
06 Profiles

Profiles in Oracle are used to control resource usage and manage passwords for users, with predefined parameters to limit resources like CPU time and memory and configure password policies including complexity rules, lifetime, and account locking. Default profiles provide unlimited access, while custom profiles can be created to assign specific limits and rules to users. Common profile parameters include settings for passwords, resource limits, and the password verification function to enforce password strength requirements.

Uploaded by

Thirumal Reddy

Profiles

Main points in this section


• What are profiles
• What resources are managed using profiles
o SESSIONS_PER_USER
o CPU_PER_SESSION
o CPU_PER_CALL
o LOGICAL_READS_PER_SESSION
o LOGICAL_READS_PER_CALL
o PRIVATE_SGA
o CONNECT_TIME
o IDLE_TIME
o COMPOSITE_LIMIT
• How Passwords are managed using profiles
o FAILED_LOGIN_ATTEMPTS
o PASSWORD_LOCK_TIME
o PASSWORD_LIFE_TIME
o PASSWORD_GRACE_TIME
o PASSWORD_REUSE_TIME
o PASSWORD_REUSE_MAX
o PASSWORD_VERIFY_FUNCTION
• Manage Profiles
o Create Profile
o Alter Profile
o Drop Profile
• Initialization Parameters
o RESOURCE_LIMIT=TRUE
• Data Dictionary views related to Profiles
o Dba_profiles
o User_password_limits
o User_resource_limits
o Resource_cost

What are profiles
• Profiles are used to control database resource usage.
• They are also used to manage user passwords.
• Oracle provides predefined resource parameters that we can use to monitor and control database usage.
• Profiles are created using the “create profile” command and assigned to users.
• Oracle provides a “DEFAULT” profile. It gives unlimited resource usage to all users who are not assigned a specific profile.

List of resources managed by profiles

PRIVATE_SGA: Limits the amount of SGA (System Global Area) memory in bytes that a user connecting with shared servers can allocate to the persistent area in the PGA (Program Global Area).

CREATE PROFILE agent LIMIT PRIVATE_SGA 2500;

ALTER PROFILE data_analyst LIMIT PRIVATE_SGA UNLIMITED;

List of Password parameters managed by profiles

If the FAILED_LOGIN_ATTEMPTS limit is breached, the account is locked for PASSWORD_LOCK_TIME days. If the PASSWORD_LOCK_TIME parameter is set to UNLIMITED and a user exceeds FAILED_LOGIN_ATTEMPTS, the account must be manually unlocked.

Commands for managing profiles

SQL> ALTER USER sh PROFILE new_profile;

When dropping a profile, you must specify CASCADE to de-assign the profile from existing users. These users are automatically assigned the DEFAULT profile.

-- use a custom password function
CREATE PROFILE agent LIMIT PASSWORD_VERIFY_FUNCTION my_function;

-- revert to the verification function setting of the DEFAULT profile
-- (specify NULL instead of DEFAULT to disable password verification)
ALTER PROFILE student LIMIT PASSWORD_VERIFY_FUNCTION DEFAULT;
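
The profile lifecycle described above (create, assign, inspect, drop with CASCADE), as an added example that is not from the original slides. The profile name app_limits and its limit values are illustrative assumptions; user101 is the test user from this page's example session.

```sql
-- Added example. app_limits and its values are hypothetical.

-- Resource limits in a profile are enforced only when RESOURCE_LIMIT is TRUE.
-- Password limits are enforced regardless of this parameter.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- IDLE_TIME and CONNECT_TIME are in minutes.
-- PASSWORD_LOCK_TIME, PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME are in days,
-- so 1/24 locks the account for one hour.
CREATE PROFILE app_limits LIMIT
  SESSIONS_PER_USER      2
  IDLE_TIME              30
  CONNECT_TIME           480
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1/24
  PASSWORD_LIFE_TIME     90
  PASSWORD_GRACE_TIME    7;

ALTER USER user101 PROFILE app_limits;

-- Parameters not named in CREATE PROFILE appear with LIMIT = 'DEFAULT',
-- meaning the value is inherited from the DEFAULT profile.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'APP_LIMITS'
ORDER  BY resource_type, resource_name;

-- While the profile is still assigned to a user, DROP PROFILE without
-- CASCADE is rejected. With CASCADE the users are moved to DEFAULT.
DROP PROFILE app_limits CASCADE;

-- Confirm that user101 is back on the DEFAULT profile.
SELECT username, profile
FROM   dba_users
WHERE  username = 'USER101';
```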

Example

[oracle@oracledb ~]$ cat abc.txt
SQL> create user user101 identified by mypassword default tablespace users
  2  temporary tablespace tempsmall;

User created.

SQL> grant create session to user101;

Grant succeeded.

SQL> desc dba_users
Name                                      Null?    Type
----------------------------------------- -------- ----------------------------
USERNAME                                  NOT NULL VARCHAR2(30)
USER_ID                                   NOT NULL NUMBER
PASSWORD                                           VARCHAR2(30)
ACCOUNT_STATUS                            NOT NULL VARCHAR2(32)
LOCK_DATE                                          DATE
EXPIRY_DATE                                        DATE
DEFAULT_TABLESPACE                        NOT NULL VARCHAR2(30)
TEMPORARY_TABLESPACE                      NOT NULL VARCHAR2(30)
CREATED                                   NOT NULL DATE
PROFILE                                   NOT NULL VARCHAR2(30)
INITIAL_RSRC_CONSUMER_GROUP                        VARCHAR2(30)
EXTERNAL_NAME                                      VARCHAR2(4000)

SQL> select username, password, account_status, profile
  2  from dba_users where username = 'USER101';

USERNAME                       PASSWORD
------------------------------ ------------------------------
ACCOUNT_STATUS                   PROFILE
-------------------------------- ------------------------------
USER101                        C785129D188B99F3
OPEN                             DEFAULT

SQL> @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

Function created.

Profile altered.

SQL> !cat $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

SQL> connect user101/xxxx
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

SQL> connect user101/yyyy
ERROR:
ORA-01017: invalid username/password; logon denied

SQL> connect user101/zzzzz
ERROR:
ORA-01017: invalid username/password; logon denied

SQL> connect shekhar
ERROR:
ORA-28002: the password will expire within 10 days

Connected.
SQL> select username, password, account_status, profile
  2  from dba_users where username = 'USER101';

USERNAME                       PASSWORD
------------------------------ ------------------------------
ACCOUNT_STATUS                   PROFILE
-------------------------------- ------------------------------
USER101                        C785129D188B99F3
LOCKED(TIMED)                    DEFAULT

SQL> alter user user101 account unlock;

User altered.

SQL> select username, password, account_status, profile
  2  from dba_users where username = 'USER101';

USERNAME                       PASSWORD
------------------------------ ------------------------------
ACCOUNT_STATUS                   PROFILE
-------------------------------- ------------------------------
USER101                        C785129D188B99F3
OPEN                             DEFAULT

SQL> connect user101/mypassword
Connected.
SQL> show user
USER is "USER101"
SQL> spool off
[oracle@oracledb]

CREATE OR REPLACE FUNCTION verify_function
(username varchar2,
 password varchar2,
 old_password varchar2)
RETURN boolean IS
   n boolean;
   m integer;
   differ integer;
   isdigit boolean;
   ischar boolean;
   ispunct boolean;
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray varchar2(52);

BEGIN
   digitarray:= '0123456789';
   chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   punctarray:='!"#$%&()``*+,-/:;<=>?_';

   -- Check if the password is same as the username
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20001, 'Password same as or similar to user');
   END IF;

   -- Check for the minimum length of the password
   IF length(password) < 4 THEN
      raise_application_error(-20002, 'Password length less than 4');
   END IF;

   -- Check if the password is too simple. A dictionary of words may be
   -- maintained and a check may be made so as not to allow the words
   -- that are too simple for the password.
   IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                              'password', 'oracle', 'computer', 'abcd') THEN
      raise_application_error(-20002, 'Password too simple');
   END IF;

   -- Check if the password contains at least one letter, one digit and one
   -- punctuation mark.
   -- 1. Check for the digit
   isdigit:=FALSE;
   m := length(password);
   FOR i IN 1..10 LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(digitarray,i,1) THEN
            isdigit:=TRUE;
            GOTO findchar;
         END IF;
      END LOOP;
   END LOOP;
   IF isdigit = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one ' ||
         'digit, one character and one punctuation');
   END IF;

   -- 2. Check for the character
   <<findchar>>
   ischar:=FALSE;
   FOR i IN 1..length(chararray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(chararray,i,1) THEN
            ischar:=TRUE;
            GOTO findpunct;
         END IF;
      END LOOP;
   END LOOP;
   IF ischar = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one ' ||
         'digit, one character and one punctuation');
   END IF;

   -- 3. Check for the punctuation
   <<findpunct>>
   ispunct:=FALSE;
   FOR i IN 1..length(punctarray) LOOP
      FOR j IN 1..m LOOP
         IF substr(password,j,1) = substr(punctarray,i,1) THEN
            ispunct:=TRUE;
            GOTO endsearch;
         END IF;
      END LOOP;
   END LOOP;
   IF ispunct = FALSE THEN
      raise_application_error(-20003, 'Password should contain at least one ' ||
         'digit, one character and one punctuation');
   END IF;

   <<endsearch>>
   -- Check if the password differs from the previous password by at least
   -- 3 letters
   IF old_password IS NOT NULL THEN
      differ := length(old_password) - length(password);

      IF abs(differ) < 3 THEN
         -- Compare position by position over the shorter of the two passwords
         IF length(password) < length(old_password) THEN
            m := length(password);
         ELSE
            m := length(old_password);
         END IF;

         differ := abs(differ);
         FOR i IN 1..m LOOP
            IF substr(password,i,1) != substr(old_password,i,1) THEN
               differ := differ + 1;
            END IF;
         END LOOP;

         IF differ < 3 THEN
            raise_application_error(-20004, 'Password should differ by at ' ||
               'least 3 characters');
         END IF;
      END IF;
   END IF;

   -- Everything is fine; return TRUE ;
   RETURN(TRUE);
END;
/

-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to different value or UNLIMITED
-- is created and assigned to the user.

ALTER PROFILE DEFAULT LIMIT
   PASSWORD_LIFE_TIME 60
   PASSWORD_GRACE_TIME 10
   PASSWORD_REUSE_TIME 1800
   PASSWORD_REUSE_MAX UNLIMITED
   FAILED_LOGIN_ATTEMPTS 3
   PASSWORD_LOCK_TIME 1/1440
   PASSWORD_VERIFY_FUNCTION verify_function;
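
An audit over the data dictionary views listed in the outline, added here as an example (not part of the original script): it resolves limits inherited from the DEFAULT profile and lists users whose effective password settings are left open, then shows accounts currently locked by failed logins. Which settings to flag is an assumption of this example.

```sql
-- Added example. The flagged conditions are this example's choice, not Oracle's.

-- A LIMIT of 'DEFAULT' in DBA_PROFILES means "inherit from the DEFAULT
-- profile", so resolve it before judging a profile's real setting.
WITH effective AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
)
SELECT u.username,
       u.account_status,
       e.profile,
       e.resource_name,
       e.limit
FROM   effective e
JOIN   dba_users u ON u.profile = e.profile
WHERE  (e.resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND e.limit = 'UNLIMITED')
   OR  (e.resource_name = 'PASSWORD_LIFE_TIME'       AND e.limit = 'UNLIMITED')
   OR  (e.resource_name = 'PASSWORD_VERIFY_FUNCTION' AND e.limit = 'NULL')
ORDER  BY u.username, e.resource_name;

-- Accounts locked because FAILED_LOGIN_ATTEMPTS was exceeded, as happened to
-- USER101 in the session above. LIKE also matches 'EXPIRED & LOCKED(TIMED)'.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE '%LOCKED(TIMED)%'
ORDER  BY lock_date;
```

After running utlpwdmg.sql as shown on this page, the first query should return no rows for users on the DEFAULT profile, since the script sets all three flagged parameters.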
