, make sure that:

Steps

  1. Log on to the Bastionhost console. Select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Import IDaaS User from the Import Other Users drop-down list.

  5. In the Import IDaaS User dialog box, click Import in the Actions column next to the user you want to import. To import multiple users at once, select them and click Import below the list.

If no IDaaS-authenticated users appear in the Import IDaaS User dialog box, click Synchronize.