
Elastic Desktop Service: Identity and access management

Last Updated: May 27, 2026

Identity and access management restricts Alibaba Cloud resource access to authorized users, preventing unauthorized operations and meeting audit requirements. Elastic Desktop Service (EDS) Enterprise provides the following IAM capabilities.

Account management

Use a RAM user as an administrator account

An Alibaba Cloud account has full access to all resources, creating security risks. Use a RAM user as an administrator to log on to the Elastic Desktop Service (EDS) Enterprise console and grant only the necessary permissions.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: RAM

  • Limitations: None

End user account lifecycle

Elastic Desktop Service (EDS) Enterprise administrators assign cloud resources such as cloud computers to end user accounts. To maintain security throughout the account lifecycle:

  • Promptly revoke cloud computer assignments from end user accounts.

  • Disable accounts as needed.

  • Promptly delete accounts that are no longer needed.

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations: None

How to configure or use

Revoke assignments

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Resources > Cloud Computers.

  3. In the top navigation bar, select a region.

  4. Find the cloud computer to assign and click More in the Actions column. Then, click View/Add User.

  5. In the View/Add User panel, click Add User.

  6. In the Add User dialog box, select one or more users and click OK.

Disable accounts

If you need to temporarily disable a convenience account, you can lock it.

  • For administrator-activated accounts, you can set an automatic lock date during creation or lock them manually at any time. For user-activated accounts, you can only lock them manually.

  • After 10 consecutive incorrect password attempts on a WUYING Terminal, the system automatically locks the account for 20 minutes. The account is automatically unlocked after this period.

To manually lock a convenience account, follow these steps:

  1. In the left-side navigation pane, choose User Center > User Management.

  2. On the User tab of the User Management page, perform one of the following operations:

    • Single account: Find the target convenience account and click Lock in the Actions column.

    • Multiple accounts: Select the target convenience accounts and click Lock at the bottom of the list.

      Note

      Batch operations are supported only for convenience accounts of the same activation type.

  3. In the dialog box that appears, click OK.

    Important

    End users cannot use a locked convenience account to log on to a WUYING Terminal. Proceed with caution.

Delete accounts

  1. In the left-side navigation pane, choose User Center > User Management.

  2. On the User tab of the User Management page, perform one of the following operations:

    • Single account: Find the target convenience account, click the ⋮ icon in the Actions column, and choose Delete.

    • Multiple accounts: Select the target convenience accounts and choose More > Delete at the bottom of the list.

      Note

      Batch operations are supported only for convenience accounts of the same activation type.

  3. In the dialog box that appears, click OK.

Password validity period

By default, convenience account passwords never expire. You can set a validity period of 30 to 365 days. When a password expires, the end user must change it to log on again.

  • Default state: Passwords do not expire

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

How to configure or use

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Users > User Management.

  3. On the User tab of the User Management page, find the target convenience account and click the icon in the Password Expiration in N Days column.

  4. In the panel that appears, enter a new password validity period and click OK.

Permission management

Administrator permissions with RAM

In Elastic Desktop Service (EDS) Enterprise, use Resource Access Management (RAM) for fine-grained permission control, allowing different RAM users to manage specific cloud computer resources.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: RAM

  • Limitations: None

Administrator permissions within EDS

When you log on to the Elastic Desktop Service (EDS) console with your Alibaba Cloud account, you have full permissions to access all features and manage all resources. For large organizations with complex structures and numerous cloud computers, relying on a single administrator can create an excessive workload and may violate internal permission isolation policies. To address this, you can create one or more sub-administrators to share management tasks. This approach typically involves the following requirements:

  • Feature-level permission isolation: For example, sub-administrator A can only create and manage users, but not cloud computers, while sub-administrator B can only view all data.

  • Data-level permission isolation: For example, sub-administrator C can only manage cloud computers for the R&D department, while sub-administrator D can only manage cloud computers for the design department.

The permission management module in Elastic Desktop Service (EDS) Enterprise addresses these requirements.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations: None

How to configure or use

Important

EDS Enterprise and WUYING Cloud Phone share the same hierarchical permission management module. Authorizations configured in one console apply to the corresponding features in both products.

  1. In the left-side navigation pane, choose Security Center > Administrator Permissions.

  2. On the Administrator Permissions page, click Create Administrator, configure the following parameters, and then click Create.

    • Associate with RAM User: Sub-administrators require a RAM user to log on to the console and perform management tasks. You can perform one of the following operations:

      • Select an existing RAM user under the current Alibaba Cloud account: Select Existing RAM Users and choose a user from the drop-down list.

      • Create a new RAM user: Select Create RAM User and click Confirm.

        Note

        The system sends the RAM user's username and initial password to the email address or mobile number you provide.

    • Nickname: Enter the display name for the sub-administrator.

    • Role: Select a built-in or a custom role for the sub-administrator. This determines the user's feature permissions.

    • Email: Enter the email address of the sub-administrator to receive notifications, such as RAM user logon credentials.

    • (Optional) Phone: Enter the mobile number of the sub-administrator to receive notifications, such as RAM user logon credentials.

  3. On the Administrator Permissions page, find the sub-administrator that you created, and click Actions in the Manage Authorization column.

  4. In the Manage Authorization panel, set the authorization scope for the sub-administrator and click OK. You can grant permissions by resource type and resource group. The sub-administrator's final authorization scope is the union of permissions granted by both methods.

    1. Resource Type: You can select Cloud Computer or User.

      Important

      If you select a resource type, the sub-administrator gains full management permissions for all existing and future resources of that type. For example, if you select Cloud Computer, the sub-administrator can manage all existing and future cloud computers under the current Alibaba Cloud account.

    2. Resource Group: In the Available Resource Group area, select the desired resource groups and click the icon to move them to the Authorized Resource Group area.

Identity authentication

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) adds a second verification factor when administrators log on to the console or end users log on to a terminal, protecting accounts and cloud resources beyond password authentication. MFA does not affect API calls made with an AccessKey pair.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations: None

  • References: Configure MFA

How to configure or use

MFA for Alibaba Cloud account

  1. Log on to the Alibaba Cloud console by using your Alibaba Cloud account.

  2. Hover over your profile picture in the upper-right corner and click Security Settings.

  3. On the Security Settings page, in the Account Protection section, click View.

    Note

    Multi-factor authentication (MFA) has been renamed to TOTP.

  4. On the Enable Account Protection page, select the scenarios where protection is needed, choose TOTP as the verification method, and click OK.

  5. On the Verify Identity page, select a method and follow the on-screen instructions to verify your identity.

  6. On the Install App page, click Next.

  7. On your mobile device, add a virtual MFA device.

    Note

    The following steps use Google Authenticator on iOS as an example.

    1. Open the Google Authenticator app.

    2. Tap Get Started and select a method to add a virtual MFA device.

      • Scan a QR code (recommended): Tap Scan a QR code and scan the QR code displayed on the Bind MFA page in the Alibaba Cloud console.

      • Enter a setup key: Tap Enter a setup key, enter the account and key, and then tap Add.

        Note

        On the Bind MFA page in the Alibaba Cloud console, hover over Failed to scan the QR code? to view the account and key.

  8. In the Alibaba Cloud console, enter the dynamic verification code from your mobile device and click Next to complete the binding.

    Note

    The authenticator app on your mobile device displays a dynamic verification code for your account, which refreshes every 30 seconds.

MFA for end users (Organization)

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose User Management > Logon.

  3. On the Security tab of the Logon page, set MFA to Enabled.

  4. In the confirmation dialog box, select an authentication method.

    1. TOTP

      Uses a TOTP-compliant app, such as Google Authenticator, for second-factor authentication.

    2. Email verification code

      This method is effective only for desktop clients V7.6 or later and mobile clients V7.3 or later. It applies to convenience accounts and AD accounts.

      Note

      If an email address is not configured for the account, the user cannot complete the verification.

MFA for end users (Office network)

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Network.

  3. In the top navigation bar, select a region.

  4. On the Office Networks page, click the Office Network ID of the target office network.

  5. In the More Information section at the bottom of the page, turn on the MFA switch and click OK in the confirmation dialog box.

    Note

    Ensure that Client Logon Verification and SSO are disabled.

Specify logon terminals

Each terminal is identified by a universally unique identifier (UUID), a trusted, tamper-proof, non-forgeable, globally unique identifier. Enable trusted device authentication to restrict each end user to specified terminals.

How to configure or use

  1. In the left-side navigation pane, choose User Center > User Management.

  2. On the User tab of the User Management page, find the target user, click the ⋮ icon in the Actions column, and choose View/Restrict Logon Terminals.

  3. On the View/Restrict Logon Terminals panel, click Add Terminal.

  4. In the Add Terminal dialog box, select the software clients (desktop and mobile) that you want to add as restricted logon terminals, and click OK.

    To remove a restricted logon terminal, find the target client, click Remove in the Actions column, and click OK in the confirmation dialog box.

Client logon verification

This feature is disabled by default. When enabled, users logging on to an Alibaba Cloud Workspace terminal from a new device must verify their identity with a code sent by email.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations:

    Note

    This takes effect only for convenience accounts that use a public network connection.

  • References: Client logon verification

How to configure or use

For an organization ID

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose User Management > Logon.

  3. On the Logon page, on the Security tab, turn on the Client Logon Verification switch.

  4. In the dialog box, confirm the information and click OK.

For an office network

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Network.

  3. In the top navigation bar, select a region.

  4. On the Office Network page, find the target office network and click the office network ID.

  5. In the More Information section at the bottom of the office network details page, turn on the Client Logon Verification switch.

    Note

    SSO settings, multi-factor authentication, and client logon verification are mutually exclusive. You can enable only one of these logon verification methods for an office network at a time. However, for an organization ID, these features are not mutually exclusive and can be enabled simultaneously.

  6. In the dialog box, confirm the information and click OK.

Access control

Terminal access control

Cloud computer policies manage terminal access through logon method control and IP address whitelists. Configure these policies to restrict end users to specified terminal types and IP ranges.

  • The Logon Method Control rule restricts which types of Alibaba Cloud Workspace clients end users can use to connect to their cloud computers.

    Example: To enhance enterprise information security, an administrator sets the rule to allow connections only from the Windows client and the macOS client.

  • The CIDR Block Whitelist rule restricts the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers.

    Example: To bolster security, an administrator adds the office network's IP address range to an allowlist. This ensures that employees can connect to their cloud computers only from the office, blocking access from other locations.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations: None

How to configure or use

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

    Parameters:

    • Logon method control: Restricts the types of Alibaba Cloud Workspace clients that end users can use. The options include:

      • Windows client

      • macOS client

      • iOS client

      • Android client

      • Web client

      By default, all options are selected. You can deselect client types as needed.

    • CIDR block allowlist: Specifies the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers. Click Add CIDR Block. In the Add CIDR Block dialog box, enter an allowed Source CIDR Block and then click OK. The IP address range must be a CIDR block, for example, 192.0.XX.XX/32 or 10.0.XX.XX/8.
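The two policy rules above (logon method control and the CIDR block allowlist) are decided per connection attempt. As an added example, not EDS code, the following evaluates sample attempts against a constructed policy; the rule order, the meaning of an empty allowlist, and the review threshold in `broad_blocks` are assumptions:

```python
"""Evaluate the terminal access control rules described above against sample
connection attempts. Added illustration, not EDS code; rule order, the meaning
of an empty allowlist and the review threshold are assumptions."""
import ipaddress
from typing import Iterable, List, Tuple

# The five client types the policy page lists; all are selected by default.
ALL_CLIENTS = frozenset({"Windows", "macOS", "iOS", "Android", "Web"})


class TerminalAccessPolicy:
    def __init__(self, allowed_clients: Iterable[str] = ALL_CLIENTS,
                 cidr_allowlist: Iterable[str] = ()):
        self.allowed_clients = frozenset(allowed_clients)
        unknown = self.allowed_clients - ALL_CLIENTS
        if unknown:
            raise ValueError(f"unknown client types: {sorted(unknown)}")
        # strict=True rejects blocks with host bits set (e.g. 10.1.2.3/8), which
        # would otherwise be widened silently to the whole /8.
        self.networks = [ipaddress.ip_network(c, strict=True) for c in cidr_allowlist]

    def evaluate(self, client_type: str, source_ip: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Assumption: with no CIDR blocks configured
        the CIDR rule is not applied and any source address is accepted."""
        if client_type not in self.allowed_clients:
            return False, f"{client_type} client blocked by logon method control"
        ip = ipaddress.ip_address(source_ip)  # raises ValueError on malformed input
        if self.networks and not any(ip in net for net in self.networks):
            return False, f"{source_ip} is outside the CIDR block allowlist"
        return True, "allowed"

    def broad_blocks(self, max_hosts: int = 65536) -> List[str]:
        """Hygiene check: allowlist entries covering more than max_hosts
        addresses, the kind of entry worth a second look during review."""
        return [str(n) for n in self.networks if n.num_addresses > max_hosts]


# Constructed sample policy: desktop clients only, two documentation-range
# blocks plus a whole private /8 (the shape of the page's second example).
OFFICE_POLICY = TerminalAccessPolicy(
    allowed_clients={"Windows", "macOS"},
    cidr_allowlist=["203.0.113.0/24", "198.51.100.7/32", "10.0.0.0/8"],
)

if __name__ == "__main__":
    for client, ip in [("Windows", "203.0.113.42"), ("Web", "203.0.113.42"),
                       ("macOS", "192.0.2.10"), ("Windows", "10.20.30.40")]:
        print(client, ip, OFFICE_POLICY.evaluate(client, ip))
    print("blocks to review:", OFFICE_POLICY.broad_blocks())
```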

Timeout-triggered automatic logout

When enabled, if an end user is logged on to a specified type of WUYING terminal but not connected to any cloud resources (cloud computers, cloud apps, cloud phones, or enterprise drives), the terminal automatically logs out after the specified timeout. This protects cloud resource data.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependencies: None

  • Limitations: None

How to configure or use

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose User Management > Logon.

  3. On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.

  4. In the Modify Logon Configurations panel, complete the following configurations and click OK.

    Parameters:

    • Timeout-triggered automatic logout: You can enable or disable this feature.

    • Timeout period: The duration for which an end user is not connected to any cloud resources on the Alibaba Cloud Workspace terminal. This option is visible only when Timeout-triggered Automatic Logout is enabled.

    • Applicable terminals: The Alibaba Cloud Workspace terminals to which this feature applies.

      Note

      If you select Alibaba Cloud Workspace Hardware Terminal, note that this feature only takes effect on hardware terminals of V7.5 and later. If the hardware terminal is configured for password-free logon, timeout-triggered automatic logout does not take effect.

    Note

    • After you configure timeout-triggered automatic logout for the client, the setting takes effect the next time the end user logs on.

    • Before the timeout period is reached, the end user receives a reminder. The user can choose to stop the process. If the user takes no action, the client automatically logs out.