Creating a New Profile v12
Use the CREATE PROFILE
command to create a new profile. The syntax is:
Include the LIMIT
clause and one or more space-delimited parameter
/value
pairs to specify the rules enforced by Advanced Server.
Parameters:
profile_name
specifies the name of the profile.
parameter
specifies the attribute limited by the profile.
value
specifies the parameter limit.
Advanced Server supports the value
shown below for each parameter
:
FAILED_LOGIN_ATTEMPTS
specifies the number of failed login attempts that a user may make before the server locks the user out of their account for the length of time specified by PASSWORD_LOCK_TIME
. Supported values are:
- An
INTEGER
value greater than0
. DEFAULT
- the value ofFAILED_LOGIN_ATTEMPTS
specified in theDEFAULT
profile.UNLIMITED
– the connecting user may make an unlimited number of failed login attempts.
PASSWORD_LOCK_TIME
specifies the length of time that must pass before the server unlocks an account that has been locked because of FAILED_LOGIN_ATTEMPTS
. Supported values are:
- A
NUMERIC
value greater than or equal to0
. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify4
days,12
hours. DEFAULT
- the value ofPASSWORD_LOCK_TIME
specified in theDEFAULT
profile.UNLIMITED
– the account is locked until it is manually unlocked by a database superuser.
PASSWORD_LIFE_TIME
specifies the number of days that the current password may be used before the user is prompted to provide a new password. Include the PASSWORD_GRACE_TIME
clause when using the PASSWORD_LIFE_TIME
clause to specify the number of days that will pass after the password expires before connections by the role are rejected. If PASSWORD_GRACE_TIME
is not specified, the password will expire on the day specified by the default value of PASSWORD_GRACE_TIME
, and the user will not be allowed to execute any command until a new password is provided. Supported values are:
- A
NUMERIC
value greater than or equal to0
. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify4
days,12
hours. DEFAULT
- the value ofPASSWORD_LIFE_TIME
specified in theDEFAULT
profile.UNLIMITED
– The password does not have an expiration date.
PASSWORD_GRACE_TIME
specifies the length of the grace period after a password expires until the user is forced to change their password. When the grace period expires, a user will be allowed to connect, but will not be allowed to execute any command until they update their expired password. Supported values are:
- A
NUMERIC
value greater than or equal to0
. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify4
days,12
hours. DEFAULT
- the value ofPASSWORD_GRACE_TIME
specified in theDEFAULT
profile.UNLIMITED
– The grace period is infinite.
PASSWORD_REUSE_TIME
specifies the number of days a user must wait before re-using a password. The PASSWORD_REUSE_TIME
and PASSWORD_REUSE_MAX
parameters are intended to be used together. If you specify a finite value for one of these parameters while the other is UNLIMITED
, old passwords can never be reused. If both parameters are set to UNLIMITED
there are no restrictions on password reuse. Supported values are:
- A
NUMERIC
value greater than or equal to0
. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify4
days,12
hours. DEFAULT
- the value ofPASSWORD_REUSE_TIME
specified in theDEFAULT
profile.UNLIMITED
– The password can be re-used without restrictions.
PASSWORD_REUSE_MAX
specifies the number of password changes that must occur before a password can be reused. The PASSWORD_REUSE_TIME
and PASSWORD_REUSE_MAX
parameters are intended to be used together. If you specify a finite value for one of these parameters while the other is UNLIMITED
, old passwords can never be reused. If both parameters are set to UNLIMITED
there are no restrictions on password reuse. Supported values are:
- An
INTEGER
value greater than or equal to0
. DEFAULT
- the value ofPASSWORD_REUSE_MAX
specified in theDEFAULT
profile.UNLIMITED
– The password can be re-used without restrictions.
PASSWORD_VERIFY_FUNCTION
specifies password complexity. Supported values are:
- The name of a PL/SQL function.
DEFAULT
- the value ofPASSWORD_VERIFY_FUNCTION
specified in theDEFAULT
profile.NULL
PASSWORD_ALLOW_HASHED
specifies whether an encrypted password to be allowed for use or not. If you specify the value as TRUE
, the system allows a user to change the password by specifying a hash computed encrypted password on the client side. However, if you specify the value as FALSE
, then a password must be specified in a plain-text form in order to be validated effectively, else an error will be thrown if a server receives an encrypted password. Supported values are:
- A
BOOLEAN
valueTRUE/ON/YES/1
orFALSE/OFF/NO/0
. DEFAULT
- the value ofPASSWORD_ALLOW_HASHED
specified in theDEFAULT
profile.
Note
- The
PASSWORD_ALLOW_HASHED
is not an Oracle-compatible parameter. - Use
DROP PROFILE
command to remove the profile.
Examples
The following command creates a profile named acctg
. The profile specifies that if a user has not authenticated with the correct password in five attempts, the account will be locked for one day:
The following command creates a profile named sales
. The profile specifies that a user must change their password every 90 days:
If the user has not changed their password before the 90 days specified in the profile has passed, they will be issued a warning at login. After a grace period of 3 days, their account will not be allowed to invoke any commands until they change their password.
The following command creates a profile named accts
. The profile specifies that a user cannot re-use a password within 180 days of the last use of the password, and must change their password at least 5 times before re-using the password:
The following command creates a profile named resources
; the profile calls a user-defined function named password_rules
that will verify that the password provided meets their standards for complexity:
creating_a_password_function