Managing Authentication Settings

This topic describes how to set password policy rules for local IAM users in your tenancy.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing password policy.

To view authentication policy, you must be granted inspect access on the authentication-policies resource. For example:

Allow group GroupA to inspect authentication-policies in tenancy

To modify authentication policy, you must be granted the AUTHENTICATION_POLICY_UPDATE permission. This permission is included in the manage verb. For example:

Allow group GroupA to manage authentication-policies in tenancy

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM.

Working with Password Policy Rules

A password policy that you set in the IAM service applies to all local (non-federated) users.

When a user is created or when a user changes their password, the IAM service validates the password that is provided against the password policy to ensure that it meets the criteria for the policy. When a user logs in for the first time to change the password, or resets the password at any time, the password policy is evaluated and enforced.

When Do Changes to Password Policy Rules Take Effect

Changes to password policy rules take effect immediately, so the next time any user changes their password, they must create a password that meets the criteria. Existing passwords continue to work even if they would be invalid under the new rules. Users are not forced to change existing passwords to meet the new criteria. Passwords are evaluated against the rules only at the time they are created or changed.

About the Password Policy Rules

The following table describes the rules that you can include in your password policy:

Rule: Minimum password length
Setting Options: Minimum value is 8 (characters). Maximum value is 100.
Default IAM Service Setting: 12 characters

Rule: Special characters
Setting Options: Require passwords to contain at least 1 of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Default IAM Service Setting: Enforced

Rule: Lowercase characters
Setting Options: Require passwords to contain at least 1 lowercase alphabetic character a-z.
Default IAM Service Setting: Enforced

Rule: Uppercase characters
Setting Options: Require passwords to contain at least 1 uppercase alphabetic character A-Z.
Default IAM Service Setting: Enforced

Rule: Numeric characters
Setting Options: Require passwords to contain at least 1 number 0-9.
Default IAM Service Setting: Enforced

Oracle recommends that you enforce all the password rules.
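
The rules above can be mirrored in a local pre-check, for example so that a provisioning script rejects a generated initial password before submitting it. This is an added example, not Oracle code: PasswordPolicy, relaxed_rules and violations are hypothetical names, and the IAM service's own validation remains authoritative.

```python
import string
from dataclasses import dataclass

# Special characters from the rule table (same set as string.punctuation).
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass(frozen=True)
class PasswordPolicy:  # hypothetical local model, not an OCI SDK class
    min_length: int = 12  # default IAM service setting
    require_special: bool = True
    require_lowercase: bool = True
    require_uppercase: bool = True
    require_numeric: bool = True

    def __post_init__(self):
        # The minimum length setting itself must be between 8 and 100.
        if not 8 <= self.min_length <= 100:
            raise ValueError("minimum password length must be 8..100")

    def relaxed_rules(self):
        """Character rules that are switched off (all are recommended on)."""
        flags = {
            "special": self.require_special,
            "lowercase": self.require_lowercase,
            "uppercase": self.require_uppercase,
            "numeric": self.require_numeric,
        }
        return [name for name, enforced in flags.items() if not enforced]

    def violations(self, password):
        """Names of the enforced rules that the candidate password fails."""
        def has(chars):
            return any(c in chars for c in password)

        # ASCII-only sets: the rules say a-z, A-Z and 0-9, so accented
        # letters or non-ASCII digits do not satisfy them here.
        checks = [
            ("length", True, len(password) >= self.min_length),
            ("special", self.require_special, has(SPECIAL)),
            ("lowercase", self.require_lowercase, has(string.ascii_lowercase)),
            ("uppercase", self.require_uppercase, has(string.ascii_uppercase)),
            ("numeric", self.require_numeric, has(string.digits)),
        ]
        return [name for name, enforced, ok in checks if enforced and not ok]


if __name__ == "__main__":
    # Constructed sample candidates, checked against the default policy.
    for candidate in ("Tr1cky-Example", "alllowercaseletters"):
        print(candidate, PasswordPolicy().violations(candidate))
```

An empty list from violations means the candidate meets every enforced rule; relaxed_rules lists the settings that depart from the recommendation to enforce all rules.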

