CREATE PROFILE v14

Name

CREATE PROFILE -- create a new profile.

Synopsis

CREATE PROFILE <profile_name>
       [LIMIT {<parameter value>} ... ];

Description

CREATE PROFILE creates a new profile. Include the LIMIT clause and one or more space-delimited parameter/value pairs to specify the rules enforced by EDB Postgres Advanced Server.

EDB Postgres Advanced Server creates a default profile named DEFAULT. When you use the CREATE ROLE command to create a new role, the new role is automatically associated with the DEFAULT profile. If you upgrade from a previous version of EDB Postgres Advanced Server to EDB Postgres Advanced Server 10, the upgrade process automatically creates the roles in the upgraded version to the DEFAULT profile.

You must be a superuser to use CREATE PROFILE.

Include the LIMIT clause and one or more space-delimited parameter/value pairs to specify the rules enforced by EDB Postgres Advanced Server.

Parameters

profile_name

The name of the profile.

parameter

The password attribute for the rule to monitor.

value

The value the parameter must reach before an action is taken by the server.

EDB Postgres Advanced Server supports the value shown below for each parameter:

FAILED_LOGIN_ATTEMPTS specifies the number of failed login attempts that a user may make before the server locks the user out of their account for the length of time specified by PASSWORD_LOCK_TIME. Supported values are:

  • An INTEGER value greater than 0.
  • DEFAULT - the value of FAILED_LOGIN_ATTEMPTS specified in the DEFAULT profile.
  • UNLIMITED – the connecting user may make an unlimited number of failed login attempts.

PASSWORD_LOCK_TIME specifies the length of time that must pass before the server unlocks an account that has been locked because of FAILED_LOGIN_ATTEMPTS. Supported values are:

  • A NUMERIC value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value 4.5 to specify 4 days, 12 hours.
  • DEFAULT - the value of PASSWORD_LOCK_TIME specified in the DEFAULT profile.
  • UNLIMITED – the account is locked until it is manually unlocked by a database superuser.

PASSWORD_LIFE_TIME specifies the number of days that the current password may be used before the user is prompted to provide a new password. Include the PASSWORD_GRACE_TIME clause when using the PASSWORD_LIFE_TIME clause to specify the number of days to pass after the password expires before connections by the role are rejected. If PASSWORD_GRACE_TIME is not specified, the password expires on the day specified by the default value of PASSWORD_GRACE_TIME, and the user isn't allowed to execute any command until a new password is provided. Supported values are:

  • A NUMERIC value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value 4.5 to specify 4 days, 12 hours.
  • DEFAULT - the value of PASSWORD_LIFE_TIME specified in the DEFAULT profile.
  • UNLIMITED – The password does not have an expiration date.

PASSWORD_GRACE_TIME specifies the length of the grace period after a password expires until the user is forced to change their password. When the grace period expires, a user is allowed to connect but isn't allowed to execute any command until they update their expired password. Supported values are:

  • A NUMERIC value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value 4.5 to specify 4 days, 12 hours.
  • DEFAULT - the value of PASSWORD_GRACE_TIME specified in the DEFAULT profile.
  • UNLIMITED – The grace period is infinite.

PASSWORD_REUSE_TIME specifies the number of days a user must wait before re-using a password. The PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters are intended to be used together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED there are no restrictions on password reuse. Supported values are:

  • A NUMERIC value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value 4.5 to specify 4 days, 12 hours.
  • DEFAULT - the value of PASSWORD_REUSE_TIME specified in the DEFAULT profile.
  • UNLIMITED – The password can be re-used without restrictions.

PASSWORD_REUSE_MAX specifies the number of password changes that must occur before a password can be reused. The PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters are intended to be used together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED there are no restrictions on password reuse. Supported values are:

  • An INTEGER value greater than or equal to 0.
  • DEFAULT - the value of PASSWORD_REUSE_MAX specified in the DEFAULT profile.
  • UNLIMITED – The password can be re-used without restrictions.

PASSWORD_VERIFY_FUNCTION specifies password complexity. Supported values are:

  • The name of a PL/SQL function.
  • DEFAULT - the value of PASSWORD_VERIFY_FUNCTION specified in the DEFAULT profile.
  • NULL

PASSWORD_ALLOW_HASHED specifies whether an encrypted password to be allowed for use or not. If you specify the value as TRUE, the system allows a user to change the password by specifying a hash computed encrypted password on the client side. However, if you specify the value as FALSE, then a password must be specified in a plain-text form in order to be validated effectively, else an error is thrown if a server receives an encrypted password. Supported values are:

  • A BOOLEAN value TRUE/ON/YES/1 or FALSE/OFF/NO/0.
  • DEFAULT – the value of PASSWORD_ALLOW_HASHED specified in the DEFAULT profile.
Note

The PASSWORD_ALLOW_HASHED is not an Oracle-compatible parameter.

Notes

Use DROP PROFILE command to remove the profile.

Examples

The following command creates a profile named acctg. The profile specifies that if a user has not authenticated with the correct password in five attempts, the account is locked for one day:

CREATE PROFILE acctg LIMIT
       FAILED_LOGIN_ATTEMPTS 5
       PASSWORD_LOCK_TIME 1;

The following command creates a profile named sales. The profile specifies that a user must change their password every 90 days:

CREATE PROFILE sales LIMIT
       PASSWORD_LIFE_TIME 90
       PASSWORD_GRACE_TIME 3;

If the user has not changed their password before the 90 days specified in the profile has passed, they are issued a warning at login. After a grace period of 3 days, their account isn't allowed to invoke any commands until they change their password.

The following command creates a profile named accts. The profile specifies that a user cannot re-use a password within 180 days of the last use of the password, and must change their password at least 5 times before re-using the password:

CREATE PROFILE accts LIMIT
       PASSWORD_REUSE_TIME 180
       PASSWORD_REUSE_MAX 5;

The following command creates a profile named resources; the profile calls a user-defined function named password_rules that verifis that the password provided meets their standards for complexity:

CREATE PROFILE resources LIMIT
       PASSWORD_VERIFY_FUNCTION password_rules;

See also

ALTER PROFILE, DROP PROFILE