
Resource Access Management: SetSecurityPreference

Last Updated: May 25, 2026

Configures the global security preferences for RAM users.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| ram:SetSecurityPreference | update | *All Resources (*) | ram:MFAOperationForLogin | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| EnableSaveMFATicket | boolean | No | Specifies whether a RAM user who logs on with multi-factor authentication (MFA) can skip MFA for the next seven days. Valid values: true: allowed; false (default): not allowed. | false |
| AllowUserToChangePassword | boolean | No | Specifies whether RAM users can change their own passwords. Valid values: true (default): allowed; false: not allowed. | true |
| AllowUserToManageAccessKeys | boolean | No | Specifies whether RAM users can manage their own AccessKeys. Valid values: true: allowed; false (default): not allowed. | false |
| AllowUserToManageMFADevices | boolean | No | Specifies whether RAM users can manage their own MFA devices. Valid values: true (default): allowed; false: not allowed. | true |
| LoginSessionDuration | integer | No | The session duration of a RAM user who logs on to the console. Unit: hours. Valid values: 1 to 24. Default value: 6. | 6 |
| LoginNetworkMasks | string | No | The IP address mask that is used to log on to the console. This mask applies to password-based logons and single sign-on (SSO) logons, but does not affect API calls that are initiated by using an AccessKey pair. If you specify a mask, RAM users can log on to the console only from the specified IP addresses. If you do not specify a mask, RAM users can log on to the console from all IP addresses. If you need to specify multiple masks, separate them with semicolons (;). Example: 192.168.0.0/16;10.0.0.0/8. You can specify up to 40 masks. The total length cannot exceed 512 characters. | 10.0.0.0/8 |
| VerificationTypes | array of string | No | The MFA methods. Each element is an MFA method. Valid values: sms: text message; email: email. | ["sms", "email"] |
| AllowUserToManagePersonalDingTalk | boolean | No | Specifies whether RAM users can link or unlink their personal DingTalk accounts. Valid values: true (default): allowed; false: not allowed. | true |
| OperationForRiskLogin (deprecated) | string | No | This parameter is deprecated. | autonomous |
| MFAOperationForLogin | string | No | Specifies the MFA policy for user logon. This parameter replaces EnforceMFAForLogin. We recommend that you use this parameter. EnforceMFAForLogin is still valid. Valid values: mandatory: enforces MFA for all RAM users, equivalent to setting EnforceMFAForLogin to true; independent (default): the MFA settings for each RAM user are not affected, equivalent to setting EnforceMFAForLogin to false; adaptive: enforces MFA only for unusual logons. | adaptive |
| MaxIdleDaysForAccessKeys | integer | No | The maximum idle period of the AccessKey pairs of RAM users. An AccessKey pair that is not used for the specified period of time is automatically disabled on the next day. You can set the value to one of the following numbers: 90, 180, 365, 730 (default). | 365 |
| MaxIdleDaysForUsers | integer | No | The maximum idle period of RAM users. If a RAM user who can log on to the console does not log on to the console for the specified period of time (SSO logons are not included), the console logon feature of the RAM user is disabled on the next day. You can set the value to one of the following numbers: 90, 180, 365, 730 (default). | 365 |
| AllowUserToLoginWithPasskey | boolean | No | Specifies whether RAM users can use passkeys to log on to the console. Valid values: true (default): allowed; false: not allowed. | true |
| AllowUserToManageServiceCredentials | boolean | No | Specifies whether RAM users can manage their own API keys. Valid values: true: allowed; false: not allowed. | false |
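
A pre-flight check for the constraints in the request-parameter table, written as an added example (not Alibaba Cloud SDK code). The function names are hypothetical, and rejecting masks with host bits set is an assumption of this example rather than documented API behavior.

```python
import ipaddress

# Constraints transcribed from the request-parameter table on this page.
BOOLEANS = {
    "EnableSaveMFATicket", "AllowUserToChangePassword", "AllowUserToManageAccessKeys",
    "AllowUserToManageMFADevices", "AllowUserToManagePersonalDingTalk",
    "AllowUserToLoginWithPasskey", "AllowUserToManageServiceCredentials",
}
CHOICES = {
    "MFAOperationForLogin": ("mandatory", "independent", "adaptive"),
    "MaxIdleDaysForAccessKeys": (90, 180, 365, 730),
    "MaxIdleDaysForUsers": (90, 180, 365, 730),
}

def check_masks(value):
    """LoginNetworkMasks: ';'-separated, at most 40 masks and 512 characters."""
    errors = []
    masks = value.split(";") if value else []
    if len(value) > 512 or len(masks) > 40:
        errors.append("LoginNetworkMasks: over 40 masks or 512 characters")
    for mask in masks:
        try:
            # Assumption: a mask with host bits set (10.0.0.1/8) is a typo, so reject it.
            ipaddress.ip_network(mask, strict=True)
        except ValueError:
            errors.append(f"LoginNetworkMasks: invalid mask {mask!r}")
    return errors

def validate_request(params):
    """Return a list of problems; an empty list means the parameters fit the table."""
    errors = []
    for name, value in params.items():
        if name in BOOLEANS:
            if not isinstance(value, bool):
                errors.append(f"{name}: expected a boolean")
        elif name in CHOICES:
            if value not in CHOICES[name]:
                errors.append(f"{name}: must be one of {list(CHOICES[name])}")
        elif name == "LoginSessionDuration":
            if type(value) is not int or not 1 <= value <= 24:
                errors.append(f"{name}: must be an integer from 1 to 24 (hours)")
        elif name == "VerificationTypes":
            if not isinstance(value, list) or not set(value) <= {"sms", "email"}:
                errors.append(f"{name}: only 'sms' and 'email' are valid")
        elif name == "LoginNetworkMasks":
            errors.extend(check_masks(value))
        else:
            errors.append(f"{name}: deprecated or not in the parameter table")
    return errors
```

Running this before the API call catches a malformed allowlist (for example a trailing semicolon or a mistyped prefix) while the intended console restriction is still under review.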

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | The data returned. | |
| SecurityPreference | object | The security preferences. | |
| AccessKeyPreference | object | The AccessKey preferences. | |
| AllowUserToManageAccessKeys | boolean | Specifies whether RAM users can manage their own AccessKeys. | false |
| AllowUserToManageServiceCredentials | boolean | Specifies whether RAM users can manage their own API keys. Valid values: true: RAM users can manage their own API keys; false: RAM users cannot manage their own API keys. | false |
| LoginProfilePreference | object | The login preferences. | |
| EnableSaveMFATicket | boolean | Specifies whether to save the verification status for seven days after a RAM user completes multi-factor authentication (MFA) during sign-in. | false |
| LoginSessionDuration | integer | The duration of the login session for a RAM user, in hours. | 6 |
| LoginNetworkMasks | string | The login network mask. | 10.0.0.0/8 |
| AllowUserToChangePassword | boolean | Specifies whether RAM users can manage their own passwords. | true |
| OperationForRiskLogin (deprecated) | string | This parameter is deprecated. | autonomous |
| MFAOperationForLogin | string | The MFA policy for user sign-in. This parameter is the recommended replacement for EnforceMFAForLogin, which is still supported. | adaptive |
| AllowUserToLoginWithPasskey | boolean | Specifies whether RAM users can sign in with a passkey. | false |
| MFAPreference | object | The MFA (multi-factor authentication) preferences. | |
| AllowUserToManageMFADevices | boolean | Specifies whether RAM users can manage their own MFA devices. | false |
| VerificationPreference | object | The preferences for MFA methods. | |
| VerificationTypes | array of string | The allowed MFA methods. Each element is an MFA method. | ["sms", "email"] |
| PersonalInfoPreference | object | The personal information preferences. | |
| AllowUserToManagePersonalDingTalk | boolean | Specifies whether RAM users can attach or detach their personal DingTalk accounts. | true |
| MaxIdleDays | object | Settings for the maximum idle period in days. | |
| MaxIdleDaysForUsers | integer | The maximum idle period, in days, for a RAM user. If a RAM user with console sign-in enabled does not sign in within this period, the system automatically disables their console sign-in the next day. This setting does not apply to single sign-on (SSO). Default value: 730. | 730 |
| MaxIdleDaysForAccessKeys | integer | The maximum idle period, in days, for an AccessKey of a RAM user. If an AccessKey is not used within the specified period, the system automatically disables it the next day. Default value: 730. | 730 |
| RequestId | string | The request ID. | 17494710-B4BA-4185-BBBB-C1A6ABDE1639 |

Examples

Success response

JSON format

{
  "SecurityPreference": {
    "AccessKeyPreference": {
      "AllowUserToManageAccessKeys": false,
      "AllowUserToManageServiceCredentials": false
    },
    "LoginProfilePreference": {
      "EnableSaveMFATicket": false,
      "LoginSessionDuration": 6,
      "LoginNetworkMasks": "10.0.0.0/8",
      "AllowUserToChangePassword": true,
      "OperationForRiskLogin": "autonomous",
      "MFAOperationForLogin": "adaptive",
      "AllowUserToLoginWithPasskey": false
    },
    "MFAPreference": {
      "AllowUserToManageMFADevices": false
    },
    "VerificationPreference": {
      "VerificationTypes": [
        "sms",
        "email"
      ]
    },
    "PersonalInfoPreference": {
      "AllowUserToManagePersonalDingTalk": true
    },
    "MaxIdleDays": {
      "MaxIdleDaysForUsers": 730,
      "MaxIdleDaysForAccessKeys": 730
    }
  },
  "RequestId": "17494710-B4BA-4185-BBBB-C1A6ABDE1639"
}
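
An added example (not part of the original reference or the SDK) that audits a response of this shape against a baseline and lists the settings that fall short. The baseline, the `audit` function and the sample values are assumptions made for illustration; adjust the predicates to your own policy.

```python
import json

# Constructed sample, modelled on the page's example response with several values changed.
SAMPLE = json.loads("""
{"SecurityPreference": {
   "AccessKeyPreference": {"AllowUserToManageAccessKeys": true,
                           "AllowUserToManageServiceCredentials": false},
   "LoginProfilePreference": {"EnableSaveMFATicket": true, "LoginSessionDuration": 6,
                              "LoginNetworkMasks": "", "AllowUserToChangePassword": true,
                              "MFAOperationForLogin": "independent",
                              "AllowUserToLoginWithPasskey": false},
   "MFAPreference": {"AllowUserToManageMFADevices": false},
   "VerificationPreference": {"VerificationTypes": ["sms", "email"]},
   "PersonalInfoPreference": {"AllowUserToManagePersonalDingTalk": true},
   "MaxIdleDays": {"MaxIdleDaysForUsers": 730, "MaxIdleDaysForAccessKeys": 90}},
 "RequestId": "00000000-0000-0000-0000-000000000000"}
""")

# Hypothetical baseline (an assumption of this example, not a vendor recommendation):
# (section, field, predicate that must hold, finding text when it does not).
BASELINE = [
    ("LoginProfilePreference", "MFAOperationForLogin", lambda v: v in ("mandatory", "adaptive"),
     "MFA depends on each RAM user's own setting"),
    ("LoginProfilePreference", "EnableSaveMFATicket", lambda v: v is False,
     "MFA can be skipped for seven days after an MFA logon"),
    ("LoginProfilePreference", "LoginNetworkMasks", lambda v: bool(v),
     "console logon is allowed from all IP addresses"),
    ("AccessKeyPreference", "AllowUserToManageAccessKeys", lambda v: v is False,
     "RAM users can manage their own AccessKeys"),
    ("MaxIdleDays", "MaxIdleDaysForAccessKeys", lambda v: v <= 90,
     "unused AccessKey pairs stay enabled longer than 90 days"),
    ("MaxIdleDays", "MaxIdleDaysForUsers", lambda v: v <= 90,
     "idle users keep console logon longer than 90 days"),
]

def audit(response):
    """Return one finding per baseline rule that the response does not satisfy."""
    prefs = response.get("SecurityPreference", {})
    findings = []
    for section, field, ok, text in BASELINE:
        value = prefs.get(section, {}).get(field)
        if value is None:
            findings.append(f"{section}.{field}: missing from response")
        elif not ok(value):
            findings.append(f"{section}.{field}={value!r}: {text}")
    return findings
```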

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.