- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Best Practices
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
-
Access Key Management
- Obtaining Temporary Access Keys and Security Tokens of an Agency
- Obtaining Temporary Access Keys and Security Tokens of an IAM User
- Obtaining Temporary Access Keys and Security Tokens of a Federated User
- Creating a Permanent Access Key
- Querying Permanent Access Keys
- Querying a Permanent Access Key
- Modifying a Permanent Access Key
- Deleting a Permanent Access Key
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups Which an IAM User Belongs to
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (By an IAM User) (Recommended)
- Modifying IAM User Information (By the Administrator) (Recommended)
- Modifying IAM User Information (By the Administrator)
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to a User Associated with an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Listing MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Listing Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Listing Projects Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
User Groups and Permissions Management
- Why Can't I Find Permissions for a Cloud Service?
- How Do I Grant Cloud Service Permissions in the EU-Dublin Region to IAM Users?
- Why Have Permissions Granted to a User Not Been Applied?
- What Should I Do If an IAM User Does Not Have the Required Permissions to Access the IAM Console?
- How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain Access Keys (AK/SK Pairs) for the EU-Dublin Region?
- Project Management
- Agency Management
- Account Management
- Others
-
User Groups and Permissions Management
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions
- Projects
- Agencies
- Account Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Authentication?
- How Do I Disable Login Authentication?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
-
Passwords and Credentials
- How Do I Reset My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and SecurityToken)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the ME-Abu Dhabi-OP5 Region?
- Project Management
- Agency Management
- Others
- Change History
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris Regions)
- Service Overview
- Getting Started
-
User Guide
- IAM Users
- User Groups and Authorization
- Permissions
- Account Settings
- Projects
- Agencies
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Auditing
-
FAQs
- How Do I Enable Login Authentication?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain MFA Verification Codes?
- How Do I Unbind a Virtual MFA Device?
- Why Does IAM User Login Fail?
- How Do I Control IAM User Access to the Console?
- Differences Between IAM and Enterprise Management
- What Are the Differences Between IAM Projects and Enterprise Projects?
- How Can I Obtain Permissions to Create an Agency?
- What Can I Do If Text Box Prompt Information Does Not Disappear?
- How Do I Disable Password Association and Saving on Google Chrome?
- How Do I Grant Cloud Service Permissions in the EU-Paris Region to IAM Users?
- How Do I Obtain an Access Key (AK/SK) in the EU-Paris Region?
- Change History
- API Reference (Paris Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the AP-Kuala Lumpur-OP6 Region?
- Project Management
- Agency Management
- Others
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Token Management
- Access Key Management
- Region Management
-
Project Management
- Querying Project Information Based on the Specified Criteria
- Querying a User Project List
- Querying the List of Projects Accessible to Users
- Creating a Project
- Modifying Project Data
- Querying Information About a Specified Project
- Setting the Status of a Specified Project
- Querying Information and Status of a Specified Project
- Querying the Quotas of a Project
- Tenant Management
-
User Management
- Querying a User List
- Querying User Details
- Querying User Details (Recommended)
- Querying the User Group to Which a User Belongs
- Querying Users in a User Group
- Creating a User
- Changing a Password
- Modifying User Information
- Modifying User Information (Including Email Address and Mobile Number)
- Modifying User Information (Including Email Address and Mobile Number)
- Deleting a User
- Deleting a User from a User Group
- Querying MFA Device Information of Users
- Querying the MFA Device Information of a User
- Querying Login Protection Configurations of Users
- Querying the Login Protection Configuration of a User
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Modifying the Login Protection Configuration of a User
- User Group Management
-
Permission Management
- Querying a Role List
- Querying Role Details
- Querying Permissions of a User Group Under a Domain
- Querying Permissions of a User Group Corresponding to a Project
- Granting Permissions to a User Group of a Domain
- Granting Permissions to a User Group Corresponding to a Project
- Deleting Permissions of a User Group Corresponding to a Project
- Deleting Permissions of a User Group of a Domain
- Querying Whether a User Group Under a Domain Has Specific Permissions
- Querying Whether a User Group Corresponding to a Project Has Specific Permissions
- Granting Permissions to a User Group for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Checking Whether a User Group Has Specified Permissions for All Projects
- Querying All Permissions of a User Group
- Custom Policy Management
-
Agency Management
- Creating an Agency
- Querying an Agency List Based on the Specified Conditions
- Obtaining Details of a Specified Agency
- Modifying an Agency
- Deleting an Agency
- Granting Permissions to an Agency for a Project
- Checking Whether an Agency Has the Specified Permissions on a Project
- Querying the List of Permissions of an Agency on a Project
- Deleting Permissions of an Agency on a Project
- Granting Permissions to an Agency on a Domain
- Checking Whether an Agency Has the Specified Permissions on a Domain
- Querying the List of Permissions of an Agency on a Domain
- Deleting Permissions of an Agency on a Domain
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Security Settings
- Querying the Operation Protection Policy
- Modifying the Operation Protection Policy
- Querying the Password Policy
- Modifying the Password Policy
- Querying the Login Authentication Policy
- Modifying the Login Authentication Policy
- Querying the ACL for Console Access
- Modifying the ACL for Console Access
- Querying the ACL for API Access
- Modifying the ACL for API Access
- Federated Identity Authentication Management
- Version Information Management
- Services and Endpoints
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Quotas
-
FAQs
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Passwords and Credentials
- Agency Management
- Others
- Change History
- API Reference (Ankara Region)
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Copied.
Critical Operation Protection
Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
Federated users do not need to verify their identity when performing critical operations.
Virtual MFA Device
An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported, and they are application programs running on smart devices such as mobile phones.
This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see Virtual MFA Device.
Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.
- Go to the Security Settings page.
- Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
- Set up the MFA application by scanning the QR code or manually entering the secret key.
You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.
- Scanning the QR code
Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account is then added to the application.
- Manually entering the secret key
Open the MFA application on your mobile phone, and enter the secret key.
NOTE:
Your account is manually added using the time-based algorithm. Ensure that automatic time setting has been enabled on your mobile phone.
- Scanning the QR code
- View the verification code on the MFA application. The code is automatically updated every 30 seconds.
- On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
Login Protection
After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.
For the account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.
- (Administrator) Enabling login protection for an IAM user
To enable login protection for an IAM user, go to the Users page and choose More > Security Settings in the row that contains the IAM user. In the Login Protection area on the displayed Security Settings tab, click
next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.
- Enabling login protection for your account
To enable login protection, click the Critical Operations tab on the Account Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.
Operation Protection
- Enabling operation protection
After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.
The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.
- Go to the Account Security Settings page.
- Click the Critical Operations tab on the Account Security Settings page, click Enable in the Operation Protection row, select Enable, and click OK.
Figure 1 Enabling operation protection
- Select Enable and then select Self-verification or Verification by another person.
If you select Verification by another person, an identity verification is required to ensure that this verification method is available.
Figure 2 Configuring operation protection- Self-verification: You or IAM users themselves perform verification when performing a critical operation.
- Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification are supported.
- Click OK.
- Disabling operation protection
If operation protection is disabled, you and IAM users created using your account do not need to enter a verification code when performing a critical operation.
- Go to the Account Security Settings page.
- Click the Critical Operations tab on the Account Security Settings page, and click Change in the Operation Protection row.
Figure 3 Disabling operation protection
- Select Disable and click OK.
Figure 4 Disabling operation protection
- Enter a verification code.
- Self-verification: The administrator who wants to disable operation protection completes the verification. SMS, email, and virtual MFA verification are supported.
- Verification by another person: The specified person completes the verification. Only SMS and email verification are supported.
- Click OK.
- Each cloud service defines its own critical operations.
- When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
- If a user is only associated with a mobile number, only SMS verification is available.
- If a user is only associated with an email address, only email verification is available.
- If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate at least one of them before the user can perform any critical operations.
- Email or SMS verification codes may not be received due to communication errors. You are advised to use a virtual MFA device.
- If operation protection is enabled, IAM users need to enter a verification code when performing a critical operation. The verification code is sent to the mobile number or email address bound to the IAM users.
Access Key Management
- Enabling access key management
After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.
To enable access key management, click the Critical Operations tab on the Account Security Settings page, and click
in the Access Key Management row.
- Disabling access key management
After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.
To enable access key management, click the Critical Operations tab on the Account Security Settings page, and click
in the Access Key Management row.
Information Self-Management
- Enabling information self-management
By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.
To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable next to Information Self-Management. Select Enable, select the information types that IAM users can modify, and click OK.
- Disabling information self-management
After you disable information self-management, only administrators can manage their own basic information. If IAM users need to modify their login password, mobile number, or email address, they can contact the administrator. For details, see Viewing or Modifying IAM User Information.
To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot