Bootstrap Administrators
Bootstrap administrators are created automatically when RAMP starts for the first time. This ensures you have immediate administrator access without needing to manually create users in the database.
Features
Section titled “Features”- Auto-created on first startup
- Supports all authentication providers (RAMP, OIDC, LDAP, Windows, ADFS)
- Automatically assigned Administrator role
- Multiple admins supported
- Safe re-runs (won’t duplicate existing users)
When to Use Bootstrap Admins
Section titled “When to Use Bootstrap Admins”Use Bootstrap Admins For:
Section titled “Use Bootstrap Admins For:”- Initial RAMP deployment
- Disaster recovery scenarios
- Automated deployments (Docker, Kubernetes)
- Development/testing environments
- Ensuring admin access after database restore
Don’t Use Bootstrap Admins For:
Section titled “Don’t Use Bootstrap Admins For:”- Adding users after initial setup (use web UI instead)
- Production password management (change after first login)
- Long-term credential storage (rotate immediately)
Quick Start — RAMP Native Auth
Section titled “Quick Start — RAMP Native Auth”Edit appsettings.json
Section titled “Edit appsettings.json”{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "admin", "Email": "admin@yourcompany.com", "Password": "Passw0rd" } ] }}Start RAMP
Section titled “Start RAMP”cd src/RAMP.APIdotnet runCheck Logs
Section titled “Check Logs”Look for bootstrap confirmation:
[INFO] Checking bootstrap administrators...[INFO] Bootstrap administrator created: admin[INFO] Assigned Administrator role to: adminFirst Login
Section titled “First Login”- Navigate to RAMP login page
- Username:
admin - Password:
Passw0rd - Immediately change password after first login
Configuration by Authentication Provider
Section titled “Configuration by Authentication Provider”{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "admin", "Email": "admin@yourcompany.com", "Password": "SecurePassword123!" } ] }}Requirements:
- Password must meet complexity requirements:
- Minimum 8 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 digit
- At least 1 special character
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "OIDC", "Username": "john.doe@yourcompany.com", "Email": "john.doe@yourcompany.com" } ] }}How it works:
- User specified in bootstrap config
- When user first logs in via OIDC
- RAMP auto-provisions user account
- Administrator role is automatically assigned
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "LDAP", "Username": "jdoe", "Email": "jdoe@contoso.com" } ] }}{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "Windows", "Username": "CONTOSO\\jdoe", "Email": "jdoe@contoso.com" } ] }}{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "ADFS", "Username": "john.doe@contoso.com", "Email": "john.doe@contoso.com" } ] }}Multiple Bootstrap Administrators
Section titled “Multiple Bootstrap Administrators”You can configure multiple administrators across different identity providers:
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "localadmin", "Email": "localadmin@yourcompany.com", "Password": "LocalAdmin@123" }, { "IdentityProvider": "OIDC", "Username": "john.doe@yourcompany.com", "Email": "john.doe@yourcompany.com" }, { "IdentityProvider": "LDAP", "Username": "jsmith", "Email": "jsmith@contoso.com" } ] }}Use Case:
- Local admin for emergency access
- OIDC/LDAP admins for regular use
- Multiple team members as admins
Secure Configuration
Section titled “Secure Configuration”Store passwords securely during development:
cd src/RAMP.API
# Store bootstrap passworddotnet user-secrets set "Bootstrap:Administrators:0:Password" "DevAdmin@123"Or use appsettings.Development.json:
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "devadmin", "Email": "devadmin@localhost", "Password": "DevAdmin@123" } ] }}# Linux/Macexport Bootstrap__Administrators__0__Username="admin"export Bootstrap__Administrators__0__Email="admin@yourcompany.com"export Bootstrap__Administrators__0__Password="ProductionAdmin@123"export Bootstrap__Administrators__0__IdentityProvider="RAMP"
# Windowsset Bootstrap__Administrators__0__Username=adminset Bootstrap__Administrators__0__Email=admin@yourcompany.comset Bootstrap__Administrators__0__Password=ProductionAdmin@123set Bootstrap__Administrators__0__IdentityProvider=RAMP{ "AzureKeyVault": { "Enabled": true, "VaultUri": "https://your-ramp-vault.vault.azure.net/" }}Store secrets:
Bootstrap--Administrators--0--PasswordBootstrap--Administrators--0--UsernameBootstrap--Administrators--0--Email
Docker Deployment
Section titled “Docker Deployment”docker-compose.yml
Section titled “docker-compose.yml”version: '3.8'services: ramp-api: image: ramp-api:latest environment: - Bootstrap__Administrators__0__IdentityProvider=RAMP - Bootstrap__Administrators__0__Username=admin - Bootstrap__Administrators__0__Email=admin@yourcompany.com - Bootstrap__Administrators__0__Password=${RAMP_ADMIN_PASSWORD} ports: - "5165:8080".env file
Section titled “.env file”RAMP_ADMIN_PASSWORD=SecureAdminPassword123!docker-compose up -dKubernetes Deployment
Section titled “Kubernetes Deployment”secret.yaml
Section titled “secret.yaml”apiVersion: v1kind: Secretmetadata: name: ramp-bootstrap-secrettype: OpaquestringData: admin-password: "SecureAdminPassword123!"deployment.yaml
Section titled “deployment.yaml”apiVersion: apps/v1kind: Deploymentmetadata: name: ramp-apispec: template: spec: containers: - name: ramp-api image: ramp-api:latest env: - name: Bootstrap__Administrators__0__IdentityProvider value: "RAMP" - name: Bootstrap__Administrators__0__Username value: "admin" - name: Bootstrap__Administrators__0__Email value: "admin@yourcompany.com" - name: Bootstrap__Administrators__0__Password valueFrom: secretKeyRef: name: ramp-bootstrap-secret key: admin-passwordHow Bootstrap Works
Section titled “How Bootstrap Works”Startup Process
Section titled “Startup Process”- RAMP API starts
- Reads
Bootstrap:Administratorsconfiguration - For each administrator:
- Checks if user already exists (by username)
- If user doesn’t exist:
- Creates new user account
- Sets identity provider
- For RAMP users: hashes and stores password
- Assigns Administrator role
- If user exists:
- Skips creation (no duplicate)
- Ensures Administrator role is assigned
- Logs results
Re-run Safety
Section titled “Re-run Safety”Bootstrap is safe to run multiple times:
- Existing users are not modified
- No duplicate users created
- Administrator role is ensured
- Passwords are NOT updated on re-run
Troubleshooting
Section titled “Troubleshooting”Bootstrap admin not created
Section titled “Bootstrap admin not created”Check 1: Verify configuration syntax
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "admin", "Email": "admin@example.com", "Password": "Passw0rd" } ] }}Check 2: Check application logs for bootstrap messages
Check 3: Verify password requirements (RAMP users only)
- Minimum 8 characters
- Uppercase + lowercase + digit + special character
Cannot log in with bootstrap admin
Section titled “Cannot log in with bootstrap admin”Check 1: Verify username/password — usernames are case-sensitive, no extra spaces
Check 2: Check database
SELECT * FROM Users WHERE Username = 'admin';Check 3: Verify role assignment
SELECT u.Username, ur.RoleIdFROM Users uJOIN UserRoles ur ON u.Id = ur.UserIdWHERE u.Username = 'admin';Password doesn’t meet requirements
Section titled “Password doesn’t meet requirements”Error: “Password must have at least one uppercase letter”
Ensure password contains:
- Uppercase: A-Z
- Lowercase: a-z
- Digit: 0-9
- Special:
!@#$%^&*() - Length: 8+ characters
Example valid passwords:
Passw0rdSecurePassword1!Bootstrap#2024
Security Best Practices
Section titled “Security Best Practices”1. Change Default Password Immediately
Section titled “1. Change Default Password Immediately”- Log in with bootstrap credentials
- Navigate to Settings -> Change Password
- Set a strong, unique password
- Store securely (password manager)
2. Remove Bootstrap Config After Initial Setup
Section titled “2. Remove Bootstrap Config After Initial Setup”{ "Bootstrap": { "Administrators": [] }}Or delete the entire Bootstrap section after first deployment.
3. Use Strong Passwords
Section titled “3. Use Strong Passwords”- Minimum 12 characters (not just 8)
- Mix of character types
- Avoid common words/patterns
- Use password generator
4. Secure Credential Storage
Section titled “4. Secure Credential Storage”- Never commit passwords to source control
- Use environment variables or secrets management
- Rotate credentials after initial setup
5. Limit Bootstrap Admins
Section titled “5. Limit Bootstrap Admins”- Create only the minimum number needed
- Prefer external IdP accounts over RAMP native
- Use individual accounts (not shared)
6. Audit Bootstrap Actions
Section titled “6. Audit Bootstrap Actions”Check audit logs after deployment:
SELECT * FROM AuditLogsWHERE Action LIKE '%Bootstrap%'ORDER BY Timestamp DESC;Common Scenarios
Section titled “Common Scenarios”Scenario 1: Initial Deployment
Section titled “Scenario 1: Initial Deployment”{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "admin", "Email": "admin@yourcompany.com", "Password": "ChangeMe@123" } ] }}After deployment:
- Log in as admin
- Change password
- Create individual user accounts
- Remove bootstrap config
Scenario 2: OIDC + Emergency Access
Section titled “Scenario 2: OIDC + Emergency Access”{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "OIDC", "Username": "john.doe@yourcompany.com", "Email": "john.doe@yourcompany.com" }, { "IdentityProvider": "RAMP", "Username": "emergency", "Email": "emergency@yourcompany.com", "Password": "EmergencyAccess@123" } ] }}Use case: Primary access via OIDC, local admin for IdP outages.
Scenario 3: Multi-Environment
Section titled “Scenario 3: Multi-Environment”appsettings.Development.json:
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "RAMP", "Username": "devadmin", "Email": "devadmin@localhost", "Password": "DevAdmin@123" } ] }}appsettings.Production.json:
{ "Bootstrap": { "Administrators": [ { "IdentityProvider": "OIDC", "Username": "admin@yourcompany.com", "Email": "admin@yourcompany.com" } ] }}Frequently Asked Questions
Section titled “Frequently Asked Questions”Can I add users after initial setup?
Section titled “Can I add users after initial setup?”Yes, but use the web UI (Admin -> Users) instead of bootstrap config. Bootstrap is only for initial setup.
What if I forget the bootstrap password?
Section titled “What if I forget the bootstrap password?”Reset it in configuration and restart RAMP. Existing password will NOT be updated automatically — you’ll need to reset via database.
Can I remove bootstrap admins later?
Section titled “Can I remove bootstrap admins later?”Yes. Bootstrap-created users are regular users. Delete via Admin -> Users in the web UI.
Do bootstrap admins count toward license limits?
Section titled “Do bootstrap admins count toward license limits?”Yes. Bootstrap admins are regular user accounts and count toward any license limits (if applicable).
Next Steps
Section titled “Next Steps”- RAMP Native Authentication — Configure username/password login
- MFA Setup — Enable multi-factor authentication
- Authentication Overview — Compare all authentication providers
Related topics
Section titled “Related topics” Authentication Overview Compare all authentication methods and choose the right one
Application Settings Reference Complete reference for RAMP's appsettings.json configuration
Roles Configure and manage application roles and permissions