
Resource Access Management: Manage RAM user login settings

Last Updated: Mar 27, 2026

This topic describes how to manage console login settings for a RAM user. You can configure settings such as console access, login passwords, and multi-factor authentication (MFA) to meet various security and compliance requirements.

Overview

The console login settings for a RAM user determine the method and security level for accessing the Alibaba Cloud console. These settings affect only the console login behavior of RAM users and do not affect programmatic access that uses AccessKeys.

| Parameter | Description |
| --- | --- |
| Console Access | Controls whether a RAM user can log on to the Alibaba Cloud console. |
| Set Logon Password | Sets or resets the console login password for a RAM user. |
| Password Reset | Requires a user to change their password upon their next login. |
| Enable MFA | Requires a user to use multi-factor authentication to log on. |

Note

If single sign-on (SSO) is enabled for RAM users, the login settings described above, such as console access and MFA requirements, do not apply.

Enable console login

By default, console login is disabled when you create a RAM user. Before a RAM user can log on to the Alibaba Cloud console with a password, you must enable console login and set a password. You can perform this action in the console or by using the OpenAPI.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the user list, click the name of the target RAM user.

  4. On the Authentication tab, in the Login Profile section, click Enable Console Logon.

  5. In the Enable Console Logon dialog, configure the following parameters:

    • Console Access: Click Enabled to enable console login for the RAM user.

    • Set Logon Password: Select Automatically Regenerate Default Password or Reset Custom Password.

    • Password Reset: Choose whether the user must reset their password upon their next login. When you set an initial password, we recommend that you select Required at Next Logon to avoid sharing the password between the administrator and the user.

    • Enable MFA: Specify whether to require the RAM user to enable multi-factor authentication. If you select Required, the user must bind an MFA device upon their next login. We recommend that you keep the default selection and require MFA.

  6. Click OK.

API

Permissions required: ram:CreateLoginProfile

Call the CreateLoginProfile operation to enable console login for a specific RAM user and set an initial password for them.

View console logon settings of a RAM user

Administrators can view a RAM user's login configuration, including whether console access is enabled, password status, and MFA settings.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the user list, click the name of the target RAM user.

  4. On the Authentication tab, in the Login Profile section, view the status of the following login settings:

    • Console Access: Shows whether console access is enabled. The status can be:

      • Unset. Console access has not been enabled.

      • Inactive. An administrator has disabled console access.

      • Active. An administrator has enabled console access.

    • Last Logined Time: The last time the user successfully logged on to the console. You can use this information to audit idle accounts.

    • Enable MFA: Indicates whether the user is required to complete multi-factor authentication when they log on to the console.

      Note

      Multiple factors determine whether a user must use MFA, evaluated in the following order of precedence:

      • The global MFA policy in RAM is set to Enforce MFA for all users (default). For more information about the settings, see MFA settings.

      • The login settings for the individual RAM user require MFA.

      • The user has already bound an MFA device, such as a security phone or virtual MFA device.

      If none of these conditions are met, Alibaba Cloud still prompts the user to bind an MFA device at each login, but binding is optional.

    • Reset Password at Next Logon: Indicates whether the user is required to reset their password upon their next login.

    • Password: Displays the user's current password status. For more information, see What are initial passwords and their validity period?

      • Initial Password Available. The user's current password is an initial password and has not expired. In this case, the user can log on to the console with the initial password.

      • Initial Password Expired. The user's current password is an initial password and has expired. In this case, the user cannot log on to the console with the initial password.

      • Not Initial Password. The user's current password is not an initial password. It is subject only to the password validity period, not the initial password validity period.

    • Console Sign-in: After console access is enabled, you can copy the dedicated logon link for the RAM user from here.

API

Permissions required: ram:GetLoginProfile

Call the GetLoginProfile operation to view the console login settings of a RAM user.

Modify console logon settings for a RAM user

After you enable console login, a RAM administrator can modify the login settings as needed, such as disabling console access or resetting the login password.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the user list, click the name of the target RAM user.

  4. On the Authentication tab, in the Login Profile section, click Modify Logon Settings.

  5. In the Modify Logon Settings dialog box, modify the console login parameters.

    • Console Access: Click Disabled to disable console login for the RAM user.

      Important
      • If you disable console access, the RAM user and any RAM roles currently assumed by that user are forcibly logged out.

      • Disabling console login also prevents the user from logging on by using a passkey.

    • For descriptions of the other settings, see Enable console login.

  6. Click OK.

API

Permissions required: ram:UpdateLoginProfile

Call the UpdateLoginProfile operation to modify the console login settings of a user.

Clear console logon settings for a RAM user

Clearing the login settings permanently deletes all console login information for the RAM user, including the password. This operation cannot be undone.

Warning
  • You cannot restore a RAM user's console login information after clearing it. Proceed with caution.

  • After you clear the console login settings for a RAM user, the user and any RAM roles currently assumed by that user are forcibly logged out.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. In the user list, click the name of the target RAM user.

  4. On the Authentication tab, in the Login Profile section, click Remove Logon Settings.

  5. In the Clear Login Settings confirmation dialog box, click OK.

API

Permissions required: ram:DeleteLoginProfile

Call the DeleteLoginProfile operation to clear the console login settings for a user.

Note

Clearing the console login settings does not affect the user's passkeys, MFA bindings, or AccessKeys.

Security best practices

  • Enforce MFA: Enable MFA for all users who need to log on to the console. This is one of the most effective measures to protect account security.

  • Require password reset for initial passwords: When you set an initial password, make sure to select the Reset Password at Next Logon option to avoid sharing the password between the administrator and the user.

  • Use separate accounts for console and API access: For programmatic accounts that require only API access, such as those for CI/CD or applications, disable console login to reduce the attack surface.

  • Regularly audit and clean up accounts: Periodically check the Last Console Logon time and promptly disable or clear the login settings for idle accounts.
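The audit recommended above can be scripted once login profiles have been collected with GetLoginProfile. The following is an added example, not Alibaba Cloud code: it flags Active console users that have never logged on or are idle, and applies the three MFA conditions from the note under "Enable MFA". Only LastLoginTime and the Active/Inactive/Unset status values come from this page; the other record keys (UserName, Status, MFABindRequired, the hypothetical MFADeviceBound), the timestamp format, and the 90-day idle threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; empty or missing means never logged on."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def mfa_mandatory(profile, global_enforce_mfa):
    """True if any condition from the MFA note holds; otherwise binding is optional."""
    return bool(global_enforce_mfa
                or profile.get("MFABindRequired")   # per-user login setting (assumed key)
                or profile.get("MFADeviceBound"))   # hypothetical key: device already bound

def audit(profiles, now, *, global_enforce_mfa, idle_days=90):
    """Return (user, finding) pairs for users whose console access is Active."""
    findings = []
    for p in profiles:
        if p.get("Status") != "Active":
            continue  # Unset or Inactive: console login is not possible
        last = parse_ts(p.get("LastLoginTime"))
        if last is None:
            findings.append((p["UserName"], "console enabled, never logged on"))
        elif now - last > timedelta(days=idle_days):
            findings.append((p["UserName"], f"idle for {(now - last).days} days"))
        if not mfa_mandatory(p, global_enforce_mfa):
            findings.append((p["UserName"], "MFA optional at login"))
    return findings

# Constructed records for illustration, not real API output.
NOW = datetime(2026, 3, 27, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"UserName": "alice", "Status": "Active", "LastLoginTime": "2026-03-20T08:00:00Z",
     "MFABindRequired": True, "MFADeviceBound": True},
    {"UserName": "ci-deploy", "Status": "Active", "LastLoginTime": "",
     "MFABindRequired": False, "MFADeviceBound": False},
    {"UserName": "bob", "Status": "Active", "LastLoginTime": "2025-11-01T10:00:00Z",
     "MFABindRequired": False, "MFADeviceBound": True},
    {"UserName": "carol", "Status": "Inactive", "LastLoginTime": "2024-01-05T09:00:00Z",
     "MFABindRequired": False, "MFADeviceBound": False},
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, NOW, global_enforce_mfa=False):
        print(f"{user}: {finding}")
```

A programmatic account such as the constructed ci-deploy user, which has console login enabled but has never used it, is the case the "separate accounts" recommendation targets.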

FAQ

What is the difference between disabling console access and clearing login settings?

Disabling is a reversible action that preserves the password and other login settings. Clearing is an irreversible action that deletes all login information.

Does disabling console login affect AccessKey access?

No. Console login and API access are independent. To prevent a user from using an AccessKey, you must disable the AccessKey.

What is the effect of changing a password or disabling login on an active session?

This action immediately terminates the user's current console session and any active RAM role sessions assumed by that user. The user must log on again. This may interrupt ongoing operations.

What should I do if a user forgets their password? Can they reset it themselves?

RAM users cannot reset their own console login passwords. An administrator must reset the password for them. For instructions, see Change the password for a RAM user as a RAM administrator.

How can an administrator find a user's last login time?

You can find the last login time in two ways:

  • Console: On the user details page, go to the Authentication tab and find the Last Console Logon time in the Login Profile section.

  • API: Call the GetLoginProfile operation. The response contains the LastLoginTime field.

What are initial passwords and their validity period?

To mitigate the security risks posed by RAM users that remain inactive for a long time, such as password theft that leads to resource threats, unexpected fees, or malicious extortion, RAM applies the "initial password" mechanism starting from January 26, 2026. Console login passwords that meet specific conditions are marked as "initial passwords" and have a default validity period of 14 days. If a user does not successfully log on for the first time within this period, the password automatically expires and must be reset by an administrator. For more information, see the announcement.

A password is considered an initial password if any of the following conditions are met:

  • First creation: The console login password that is set for a RAM user for the first time, including both auto-generated and custom passwords.

  • Re-enablement: The password that is set for a RAM user after their console login settings have been cleared and then re-enabled.

  • Reset before login: If an administrator resets an initial password before the user's first successful login, the new password is also considered an "initial password". Its validity period is recalculated from the time of the reset.

The initial password validity period and the regular password expiration period from the account's password policy are both in effect. The system enforces whichever period is shorter. Administrators can change the default initial password validity period in the global password policy of RAM. However, to avoid increasing management complexity, we recommend setting the initial password validity period to be no longer than the regular password expiration period.
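The rules above can be checked by replaying a user's password events. The following is an added example, not Alibaba Cloud code: it models the three initial-password conditions and the "shorter period wins" rule over a constructed timeline. The event names, the "No Login Profile" label, and the assumption that a first successful login ends the initial status are illustrative.

```python
from datetime import datetime, timedelta

INITIAL_VALIDITY_DAYS = 14  # default initial password validity stated above

def password_status(events, now, initial_days=INITIAL_VALIDITY_DAYS, max_age_days=None):
    """Replay one user's (time, kind) events; return (status, expires_at).

    kind: "set" (administrator sets or resets the password), "login"
    (successful console login) or "clear" (login settings cleared).
    max_age_days is the regular password expiration period (None = no expiry).
    """
    set_at, initial = None, False
    for when, kind in sorted(events):
        if kind == "clear":
            set_at, initial = None, False
        elif kind == "set":
            # First creation and re-enablement start from "no password";
            # a reset stays initial only if no login has succeeded yet.
            initial = set_at is None or initial
            set_at = when  # validity is recalculated from the reset
        elif kind == "login" and set_at is not None:
            initial = False  # assumption: first successful login ends initial status
    if set_at is None:
        return ("No Login Profile", None)  # illustrative label, not a console status
    # Both periods apply; the shorter one is enforced.
    limits = [d for d in (initial_days if initial else None, max_age_days) if d is not None]
    expires_at = set_at + timedelta(days=min(limits)) if limits else None
    if not initial:
        return ("Not Initial Password", expires_at)
    expired = expires_at is not None and now >= expires_at
    return ("Initial Password Expired" if expired else "Initial Password Available", expires_at)

# Constructed timeline: created, reset before first login, first login,
# later reset, settings cleared, console login re-enabled.
T0 = datetime(2026, 2, 1)
TIMELINE = [
    (T0, "set"), (T0 + timedelta(days=10), "set"), (T0 + timedelta(days=20), "login"),
    (T0 + timedelta(days=60), "set"), (T0 + timedelta(days=90), "clear"),
    (T0 + timedelta(days=91), "set"),
]

if __name__ == "__main__":
    for day in (5, 15, 25, 70, 90, 100, 110):
        now = T0 + timedelta(days=day)
        seen = [e for e in TIMELINE if e[0] <= now]
        print(day, *password_status(seen, now, max_age_days=90))
```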

How do I check the status of a user's initial password?

On the user details page, on the Authentication tab, view the login password status in the Login Profile section. If the status is Initial Password Expired, the user cannot log on with the current password, and an administrator must reset it.