After an administrator creates a user in the Bastionhost console, an O&M engineer can use the account to log on to the bastion host and access authorized hosts or database assets.
User types
A bastion host allows you to import RAM users, create local users, or import AD/LDAP and IDaaS users. These users can then act as O&M engineers.
IDaaS users cannot use password-based authentication to log on to a bastion host from a client tool to perform asset O&M. They can use O&M token-based authentication with a client tool, or log on through the O&M portal. For more information, see O&M manual.
| User type | Description |
| RAM user | After you create a RAM user in the Resource Access Management (RAM) console, you can import the user into the Bastionhost console with a single click. |
| Local user | You can create local users one by one or import them in batches from a file. |
| AD/LDAP user | You can configure AD or LDAP authentication on the bastion host and then synchronize AD or LDAP users. Note: Before you import AD or LDAP users, ensure that you have configured AD or LDAP authentication. For more information, see Configure AD or LDAP authentication. |
| IDaaS user | You can configure IDaaS authentication on the bastion host and synchronize IDaaS users to the bastion host. Only Enterprise Edition and SM Edition instances support IDaaS users. If your bastion host is a Basic Edition instance, upgrade it to a supported edition. For more information, see Upgrade instance type. Note: Before you import IDaaS users, ensure that you have configured IDaaS authentication. For more information, see Manage IDaaS authentication. |
User list
After creating users, refer to the following table for a description of the columns in the user list.
| Parameter | Description |
| Logon Name | The username for logging on to the bastion host. |
| Authentication Source | The user type. For example, for a local user, Local Authentication is displayed. |
| Two-factor Authentication Methods | When logging on to the bastion host, users must first authenticate with their password and then provide a dynamic code for secondary authentication. This code is sent by text message, email, or DingTalk notification to help reduce security risks. |
| OTP App | Indicates whether the user has bound an OTP token. For instructions, see Create users. Note: This does not apply to RAM users and IDaaS users. |
| Status | The current status of the user. For more information about user status configuration, see User configuration. |
| Actions | Authorization operations that an administrator can perform for a user. For more information, see Authorize users to manage assets and asset accounts or Authorize users to manage asset groups. |
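The OTP App column above indicates a token bound with a standard TOTP app, as described under Create users. The following Python block is an added example, not Bastionhost's own code: it shows the RFC 6238 mechanics behind such a token, namely the otpauth URI that a bind QR code carries, code generation, and a verification that tolerates one step of clock drift. The issuer name, 6 digits, 30-second step and the one-step window are assumptions; the page does not state Bastionhost's parameters.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed seed: the RFC 6238 Appendix B test seed, not a real user secret.
RFC_SEED = b"12345678901234567890"


def provisioning_uri(secret: bytes, account: str, issuer: str = "Bastionhost") -> str:
    """otpauth URI that a standard TOTP app reads from the bind QR code.
    Issuer name, digit count and period are assumptions for this example."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(time / step)) truncated to `digits`."""
    counter = struct.pack(">Q", unix_time // step)      # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    comparing in constant time so the check leaks nothing about the digits."""
    if not (code.isdigit() and len(code) == 6):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(RFC_SEED, "alice"))
    print(totp(RFC_SEED, 59))                          # 287082 (RFC vector 94287082, last 6 digits)
    print(verify_totp(RFC_SEED, "287082", 59 + 30))    # True: one step late, inside the window
```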
Create users
You can create user accounts for O&M engineers to log on to the bastion host based on your business needs.
Import RAM users
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- On the Users page, click Import RAM Users.
- Optional: If you have not created any RAM users, click Create RAM User on the Import RAM Users page and follow the prompts to create a RAM user. For more information, see Create a RAM user.
- On the Import RAM Users page, find the RAM user that you want to import and click Import in the Actions column. To import multiple RAM users at once, select the users and click Import.
  Note: To set up two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Bind an MFA device to an Alibaba Cloud account.
Create local users
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- On the Users page, create a single user or import multiple users from a file by following the instructions below.

  Create a single local user
  - Choose Import Other Users > Create User.
  - In the Create User panel, configure the user information and click Create.
    When you configure user information, you must set Authentication Method to Local Authentication. In addition to basic information, you can configure the following options.
    - Enable Users must reset the password at next logon.: If enabled, this option forces the user to change their password upon their next logon. This feature is available only for local users.
    - Set Validity Period: After the validity period is set, the user's status in the Status column changes to Expired once the validity period ends, and they can no longer log on to the bastion host for O&M operations.
    - Configure Two-factor Authentication Methods: When enabled, the user must provide a dynamic verification code sent via text message, email, or DingTalk notification for secondary authentication after authenticating with their password. This reduces security risks.
      Note:
      - After you enable two-factor authentication, the user must use a mobile number or email address to receive a verification code for authentication during logon. Ensure that the mobile number or email address is correct. For a list of countries and regions that support two-factor authentication via text message, see Countries and regions that support two-factor authentication by text message.
      - The mobile number and email address you provide are used only for receiving verification codes or alert notifications and not for any other purposes.
      The Two-factor Authentication Methods setting includes the following configuration types:
      - Select For All Users to apply the global two-factor authentication method configured in System Settings. For more information, see Enable two-factor authentication.
      - Select For Single User to configure a separate two-factor authentication method for the current user. Bastionhost supports the following methods:
        - Disable: Disables the two-factor authentication feature.
        - Text Message: Sends a verification code by text message for secondary authentication. You must set a mobile number for the user.
        - Email: Sends a verification code by email for secondary authentication. You must set an email address for the user.
        - DingTalk: Uses DingTalk for secondary authentication. You must set a mobile number for the user.
          Note: To enable DingTalk authentication, ensure that the following requirements are met:
          - A mobile phone number is associated with the user account that is used for O&M. For more information about how to add a mobile phone number for a user, see Modify the basic information of a local user.
          - The DingTalk administrator has created an internal enterprise application and granted it the API Access Permission To Get Member Information By Phone Number And Name.
          - You have obtained the AppKey, AppSecret, and AgentId of the internal enterprise application.
        - OTP App: Uses the user's OTP token for authentication. The user must first bind an OTP token.
          Note: To use this method, first download a standard TOTP authentication application, such as the Alibaba Cloud app. Then, log on to the Bastionhost O&M portal using a public endpoint. In the left-side navigation pane, click Security Settings. On the Enable OTP tab, click Bind OTP App and scan the QR code to bind the OTP token. For more information about obtaining the O&M address of a bastion host, see Bastionhost console overview.
        - SM-based USB Key: Uses an SM-based USB key for logon authentication. The user must first bind a USB key certificate. For more information, see Bind a USB key certificate.
          Note:
          - Only SM Edition instances support logon authentication using an SM-based USB key. If your bastion host is not an SM Edition instance, upgrade it. For more information, see Upgrade instance type.
          - CS-based O&M does not support two-factor authentication with an SM-based USB key.
    - Configure Two-factor Notification Sending Language:
      - Select For All Users to use the language configured in System Settings for two-factor authentication notifications. For more information, see Enable two-factor authentication.
      - Select For Single User to send two-factor authentication notifications in Simplified Chinese or English.

  Import multiple users from a file
  - Choose Import Other Users > Import Users from File.
  - Click Download User Template to download the template file to your computer. Enter the user information in the template file and save it.
  - In the Import Local Users panel, click Upload to upload the user template file.
  - In the Preview dialog box, select the users to import and click Import.
  - In the Import Local Users panel, confirm the user information and click Import Local Users.
    Select Users must reset the password at next logon. to require all imported users to reset their passwords at their next logon.
    Note: If a user's username in the import file already exists in the system or is duplicated within the file, that user will not be imported. You can click Details in the Import Local Users panel to view the users that were not imported.
- Optional: To have the bastion host send notifications with the O&M address to users, you must set a mobile number or email address (at least one) for the local users and select Send O&M Addresses to User.
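Before uploading a user template, an administrator can apply the two rules stated above (a username that already exists or is duplicated within the file is not imported; Send O&M Addresses to User needs a mobile number or email address) to the file offline. This Python block is an added example, not the console's import logic; the column names `username`, `mobile` and `email`, the existing-user set and the sample rows are all constructed for the example, and the real template from Download User Template may use different columns.

```python
import csv
import io
from collections import Counter

# Constructed: usernames already present on the bastion host.
EXISTING_USERS = {"alice", "bob"}

# Constructed import file. Column names are an assumption; use the real
# template obtained with Download User Template.
SAMPLE_FILE = """username,mobile,email
carol,+8613800000000,carol@example.com
dave,,
alice,,alice@example.com
erin,,erin@example.com
erin,+8613900000000,
"""


def check_import_file(text: str, existing: set[str]) -> dict:
    """Classify each row the way the import note describes: a username that
    already exists, or that appears more than once in the file, is skipped.
    Importable rows with neither mobile nor email are flagged, because
    Send O&M Addresses to User needs at least one of them."""
    rows = list(csv.DictReader(io.StringIO(text)))
    seen = Counter(r["username"].strip() for r in rows)
    report = {"importable": [], "skipped": [], "no_contact": []}
    for r in rows:
        name = r["username"].strip()
        if name in existing:
            report["skipped"].append((name, "already exists in the system"))
        elif seen[name] > 1:
            # Every copy of a duplicated name is skipped (assumption for this example).
            report["skipped"].append((name, "duplicated within the file"))
        else:
            report["importable"].append(name)
            if not ((r.get("mobile") or "").strip() or (r.get("email") or "").strip()):
                report["no_contact"].append(name)
    return report


if __name__ == "__main__":
    for key, items in check_import_file(SAMPLE_FILE, EXISTING_USERS).items():
        print(f"{key}: {items}")
```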
Import AD/LDAP users
Before you import AD or LDAP users, make sure that you have configured AD or LDAP authentication. For more information, see Configure AD or LDAP authentication.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- Choose Import Other Users > Import AD Users or Import LDAP Users.
- On the Import AD Users or Import LDAP Users page, find the target user and click Import in the Actions column. You can also select and import multiple users at once.
Import IDaaS users
Before you import IDaaS users, make sure that you have configured IDaaS authentication. For more information, see Manage IDaaS authentication.
IDaaS users cannot use password-based authentication to log on to a bastion host from a client tool to perform asset O&M. They can use O&M token-based authentication with a client tool, or log on through the O&M portal. For more information, see O&M manual.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- Choose Import Other Users > Import IDaaS User.
- On the Import IDaaS User page, find the target user and click Import in the Actions column. You can also select and import multiple users at once. If no IDaaS users are displayed, click Synchronize.
User logon restrictions
You can set source IP and time-based restrictions for user logons based on your business requirements.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- In the user list, click the username of the user for whom you want to set restrictions.
- On the User Logon Restrictions tab, set the source IP and time restrictions for user logons, and then click Update.
  - (Whitelist) Only Listed IP Addresses Are Allowed: Allows logons only from IP addresses in the whitelist within the specified time periods.
  - (Blacklist) Listed IP Addresses Are Not Allowed: Blocks logons from IP addresses in the blacklist. Source IP addresses not in the blacklist can be used to log on only within the specified time periods.
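The two modes above combine an address list with time periods in different ways: a whitelist admits only listed addresses, and only inside the periods; a blacklist refuses listed addresses outright and limits everyone else to the periods. The Python block below is an added example that models that decision so an administrator can reason about a planned restriction before applying it; it is not Bastionhost's evaluation code. It assumes time periods are daily time-of-day windows (including ones that cross midnight) and that an empty period list means no time restriction; the sample addresses and windows are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class LogonRestriction:
    """Model of the User Logon Restrictions tab: an address-list mode plus the
    time periods during which logon is permitted (assumed to be daily windows)."""
    mode: str                                   # "whitelist" or "blacklist"
    addresses: list[str]                        # single IPs or CIDR blocks
    periods: list[tuple[time, time]] = field(default_factory=list)

    def _listed(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in self.addresses)

    def _in_period(self, at: datetime) -> bool:
        if not self.periods:                    # assumption: no periods means any time
            return True
        t = at.time()
        for start, end in self.periods:
            if start <= end:                    # same-day window, e.g. 09:00-18:00
                if start <= t <= end:
                    return True
            elif t >= start or t <= end:        # window crossing midnight, e.g. 22:00-06:00
                return True
        return False

    def allows(self, src_ip: str, at: datetime) -> bool:
        listed = self._listed(src_ip)
        if self.mode == "whitelist":            # only listed addresses, only inside the periods
            return listed and self._in_period(at)
        if self.mode == "blacklist":            # listed addresses always refused; others limited to periods
            return (not listed) and self._in_period(at)
        raise ValueError(f"unknown mode: {self.mode}")


def allows_at(policy: LogonRestriction, src_ip: str, iso_time: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return policy.allows(src_ip, datetime.fromisoformat(iso_time))


# Constructed sample policies: an office range plus one jump host, and a night shift.
OFFICE = LogonRestriction("whitelist", ["10.0.0.0/24", "203.0.113.7"], [(time(9, 0), time(18, 0))])
DENY_OFFICE = LogonRestriction("blacklist", ["10.0.0.0/24"], [(time(9, 0), time(18, 0))])
NIGHT = LogonRestriction("whitelist", ["203.0.113.7"], [(time(22, 0), time(6, 0))])
```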
Export users
After exporting the users, you can view the user list in the downloaded CSV file.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- On the Users page, click Export Users in the upper-right corner of the user list.
Modify local user information
To modify the basic information of an AD/LDAP user, RAM user, or IDaaS user, go to the corresponding authentication source.
If a user's information, such as their mobile number or email address, changes, you must update it in the console promptly. Otherwise, the user may not receive verification information, which can prevent them from logging on to the console. For example, if a user changes their mobile number but does not update it on the bastion host, verification codes are sent to the old number, and the user will be unable to log on.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- Find the user whose information you want to modify and click their username.
- On the user's Basic Info tab, modify the user information and click Update.
Lock or unlock a user
If a user temporarily does not require O&M access, an administrator can lock their account manually or configure automatic locking. When a locked user needs to perform O&M operations again, an administrator can unlock the account.
Automatically lock a user
By default, the bastion host automatically locks a user's account after more than five consecutive incorrect password attempts. You can manually set the Account Lockout Threshold. For more information, see user configuration.
Manually lock or unlock a user
The manual lock or unlock operation takes effect immediately. A locked user cannot log on to the bastion host to perform O&M operations. Proceed with caution.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- On the Users page, select the user or users you want to lock or unlock. At the bottom of the user list, choose or .
  - Locked: After you lock a user, the message The user is locked. is displayed, and the Status of the user changes from Normal to Locked. Even when a user account is locked, an administrator can still modify its basic information and grant host and asset group permissions.
  - Unlock: After you unlock a user, the message The user is unlocked. is displayed. The user can then log on to the bastion host and perform O&M operations on authorized hosts normally.
Manage user public keys
If you need the bastion host to manage a user's public key, you can configure the public key and host it on the bastion host. The O&M engineer can then use the corresponding private key to log on to the bastion host from a client tool. For more information about the O&M process, see Perform SSH-based O&M.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- In the user list, click the username of the user for whom you want to configure a public key. On the user details page, click the User Public Key tab, and then click Add SSH Public Key.
- In the Add SSH Public Key panel, enter a name and the content for the public key, and then click Add SSH Public Key.
  After the configuration is complete, you can view and export the hosted user public keys in the user public key list.
Delete a user
If an O&M engineer no longer needs to use the bastion host to manage hosts, you can delete the corresponding user to reduce security risks.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- In the user list, select the user or users that you want to delete and click Delete at the bottom of the list.
Modify password reset at next logon
To enable or disable the Users must reset the password at next logon. setting for a local user after creation, follow these steps.
- Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
- In the list of Bastionhost instances, find the target instance and click Manage.
- In the navigation pane on the left, choose .
- In the user list, select the target user or users. At the bottom of the list, choose .
- In the dialog box that appears, select Enable or Disable from the drop-down list as needed, and then click OK.