Configure the global security preferences for a RAM user.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ram:SetSecurityPreference |
update |
*All Resource
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| EnableSaveMFATicket |
boolean |
No |
Specifies whether a RAM user who logs on with multi-factor authentication (MFA) can skip MFA for the next seven days. Valid values:
|
false |
| AllowUserToChangePassword |
boolean |
No |
Specifies whether RAM users can change their own passwords. Valid values:
|
true |
| AllowUserToManageAccessKeys |
boolean |
No |
Specifies whether RAM users can manage their own AccessKeys. Valid values:
|
false |
| AllowUserToManageMFADevices |
boolean |
No |
Specifies whether RAM users can manage their own MFA devices. Valid values:
|
true |
| LoginSessionDuration |
integer |
No |
The session duration of a RAM user who logs on to the console. Unit: hours. Valid values: 1 to 24. Default value: 6. |
6 |
| LoginNetworkMasks |
string |
No |
The IP address mask that is used to log on to the console. This mask applies to password-based logons and single sign-on (SSO) logons, but does not affect API calls that are initiated by using an AccessKey pair.
If you need to specify multiple masks, separate them with semicolons ( You can specify up to 40 masks. The total length cannot exceed 512 characters. |
10.0.0.0/8 |
| VerificationTypes |
array |
No |
The MFA methods. |
|
|
string |
No |
The MFA method. Valid values:
|
["sms", "email"] |
|
| AllowUserToManagePersonalDingTalk |
boolean |
No |
Specifies whether RAM users can link or unlink their personal DingTalk accounts. Valid values:
|
true |
OperationForRiskLogin
deprecated
|
string |
No |
This parameter is deprecated. |
autonomous |
| MFAOperationForLogin |
string |
No |
Specifies the MFA policy for user logon. This parameter replaces
|
adaptive |
| MaxIdleDaysForAccessKeys |
integer |
No |
The maximum idle period of the AccessKey pairs of RAM users. An AccessKey pair that is not used for the specified period of time is automatically disabled on the next day. You can set the value to one of the following numbers:
|
365 |
| MaxIdleDaysForUsers |
integer |
No |
The maximum idle period of RAM users. If a RAM user who can log on to the console does not log on to the console for the specified period of time (SSO logons are not included), the console logon feature of the RAM user is disabled on the next day. You can set the value to one of the following numbers:
|
365 |
| AllowUserToLoginWithPasskey |
boolean |
No |
Specifies whether RAM users can use passkeys to log on to the console. Valid values:
|
true |
| AllowUserToManageServiceCredentials |
boolean |
No |
Specifies whether RAM users can manage their own API keys. Valid values:
|
false |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The data returned. |
||
| SecurityPreference |
object |
The security preferences. |
|
| AccessKeyPreference |
object |
The AccessKey preferences. |
|
| AllowUserToManageAccessKeys |
boolean |
Specifies whether RAM users can manage their own AccessKeys. |
false |
| AllowUserToManageServiceCredentials |
boolean |
Specifies whether RAM users can manage their own API keys. Valid values:
|
false |
| LoginProfilePreference |
object |
The login preferences. |
|
| EnableSaveMFATicket |
boolean |
Specifies whether to save the verification status for seven days after a RAM user completes multi-factor authentication (MFA) during sign-in. |
false |
| LoginSessionDuration |
integer |
The duration of the login session for a RAM user, in hours. |
6 |
| LoginNetworkMasks |
string |
The login network mask. |
10.0.0.0/8 |
| AllowUserToChangePassword |
boolean |
Specifies whether RAM users can manage their own passwords. |
true |
OperationForRiskLogin
deprecated
|
string |
This parameter is deprecated. |
autonomous |
| MFAOperationForLogin |
string |
The MFA policy for user sign-in. This parameter is the recommended replacement for |
adaptive |
| AllowUserToLoginWithPasskey |
boolean |
Specifies whether RAM users can sign in with a passkey. |
false |
| MFAPreference |
object |
The MFA (multi-factor authentication) preferences. |
|
| AllowUserToManageMFADevices |
boolean |
Specifies whether RAM users can manage their own MFA devices. |
false |
| VerificationPreference |
object |
The preferences for MFA methods. |
|
| VerificationTypes |
array |
The allowed MFA methods. |
|
|
string |
The MFA method. |
["sms", "email"] |
|
| PersonalInfoPreference |
object |
The personal information preferences. |
|
| AllowUserToManagePersonalDingTalk |
boolean |
Specifies whether RAM users can attach or detach their personal DingTalk accounts. |
true |
| MaxIdleDays |
object |
Settings for the maximum idle period in days. |
|
| MaxIdleDaysForUsers |
integer |
The maximum idle period, in days, for a RAM user. If a RAM user with console sign-in enabled does not sign in within this period, the system automatically disables their console sign-in the next day. This setting does not apply to single sign-on (SSO). Default value: 730. |
730 |
| MaxIdleDaysForAccessKeys |
integer |
The maximum idle period, in days, for an AccessKey of a RAM user. If an AccessKey is not used within the specified period, the system automatically disables it the next day. Default value: 730. |
730 |
| RequestId |
string |
The request ID. |
17494710-B4BA-4185-BBBB-C1A6ABDE1639 |
Examples
Success response
JSON format
{
"SecurityPreference": {
"AccessKeyPreference": {
"AllowUserToManageAccessKeys": false,
"AllowUserToManageServiceCredentials": false
},
"LoginProfilePreference": {
"EnableSaveMFATicket": false,
"LoginSessionDuration": 6,
"LoginNetworkMasks": "10.0.0.0/8",
"AllowUserToChangePassword": true,
"OperationForRiskLogin": "autonomous",
"MFAOperationForLogin": "adaptive",
"AllowUserToLoginWithPasskey": false
},
"MFAPreference": {
"AllowUserToManageMFADevices": false
},
"VerificationPreference": {
"VerificationTypes": [
"[\"sms\", \"email\"]"
]
},
"PersonalInfoPreference": {
"AllowUserToManagePersonalDingTalk": true
},
"MaxIdleDays": {
"MaxIdleDaysForUsers": 730,
"MaxIdleDaysForAccessKeys": 730
}
},
"RequestId": "17494710-B4BA-4185-BBBB-C1A6ABDE1639"
}
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.