
Bastionhost: O&M configuration

Last Updated: Mar 31, 2026

Configure O&M settings on your Bastionhost instance to control session durations, token validity, approval workflows, and host access behavior.

Prerequisites

Before you begin, ensure that you have:

  • A Bastionhost instance

  • Administrator access to the Bastionhost console

Configure O&M settings

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your instance is located.

  2. In the instance list, find the target instance and click Manage.

  3. In the left navigation pane, click System Settings.

  4. On the O&M Configuration tab, configure the parameters described in the following sections, then click Save.

O&M token

| Parameter | Description |
| --- | --- |
| Validity period of O&M token | How long an O&M token remains valid for repeated use after it takes effect. Valid values: 1–480 minutes or 1–8 hours. If you change this value, O&M engineers must apply for new tokens for the change to take effect. When O&M Approval is enabled, the validity period set by the administrator during approval takes precedence over this value. For information about enabling or disabling O&M Approval, see Configure a control policy. |
| O&M token renewal | Whether O&M engineers can renew their tokens, and how many times. Each renewal extends the validity period by 1 hour. Valid values: 1–20 renewals. When O&M Approval is enabled, token renewal is not available. If you change this value, O&M engineers must apply for new tokens for the change to take effect. |

Approval settings

| Parameter | Description |
| --- | --- |
| Automatic approval of O&M tasks | When enabled, O&M tasks created by O&M engineers are automatically approved without requiring administrator review. For more information, see Automatic O&M. |
| Timeout period for O&M approval | How long an O&M application can remain pending before it is automatically rejected. Set to 0 to disable automatic rejection. |

Special asset accounts

| Parameter | Description |
| --- | --- |
| Allow access to hosts by using Bastionhost account and password | When enabled, users can access hosts using their Bastionhost account credentials. Use this option when both users and hosts authenticate through Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). |
| Unauthorized asset accounts are allowed | When enabled (default), users can access hosts where they have no authorized account by using the Empty account and entering the password manually. When disabled, users cannot access any host whose account is not managed in Bastionhost. |

Special host configuration

| Parameter | Description |
| --- | --- |
| Enable host fingerprinting | Enabled by default. A host fingerprint uniquely identifies a Linux host and prevents unauthorized access through traffic redirection. Keep this option enabled. |
| Enable personalized desktop | Disabled by default. Applies to Windows hosts only. When enabled, users can use personalized desktops on Windows. Personalized desktops consume significant bandwidth — enable with caution. |
| Enable bitmap caching during RDP-based O&M | Enable this option if you experience screen flicker during Remote Desktop Protocol (RDP)-based O&M on assets running Windows 11 v24H2. Warning: Enabling this option increases resource usage and reduces the maximum number of concurrent RDP sessions by 50% for Windows 11 v24H2. For assets running Windows 10 or earlier, the maximum number of concurrent RDP-based O&M sessions is not affected. |

Session limits

The following parameters control when sessions are automatically disconnected. The idle timeout interval and duration limit do not apply to database O&M sessions.

| Parameter | Description |
| --- | --- |
| Idle timeout interval | The maximum time a session can remain idle before it is automatically disconnected. An idle session is one where the user is logged on but not performing any O&M operations. Valid values: 0–60 minutes. Set to 0 for no limit. |
| Duration limit | The maximum total duration of an O&M session. When a session reaches this limit, it is automatically disconnected regardless of activity. Default: 7 days. Valid values: 1–168 hours or 1–7 days. |
| Duration to lock users upon session blocking (Unit: Minutes) | How long users are locked out of all hosts after an administrator blocks their session. During this period, users cannot perform O&M operations on any host. Valid values: 0–60 minutes. Set to 0 for no limit. |
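
The following Python sketch is an added example, not Alibaba Cloud code: it checks a snapshot of the settings above against the documented ranges and lists the values a reviewer would want to look at, including the longest time one token can stay usable. The field names are hypothetical (this page describes console settings, not an export format), and using 0 renewals to mean "renewal disabled" is an assumption.

```python
from dataclasses import dataclass

@dataclass
class OMSettings:
    # Hypothetical field names; values mirror the console parameters above.
    token_validity_min: int = 60
    token_renewals: int = 0                   # assumption: 0 = renewal disabled
    approval_enabled: bool = False            # O&M Approval (control policy)
    auto_approve_tasks: bool = False
    approval_timeout: int = 0                 # 0 = automatic rejection disabled
    allow_unauthorized_accounts: bool = True  # documented default
    host_fingerprinting: bool = True          # documented default
    idle_timeout_min: int = 0                 # 0 = no idle limit
    duration_limit_hours: int = 168           # documented default: 7 days

def max_token_lifetime_min(s):
    """Longest time one token stays usable; None when the approver sets it."""
    if s.approval_enabled:
        return None  # approver-set validity takes precedence; no renewal
    return s.token_validity_min + s.token_renewals * 60  # 1 hour per renewal

def audit(s):
    """Return (range_errors, review_items) for a settings snapshot."""
    errors, review = [], []
    if not 1 <= s.token_validity_min <= 480:
        errors.append("token_validity_min outside 1-480")
    if not 0 <= s.token_renewals <= 20:
        errors.append("token_renewals outside 0-20 (0 = disabled)")
    if not 0 <= s.idle_timeout_min <= 60:
        errors.append("idle_timeout_min outside 0-60")
    if not 1 <= s.duration_limit_hours <= 168:
        errors.append("duration_limit_hours outside 1-168")
    if s.approval_enabled and s.token_renewals:
        review.append("token_renewals has no effect while O&M Approval is on")
    if s.auto_approve_tasks:
        review.append("O&M tasks are approved without administrator review")
    if s.approval_timeout == 0:
        review.append("pending O&M applications are never auto-rejected")
    if s.allow_unauthorized_accounts:
        review.append("hosts reachable with accounts not managed in Bastionhost")
    if not s.host_fingerprinting:
        review.append("host fingerprinting is off; the page says to keep it on")
    if s.idle_timeout_min == 0:
        review.append("idle sessions are never disconnected")
    return errors, review
```

With the maximum validity (480 minutes) and 20 renewals, `max_token_lifetime_min` returns 1680 minutes, that is, 28 hours for a single token when O&M Approval is off.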

What's next