Creating a new role associated with a profile v16

A database superuser can use clauses of the CREATE USER|ROLE command to assign a named profile to a role when creating the role or to specify profile management details for a role. The command syntax related to profile management functionality is:

CREATE USER|ROLE <name> [[WITH] <option> []]

where option can be the following compatible clauses:

   PROFILE <profile_name>
|  ACCOUNT {LOCK|UNLOCK}
|  PASSWORD EXPIRE [AT '<timestamp>']

Or, option can be the following noncompatible clauses:

|  LOCK TIME '<timestamp>'

For information about the administrative clauses of the CREATE USER or CREATE ROLE command that are supported by EDB Postgres Advanced Server, see the PostgreSQL core documentation.

CREATE ROLE|USER... PROFILE adds a role with an associated profile to an EDB Postgres Advanced Server database cluster.

Roles created with the CREATE USER command are by default login roles. Roles created with the CREATE ROLE command are by default not login roles. To create a login account with the CREATE ROLE command, you must include the LOGIN keyword.

Only a database superuser can use the CREATE USER|ROLE clauses that enforce profile management. These clauses enforce the following behaviors:

  • Include the PROFILE clause and a profile_name to associate a predefined profile with a role or to change the predefined profile associated with a user.

  • Include the ACCOUNT clause and the LOCK or UNLOCK keyword to place the user account in a locked or unlocked state.

  • Include the LOCK TIME 'timestamp' clause and a date/time value to lock the role at the specified time and unlock the role at the time indicated by the PASSWORD_LOCK_TIME parameter of the profile assigned to this role. If LOCK TIME is used with the ACCOUNT LOCK clause, only a database superuser can unlock the role with the ACCOUNT UNLOCK clause.

  • Include the PASSWORD EXPIRE clause with the optional AT 'timestamp' keywords to specify a date/time when the password associated with the role expires. If you omit the AT 'timestamp' keywords, the password expires immediately.

Each login role can have only one profile. To discover the profile that's currently associated with a login role, query the profile column of the DBA_USERS view.

Parameters

name

The name of the role.

profile_name

The name of the profile associated with the role.

timestamp

The date and time when the clause is enforced. When specifying a value for timestamp, enclose the value in single quotes.

Examples

This example uses CREATE USER to create a login role named john associated with the acctg_profile profile:

CREATE USER john PROFILE acctg_profile IDENTIFIED BY1safepwd”;

john can log in to the server using the password 1safepwd.

This example uses CREATE ROLE to create a login role named john associated with the acctg_profile profile:

CREATE ROLE john PROFILE acctg_profile LOGIN PASSWORD “1safepwd”;

john can log in to the server using the password 1safepwd.