Profiles and password management

================================

http://www.orafaq.com/wiki/Profiles_and_password_management
http://www.siue.edu/~dbock/cmis565/module13-profile_resource.htm

1 What is Profile
2 Benefits of Profile
3 Resource Parameters
4 Creating Profile
5 Assigning Profile
6 Altering Profile
7 Dropping Profile
8 Password Management
9 Password Parameters
10 Enabling Password Management
11 Restrictions on password parameters
12 How profiles are stored
13 Examples

What is Profile ?

A profile is a database object - a named set of resource limits to:

Restrict database usage by a system user – profiles restrict users from performing
operations that exceed reasonable resource utilization. Examples of resources that
need to be managed:

Disk storage space.

I/O bandwidth to run queries.
CPU power.
Connect time.
Cpu time

Enforce password practices – how user passwords are created, reused, and
validated.

Profiles are assigned to users as part of the CREATE USER or ALTER USER
commands.

User accounts can have only a single profile.

A default profile can be created – a default already exists within Oracle
named DEFAULT – it is applied to any user not assigned another profile.
Assigning a new profile to a user account supersedes any earlier profile.
Profiles cannot be assigned to roles or other profiles.

Here are some system privileges for PROFILE.

alter profile
create profile
drop profile

Benefits of Profile
===================

You can enforce a limit on resource utilization using resource limit parameters.
Also you can maintain database security by using password management feature.

Resource Parameters
===================

SESSIONS_PER_USER Specify the number of concurrent sessions to which you want

to limit the user.
CPU_PER_SESSION Specify the CPU time limit for a session, expressed in hundredth
of seconds.
CPU_PER_CALL Specify the CPU time limit for a call (a parse, execute, or
fetch), expressed in hundredths of seconds.
CONNECT_TIME Specify the total elapsed time limit for a session,
expressed in minutes.
IDLE_TIME Specify the permitted periods of continuous inactive time during
a session, expressed in minutes. Long-running queries and
other operations are not subject to this limit.
LOGICAL_READS_PER_SESSION Specify the permitted number of data blocks read in a
session, including blocks read from memory and disk.
LOGICAL_READS_PER_CALL Specify the permitted the number of data blocks read for a
call to process a SQL statement (a parse, execute, or fetch).
PRIVATE_SGA Specify the amount of private space a session can allocate in the
shared pool of the system global area (SGA), expressed in bytes.
COMPOSITE_LIMIT Specify the total resource cost for a session, expressed in
service units. Oracle Database calculates the total service units as a weighted sum
of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA.

Creating Profile
================

Profiles only take effect when resource limits are "turned on" for the database as
a whole.

• Specify the RESOURCE_LIMIT initialization parameter.

RESOURCE_LIMIT = TRUE

Let check the parameter value.

SQL> show parameter resource_limit

NAME TYPE VALUE
------------------------------------ ----------- ---------
resource_limit boolean FALSE

Its mean resource limit is off,we ist have to enable it.

• Use the ALTER SYSTEM statement to turn on resource limits.

SQL> ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

System altered.
SQL> show parameter resource_limit
NAME TYPE VALUE
------------------------------------ ----------- ---------
resource_limit boolean TRUE

• Resource limit specifications pertaining to passwords are always in effect.

Now I'm going to create a profile with the name my_profile.

SQL> CREATE PROFILE my_profile LIMIT

 2 SESSIONS_PER_USER 2
3 IDLE_TIME 5
4 CONNECT_TIME 10;

Profile created.

In the above example i created simple profile which will handle

SESSIONS_PER_USER <<<I'm able to open 2 sessions concurrent

IDLE_TIME <<<My session will be terminate automatically after the time
specified for this parameter.
CONNECT_TIME <<<It will keep me online until the value of this parameter.

NOTE:

Both parameters take values in min.

Now I'm creating a test user to check the functionality of this profile.

SQL> create user Michel identified by michel

2 default tablespace users
3 temporary tablespace temp;

User created.

SQL> alter user Michel profile my_profile;

User altered.

With the above statement i assigned the profile my_profile to user Michel.

Let see how our profile will work.

I already opened 2 sessions with the user name Michel but when i tried for third
session it throws this error.

sqlplus Michel
SQL*Plus: Release 11.1.0.6.0 - Production on Mon Nov 26 15:57:23 2007
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Enter password:
ERROR:
ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit

You noticed when i tried to open third session it gave me error.

Lets go to 2nd step IDLE_TIME.Here we go again

SQL> select * from tab;

select * from tab
*
ERROR at line 1:
ORA-02396: exceeded maximum idle time, please connect again

Because i was idle more than 5 min so thats why Oracle server kill mine session.

We can check the resource parameter of our profile by querying DBA_PROFILES.

SQL> select * from dba_profiles
2 where profile='MY_PROFILE';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- -------- -------
MY_PROFILE COMPOSITE_LIMIT KERNEL DEFAULT
MY_PROFILE SESSIONS_PER_USER KERNEL 2
MY_PROFILE IDLE_TIME KERNEL 5
MY_PROFILE CONNECT_TIME KERNEL 10
.
.
.

Assigning Profile
=================

Profile can be assign in two ways either during USER creation or by using ALTER
statement.

Case 1:

SQL> create user orafaq identified by pass profile my_profile;

User created.

We can check it by using this query.

SQL> select username,profile

from dba_users
where username='ORAFAQ';

USERNAME PROFILE
------------------------------ --------------
ORAFAQ MY_PROFILE

CASE 2:

SQL> drop user orafaq cascade;

User dropped.
SQL> create user orafaq identified by pass;
User created.
SQL> alter user orafaq profile my_profile;
User altered.

Altering Profile
================

Profiles can be altered with the ALTER PROFILE command. • A DBA must have the ALTER
PROFILE system privilege to use this command. • When a profile limit is adjusted,
the new setting overrides the previous setting for the limit, but these changes do
not affect current sessions in process. See the example below

SQL> ALTER PROFILE accountant LIMIT

2 CPU_PER_CALL default
3 LOGICAL_READS_PER_SESSION 20000
4 SESSIONS_PER_USER 1;

Dropping Profile
================
Profiles no longer required can be dropped with the DROP PROFILE command.

The DEFAULT profile cannot be dropped.

The CASCADE clause revokes the profile from any user account to which it was
assigned – the CASCADE clause MUST BE USED if the profile has been assigned to any
user account.
When a profile is dropped, any user account with that profile is reassigned the
DEFAULT profile. See example below:

SQL> DROP PROFILE accountant;

ERROR at line 1:
ORA-02382: profile ACCOUNTANT has users assigned, cannot drop without CASCADE

SQL> DROP PROFILE accountant CASCADE;

Password Management
===================
Password Parameters
===================

FAILED_LOGIN_ATTEMPTS Maximum times the user is allowed in fail login before

locking the user account
PASSWORD_LIFE_TIME Number of days the password is valid before expiry
PASSWORD_REUSE_TIME Number of day after the user can use the already used
password
PASSWORD_REUSE_MAX Number of times the user can use the already used password
PASSWORD_LOCK_TIME Number of days the user account remains locked after failed
login
PASSWORD_GRACE_TIME Number of grace days for user to change password
PASSWORD_VERIFY_FUNCTION PL/SQL that can be used for password verification
SEC_CASE_SENSITIVE_LOGON To control the case sensitivity in passwords

Enabling Password Management

============================

Restrictions on password parameters

===================================

How profiles are stored

=======================

Profiles can be viewed via the DBA_PROFILE views (available only with DBA role):

SQL> describe DBA_PROFILES

Name Null? Type
------------- -------- -------------
PROFILE NOT NULL VARCHAR2(30)
RESOURCE_NAME NOT NULL VARCHAR2(32)
RESOURCE_TYPE VARCHAR2(8)
LIMIT VARCHAR2(40)

There are only two RESOURCE TYPEs, "KERNEL" and "PASSWORD"; and 16 RESOURCE NAMEs
which can be given a limit; the limit in the DEFAULT profile is written in the 3rd
column (as of 11gR2):

RESOURCE_NAME RESOURCE_TYPE LIMIT

--------------------------- ------------- --------------
COMPOSITE_LIMIT KERNEL UNLIMITED
CONNECT_TIME KERNEL UNLIMITED
CPU_PER_CALL KERNEL UNLIMITED
CPU_PER_SESSION KERNEL UNLIMITED
IDLE_TIME KERNEL UNLIMITED
LOGICAL_READS_PER_CALL KERNEL UNLIMITED
LOGICAL_READS_PER_SESSION KERNEL UNLIMITED
PRIVATE_SGA KERNEL UNLIMITED
SESSIONS_PER_USER KERNEL UNLIMITED

FAILED_LOGIN_ATTEMPTS PASSWORD 10
PASSWORD_GRACE_TIME PASSWORD 7
PASSWORD_LIFE_TIME PASSWORD UNLIMITED
PASSWORD_LOCK_TIME PASSWORD 1
PASSWORD_REUSE_MAX PASSWORD UNLIMITED
PASSWORD_REUSE_TIME PASSWORD UNLIMITED
PASSWORD_VERIFY_FUNCTION PASSWORD NULL