
Profiles

Main points in this section


• What are profiles
• What resources are managed using profiles
o SESSIONS_PER_USER
o CPU_PER_SESSION
o CPU_PER_CALL
o LOGICAL_READS_PER_SESSION
o LOGICAL_READS_PER_CALL
o PRIVATE_SGA
o CONNECT_TIME
o IDLE_TIME
o COMPOSITE_LIMIT
• How Passwords are managed using profiles
o FAILED_LOGIN_ATTEMPTS
o PASSWORD_LOCK_TIME
o PASSWORD_LIFE_TIME
o PASSWORD_GRACE_TIME
o PASSWORD_REUSE_TIME
o PASSWORD_REUSE_MAX
o PASSWORD_VERIFY_FUNCTION
• Manage Profiles
o Create Profile
o Alter Profile
o Drop Profile
• Initialization Parameters
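o RESOURCE_LIMIT=TRUE (resource limits in a profile are enforced only when this is TRUE; password limits are enforced regardless)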
• Data Dictionary views related to Profiles
o Dba_profiles
o User_password_limits
o User_resource_limits
o Resource_cost
What are profiles
• Profiles are used to control database resource usage.
• They are also used to manage user passwords.
• Oracle provides predefined resource parameters that
we can use to monitor and control database usage
• Profiles are created using “create profile” command
and assigned to users
• Oracle provides a predefined “DEFAULT” profile. It gives
unlimited resource usage to all users who are not
assigned a specific profile
List of resources managed by profiles

PRIVATE_SGA limits the amount of SGA (System Global Area)
memory, in bytes, that a user connecting with shared servers
can allocate to the persistent area in the PGA (Program
Global Area).

-- Create profile "agent" with PRIVATE_SGA capped at 2500 (bytes).
CREATE PROFILE agent
   LIMIT PRIVATE_SGA 2500;

-- Remove the PRIVATE_SGA cap from the existing profile "data_analyst".
ALTER PROFILE data_analyst
   LIMIT PRIVATE_SGA UNLIMITED;
List of Password parameters managed by profiles

If the FAILED_LOGIN_ATTEMPTS limit is breached, the account is
locked for PASSWORD_LOCK_TIME days. If the
PASSWORD_LOCK_TIME parameter is set to UNLIMITED and a user
exceeds FAILED_LOGIN_ATTEMPTS, the account must be manually
unlocked by a privileged user (ALTER USER ... ACCOUNT UNLOCK, as
shown in the example below).
Commands for managing profiles

SQL> ALTER USER sh PROFILE new_profile;


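When you drop a profile that is still assigned to users, you must
specify CASCADE (DROP PROFILE profile_name CASCADE) to de-assign
it from those users. They are then automatically assigned the
DEFAULT profile and pick up whatever limits DEFAULT currently sets.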

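-- Use a custom password verification function for profile "agent".
-- NOTE(review): Oracle expects the named function to be owned by SYS and to
-- have the (username, password, old_password) RETURN boolean signature --
-- confirm my_function meets both before assigning it.
CREATE PROFILE agent LIMIT PASSWORD_VERIFY_FUNCTION
my_function;

-- Make profile "student" inherit the verify function of the DEFAULT profile.
-- This does not by itself disable verification: if DEFAULT names a function,
-- that function still applies to "student" users. The setting that turns
-- verification off for a profile is PASSWORD_VERIFY_FUNCTION NULL.
ALTER PROFILE student LIMIT PASSWORD_VERIFY_FUNCTION
DEFAULT;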
Example

[oracle@oracledb ~]$ cat abc.txt


SQL> create user user101 identified by mypassword default
tablespace users
2 temporary tablespace tempsmall;

User created.

SQL> grant create session to user101;

Grant succeeded.

SQL> desc dba_users


Name Null? Type
----------------------------------------- -------- -------
---------------------
USERNAME NOT NULL
VARCHAR2(30)
USER_ID NOT NULL NUMBER
PASSWORD
VARCHAR2(30)
ACCOUNT_STATUS NOT NULL
VARCHAR2(32)
LOCK_DATE DATE
EXPIRY_DATE DATE
DEFAULT_TABLESPACE NOT NULL
VARCHAR2(30)
TEMPORARY_TABLESPACE NOT NULL
VARCHAR2(30)
CREATED NOT NULL DATE
PROFILE NOT NULL
VARCHAR2(30)
INITIAL_RSRC_CONSUMER_GROUP
VARCHAR2(30)
EXTERNAL_NAME
VARCHAR2(4000)

SQL> select username, password, account_status, profile


2 from dba_users where username = 'USER101';

USERNAME PASSWORD
------------------------------ ----------------------------
--
ACCOUNT_STATUS PROFILE
-------------------------------- --------------------------
----
USER101 C785129D188B99F3
OPEN DEFAULT

SQL> @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

Function created.

Profile altered.

SQL> !cat $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

SQL> connect user101/xxxx


ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.


SQL> connect user101/yyyy
ERROR:
ORA-01017: invalid username/password; logon denied

SQL> connect user101/zzzzz


ERROR:
ORA-01017: invalid username/password; logon denied

SQL> connect shekhar


ERROR:
ORA-28002: the password will expire within 10 days

Connected.
SQL> select username, password, account_status, profile
2 from dba_users where username = 'USER101';

USERNAME PASSWORD
------------------------------ ----------------------------
--
ACCOUNT_STATUS PROFILE
-------------------------------- --------------------------
----
USER101 C785129D188B99F3
LOCKED(TIMED) DEFAULT

SQL> alter user user101 account unlock;

User altered.

SQL> select username, password, account_status, profile


2 from dba_users where username = 'USER101';

USERNAME PASSWORD
------------------------------ ----------------------------
--
ACCOUNT_STATUS PROFILE
-------------------------------- --------------------------
----
USER101 C785129D188B99F3
OPEN DEFAULT

SQL> connect user101/mypassword


Connected.
SQL> show user
USER is "USER101"
SQL> spool off
[oracle@oracledb]

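CREATE OR REPLACE FUNCTION verify_function
(username varchar2,
 password varchar2,
 old_password varchar2)
RETURN boolean IS
   -- Password complexity check intended to be named in a profile's
   -- PASSWORD_VERIFY_FUNCTION limit.
   --
   -- Parameters:
   --   username      account whose password is being set
   --   password      proposed new password
   --   old_password  previous password; when NULL the difference check is skipped
   --
   -- Returns TRUE when every check passes.
   --
   -- Raises (via raise_application_error):
   --   -20001  password equals the username, ignoring case
   --   -20002  password is missing or shorter than 4 characters, or is on
   --           the built-in list of simple words (both checks share this code,
   --           so callers must read the message text to tell them apart)
   --   -20003  password lacks a digit, a letter or a punctuation mark
   --   -20004  password differs from old_password by fewer than 3 characters
   --
   -- NOTE(review): a 4-character minimum, an eight-word dictionary and an
   -- exact-match username test are weak by current standards. Later Oracle
   -- releases ship stricter functions in utlpwdmg.sql (for example
   -- ora12c_verify_function); prefer one of those, or raise these thresholds,
   -- where the database version allows.
   m          integer;
   differ     integer;
   isdigit    boolean := FALSE;
   ischar     boolean := FALSE;
   ispunct    boolean := FALSE;
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray  varchar2(52);

BEGIN
   digitarray := '0123456789';
   chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   punctarray := '!"#$%&()``*+,-/:;<=>?_';

   -- Reject a password that is the username (case-insensitive, exact match only).
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
      raise_application_error(-20001, 'Password same as or similar to user');
   END IF;

   -- Minimum length. A NULL password is rejected here explicitly; without the
   -- NULL test, length() returns NULL, the comparison is skipped and the
   -- character scan below fails with a VALUE_ERROR instead of a policy error.
   IF password IS NULL OR length(password) < 4 THEN
      raise_application_error(-20002, 'Password length less than 4');
   END IF;

   -- Reject a handful of well-known simple passwords. A larger dictionary
   -- could be maintained and checked here.
   IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                              'password', 'oracle', 'computer', 'abcd') THEN
      raise_application_error(-20002, 'Password too simple');
   END IF;

   -- Require at least one digit, one letter and one punctuation mark.
   -- One pass over the password classifies each character; the three sets
   -- are disjoint, so a character can match at most one of them.
   m := length(password);
   FOR j IN 1..m LOOP
      IF instr(digitarray, substr(password, j, 1)) > 0 THEN
         isdigit := TRUE;
      ELSIF instr(chararray, substr(password, j, 1)) > 0 THEN
         ischar := TRUE;
      ELSIF instr(punctarray, substr(password, j, 1)) > 0 THEN
         ispunct := TRUE;
      END IF;
   END LOOP;

   -- The message is kept on one line: a literal broken across lines with a
   -- trailing backslash puts the backslash and the newline into the error text.
   IF NOT (isdigit AND ischar AND ispunct) THEN
      raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
   END IF;

   -- Require the new password to differ from the previous one by at least
   -- 3 characters: the length difference plus the number of positions (over
   -- the shorter of the two) that hold different characters.
   IF old_password IS NOT NULL THEN
      differ := abs(length(old_password) - length(password));

      IF differ < 3 THEN
         m := least(length(password), length(old_password));

         FOR i IN 1..m LOOP
            IF substr(password, i, 1) != substr(old_password, i, 1) THEN
               differ := differ + 1;
            END IF;
         END LOOP;

         IF differ < 3 THEN
            raise_application_error(-20004, 'Password should differ by at least 3 characters');
         END IF;
      END IF;
   END IF;

   -- Every check passed.
   RETURN(TRUE);
END;
/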

-- Set the password-management limits of the DEFAULT profile.
-- DEFAULT covers every user that has no other profile assigned, so these
-- values become the system-wide password policy; a user is exempt only when
-- assigned a separate profile that sets its own values (or UNLIMITED).
-- Time limits are expressed in days, so PASSWORD_LOCK_TIME 1/1440 is a
-- one-minute lock after FAILED_LOGIN_ATTEMPTS failed logins.
-- NOTE(review): a one-minute lock only slows password guessing; confirm it
-- matches the site's lockout policy.
-- NOTE(review): application and service accounts left on DEFAULT are also
-- subject to the 60-day expiry and the lockout -- check them before running.
-- NOTE(review): the effect of a numeric PASSWORD_REUSE_TIME combined with
-- PASSWORD_REUSE_MAX UNLIMITED differs between Oracle releases -- verify it
-- against the documentation for the target version.
ALTER PROFILE DEFAULT LIMIT
   FAILED_LOGIN_ATTEMPTS    3
   PASSWORD_LOCK_TIME       1/1440
   PASSWORD_LIFE_TIME       60
   PASSWORD_GRACE_TIME      10
   PASSWORD_REUSE_TIME      1800
   PASSWORD_REUSE_MAX       UNLIMITED
   PASSWORD_VERIFY_FUNCTION verify_function;
