Add users to Bastionhost so that O&M engineers can log on and perform operations on the assets they are authorized to access.
User types
Bastionhost supports the following user types. Each type has a different source and import method.
An Identity as a Service (IDaaS)-authenticated user cannot log on to Bastionhost for asset O&M using password-based authentication on a client. To use Bastionhost, an IDaaS-authenticated user must pass O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual.
| User type | Description |
|---|---|
| RAM user | Created in the RAM console, then imported into Bastionhost via Import RAM Users. |
| Local user | Created directly in Bastionhost (single user) or imported in bulk from a file. |
| AD-authenticated user | Synced from an Active Directory (AD) server. Requires AD authentication to be configured first. For more information, see Configure AD authentication or LDAP authentication. |
| LDAP-authenticated user | Synced from a Lightweight Directory Access Protocol (LDAP) server. Requires LDAP authentication to be configured first. For more information, see Configure AD authentication or LDAP authentication. |
| IDaaS-authenticated user | Synced from Alibaba Cloud Identity as a Service (IDaaS) Enterprise Identity Access Management (EIAM). Requires IDaaS authentication to be configured first. Only Enterprise and SM Edition support IDaaS integration. If your instance is Basic Edition, upgrade it before proceeding. For more information, see Upgrade instance type. |
User list columns
| Column | Description |
|---|---|
| Username | The logon name for the user. The source and mutability vary by user type: RAM users use the logon name from the RAM console (changeable via RAM); local users use the name set at creation (cannot be changed); AD- and LDAP-authenticated users use the name synced from the server (change on the server); IDaaS-authenticated users use the name synced from IDaaS EIAM (cannot be changed). |
| Authentication source | The user type. For example, Local Authentication for local users. |
| Two-factor authentication methods | The two-factor authentication (2FA) method applied when the user logs on with a username and password. Methods include SMS, email, and DingTalk verification codes. RAM users use RAM-based Authentication (configured via the RAM console). IDaaS-authenticated users use IDaaS-based Authentication (configured via the IDaaS console). |
| OTP App | Whether the user has a time-based one-time password (TOTP) bound. Not applicable to RAM users or IDaaS-authenticated users. |
| Status | The current user status. Possible values: Inactive (user has not logged on within the configured period), Password Expired (password validity has elapsed), Locked (too many failed attempts, manually locked by an admin, or auto-locked due to inactivity), The source from which the user is imported is deleted (user not found in the authentication source — applies to AD-, LDAP-, and IDaaS-authenticated users only), Update Available (base distinguished name (DN) on the AD or LDAP server differs from the configuration on Bastionhost). |
| Actions | Operations for granting permissions. For more information, see Authorize users or user groups to manage assets and asset accounts or Grant permissions on asset groups. |
Create users
You can create user accounts for O&M engineers to log on to Bastionhost.
Import RAM users
Import RAM users into Bastionhost so that O&M engineers can log on using their existing Alibaba Cloud Resource Access Management (RAM) identities.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click Import RAM Users.
(Optional) If no RAM users exist yet, click Create RAM User in the Import RAM Users dialog box and follow the prompts. For more information, see Create a RAM user.
In the Import RAM Users dialog box, click Import in the Actions column for the user you want to import. To import multiple users at once, select them and click Import below the list.
To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Bind an MFA device to an Alibaba Cloud account.
Create local users
Create local users directly in Bastionhost when you need accounts that are not tied to an external authentication source. You can create users one at a time or import them in bulk from a file.
Create a single local user
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Choose Import Other Users > Create User.
In the Create User panel, set Authentication Method to Local Authentication and configure the following parameters, then click Create.
Required fields
| Parameter | Description |
|---|---|
| Username | The logon name for the user. Cannot be changed after creation. |
| Mobile phone number and email address | Used only for receiving verification codes and alert notifications. Required if you enable SMS or email two-factor authentication. |
Optional settings
| Parameter | Description |
|---|---|
| Users must reset the password at next logon. | If selected, the user must set a new password on first logon. |
| Validity Period | After the validity period elapses, the user's status changes to Password Expired and they can no longer log on. |
| Two-factor authentication methods | Controls 2FA for this user. Select For All Users to apply the global setting from System Settings, or select For Single User to configure a specific method. See the table below for available methods. |
| Two-factor notification sending language | The language for verification code messages. If For All Users is selected, the global language from System Settings is used. If For Single User is selected, choose Simplified Chinese or English. |
Two-factor authentication methods (For Single User)
| Method | Description |
|---|---|
| Disable | Two-factor authentication is disabled for this user. |
| Text Message | Sends a verification code via SMS. Requires the user's mobile phone number. For supported countries and regions, see Supported countries and regions. |
| Email | Sends a verification code via email. Requires the user's email address. |
| DingTalk | Sends a verification code via DingTalk. Requires the user's mobile phone number. Before using this method, the DingTalk administrator must create an internal enterprise application with the Permission To Access The API For Obtaining Member Information Based On Mobile Phone Numbers And Names and provide the AppKey, AppSecret, and AgentId. |
| OTP App | Uses a TOTP mobile authenticator. The user must bind an OTP app first by logging on to the O&M portal, navigating to Security Settings > Enable OTP, and clicking Bind OTP App to scan the QR code. For the O&M portal address, see Overview page. |
(Optional) To notify the user of the O&M address, enter the user's mobile phone number or email address and select Send O&M Addresses to User.
Import multiple local users from a file
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Choose Import Other Users > Import Users from File.
Click Download User Template, decompress the package, fill in the user information in the template file, and save it.
In the Import Local Users panel, click Upload to upload the completed template.
In the Preview dialog box, select the users to import and click Import.
In the Import Local Users panel, confirm the user information and click Import Local Users. If you select Users must reset the password at next logon., all imported local users must reset their passwords upon the next logon.
(Optional) To notify users of the O&M address, specify the mobile phone number or email address of the local users and select Send O&M Addresses to User.
If multiple users in the file share the same username, only the last entry is imported. If an imported username already exists in Bastionhost, that user is skipped. Click Details in the Import Local Users panel to review any skipped users.
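The following added example (not Bastionhost's own code) simulates the import rules above on a constructed template: a repeated username keeps only its last row, usernames already on the instance are skipped, and users whose chosen 2FA method has no matching contact field are flagged before they are created. The column names (`username`, `mobile`, `email`, `two_factor`) are assumptions, not the real template layout.

```python
import csv
import io

# Constructed sample of a filled-in user template. The column names are an
# assumption for this example, not the layout of Bastionhost's real template.
SAMPLE_FILE = """username,mobile,email,two_factor
alice,13800000001,alice@example.com,Text Message
bob,,bob@example.com,Email
alice,13800000002,alice.ops@example.com,Email
carol,,,Text Message
dave,13800000004,,Disable
"""

# Usernames already present on the instance (constructed).
EXISTING_USERS = {"bob"}

# Contact field each 2FA method depends on, per the methods table above.
REQUIRED_CONTACT = {"Text Message": "mobile", "Email": "email", "DingTalk": "mobile"}


def parse_template(text):
    """Parse the template; when a username repeats, the last row wins."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("username") or "").strip()
        if name:
            users[name] = {k: (v or "").strip() for k, v in row.items()}
    return users


def plan_import(text, existing):
    """Split rows into users to import and usernames skipped as already existing."""
    users = parse_template(text)
    to_import = {n: u for n, u in users.items() if n not in existing}
    skipped = sorted(n for n in users if n in existing)
    return to_import, skipped


def missing_contacts(users):
    """Users whose chosen 2FA method needs a contact field they did not supply."""
    problems = {}
    for name, u in users.items():
        field = REQUIRED_CONTACT.get(u.get("two_factor", ""))
        if field and not u.get(field):
            problems[name] = field
    return problems


if __name__ == "__main__":
    imported, skipped = plan_import(SAMPLE_FILE, EXISTING_USERS)
    print("to import:", sorted(imported), "skipped:", skipped)
    print("missing contact info:", missing_contacts(imported))
```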
Import AD- or LDAP-authenticated users
Import AD- or LDAP-authenticated users after you configure the corresponding authentication source. For more information, see Configure AD authentication or LDAP authentication.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Choose Import Other Users > Import AD Users or Import LDAP Users.
In the dialog box, click Import in the Actions column for the user you want to import. To import multiple users at once, select them and click Import.
Import IDaaS-authenticated users
Import IDaaS-authenticated users after you configure IDaaS authentication. For more information, see Manage IDaaS authentication.
An IDaaS-authenticated user cannot log on to Bastionhost for asset O&M using password-based authentication on a client. To use Bastionhost, an IDaaS-authenticated user must pass O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Choose Import Other Users > Import IDaaS User.
In the Import IDaaS User dialog box, click Import in the Actions column for the user you want to import. To import multiple users at once, select them and click Import. If no users appear in the dialog box, click Synchronize.
Set logon restrictions
Restrict which IP addresses and time periods a user can use to log on to Bastionhost.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Click the username of the user you want to configure.
On the User Logon Restrictions tab, configure the IP address and time period restrictions, then click Update.
| Mode | Description |
|---|---|
| (Whitelist) Only Listed IP Addresses Are Allowed | Only the IP addresses you specify can be used to log on, within the configured time periods. |
| (Blacklist) Listed IP Addresses Are Not Allowed | The IP addresses you specify cannot log on. All other IP addresses can log on only within the configured time periods. |
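As an added example (not Bastionhost's own code), the evaluation below applies the two modes from the table to a constructed policy, combining the IP list with the configured time periods exactly as the descriptions state. The policy field names and the assumption that an empty time-period list imposes no time limit are this example's own.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed restriction policy for one user. The page does not document how
# Bastionhost stores these settings; the field names here are assumptions.
POLICY = {
    "mode": "whitelist",  # or "blacklist"
    "addresses": ["10.0.0.0/8", "203.0.113.7"],
    # Logon windows as (weekday, start, end); weekday 0 = Monday.
    "time_periods": [(day, "09:00", "18:00") for day in range(5)],
}


def in_time_period(when, periods):
    """True inside any configured window (assumed: no windows means no time limit)."""
    if not periods:
        return True
    hhmm = when.strftime("%H:%M")
    return any(when.weekday() == day and start <= hhmm <= end
               for day, start, end in periods)


def address_listed(addr, addresses):
    """True if addr matches any listed host address or CIDR block."""
    ip = ip_address(addr)
    return any(ip in ip_network(a, strict=False) for a in addresses)


def logon_allowed(policy, source_ip, when):
    """Apply the whitelist/blacklist rules from the table above.

    `when` may be a datetime or an ISO 8601 string such as "2024-06-12T10:30".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    listed = address_listed(source_ip, policy["addresses"])
    in_window = in_time_period(when, policy["time_periods"])
    if policy["mode"] == "whitelist":
        return listed and in_window          # only listed IPs, only in the windows
    if policy["mode"] == "blacklist":
        return (not listed) and in_window    # listed IPs refused; others in the windows
    raise ValueError(f"unknown mode {policy['mode']!r}")


if __name__ == "__main__":
    print(logon_allowed(POLICY, "10.1.2.3", "2024-06-12T10:30"))      # Wednesday, in window
    print(logon_allowed(POLICY, "198.51.100.9", "2024-06-12T10:30"))  # not listed
```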
Modify local user information
For RAM users, AD-authenticated users, LDAP-authenticated users, and IDaaS-authenticated users, update user information in the respective authentication source console, not in Bastionhost. After changing a user's mobile phone number or email address in the authentication source, update it in Bastionhost immediately. If the contact information is out of date, the user will not receive verification codes and cannot log on.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Click the username of the user whose information you want to modify.
On the Basic Info tab, update the information and click Update.
Lock a user
Lock a user to prevent them from logging on to Bastionhost. Use this when a user no longer needs access temporarily or when abnormal activity is detected.
Bastionhost automatically locks a user after five consecutive invalid password attempts. Administrators can configure the Account Lockout Threshold in the user settings. For more information, see Configure the parameters on the User Settings tab.
Manual locking takes effect immediately. The locked user cannot log on to perform O&M operations.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Select the users you want to lock and choose Batch > Locked below the user list. After the operation, the system displays The user is locked. and the user's status changes from Normal to Locked. You can still modify the locked user's information and update their asset authorization.
Unlock a user
Unlock a user to restore their ability to log on to Bastionhost.
Unlocking takes effect immediately.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Select the users you want to unlock and choose Batch > Unlock below the user list. After the operation, the system displays The user is unlocked. The user can log on again and perform O&M operations on authorized assets.
Add an SSH public key
Configure an SSH public key so that the user can log on to Bastionhost from an O&M client using their private key. For more information, see Perform SSH-based O&M.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Click the username of the user you want to configure. On the user details page, click the User Public Key tab, then click Add SSH Public Key.
In the Add SSH Public Key panel, enter the key name and content, then click Add SSH Public Key. The public key is hosted on Bastionhost and appears in the public key list.
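Before pasting key content into the panel, it is worth checking that it really is a single OpenSSH public-key line and not a private key or a mismatched body. The validator below is an added example, not Bastionhost's own code; the set of accepted key types is an assumption, and `constructed_key` only builds a syntactically valid line for testing, not a usable key.

```python
import base64
import struct

# Accepted key types are not listed on this page; this set is an assumption.
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _first_string(blob):
    """Return the first length-prefixed string of the OpenSSH wire format."""
    if len(blob) < 4:
        raise ValueError("truncated key body")
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length]


def parse_public_key(line):
    """Validate one OpenSSH public-key line and return (key type, comment)."""
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key; never paste it into a public-key field")
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 body> [comment]'")
    key_type, body = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:   # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    if _first_string(blob) != key_type.encode("ascii"):
        raise ValueError("key body does not match the declared key type")
    return key_type, comment


def is_valid_public_key(line):
    """True if parse_public_key accepts the line."""
    try:
        return bool(parse_public_key(line))
    except ValueError:
        return False


def constructed_key(key_type="ssh-ed25519", raw=bytes(32)):
    """Build a syntactically valid key line for this example (not a usable key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw)) + raw)
    return f"{key_type} {base64.b64encode(blob).decode()} ops@example"
```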
Export users
Export the user list as a CSV file to your local machine.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click Export Users in the upper-right corner.
Delete a user
Delete a user when they no longer need O&M access via Bastionhost.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
In the user list, select the user to delete and click Delete below the list.
Configure password reset at next logon
Enable or disable Users must reset the password at next logon. for local users after they are created.
Log on to the Bastionhost console and select the region where your instance is deployed.
In the instance list, find the target instance and click Manage.
In the left-side navigation pane, choose Users > Users.
Select the local users you want to configure and choose Batch > Change Configuration of Local Users Must Reset Passwords at Next Logons below the user list.
In the dialog box, select Enable or Disable from the drop-down list, then click OK.