11g Security features – Profiles

I have been working with 11g for the past few months, off and on. One of the things I started to dig into more is the new security features, profiles in particular, because you run into them when creating new users on the system or altering existing ones, such as APEX_PUBLIC_USER. I needed to alter that user when I started to explore Application Express.

There are several default profiles in 11g: DEFAULT, MONITORING_PROFILE and WKSYS_PROF. One of the things you will need to keep in mind when creating users on your system is the password parameters of the DEFAULT profile. If you want to control how long your users' passwords last, the reuse time, or how many times users can reuse a password, you should consider creating a new profile.
Here are some of the password parameters that can be set.

FAILED_LOGIN_ATTEMPTS: This sets the number of times a user can fail to log in before the account is locked.

PASSWORD_LIFE_TIME: This is set in days; if the parameter is omitted the default setting is 180 days. Setting the parameter to UNLIMITED allows the password to never expire. If PASSWORD_GRACE_TIME is also set, the password will expire if it is not changed within the grace period.

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX: These parameters work with each other and must be set together. PASSWORD_REUSE_TIME is the number of days that must elapse before a password can be reused. PASSWORD_REUSE_MAX sets the number of password changes that must occur before a password can be reused.

PASSWORD_LOCK_TIME: This is the number of days a user stays locked once the set number of failed login attempts has been reached. Omitting this parameter sets the default to 1.

PASSWORD_GRACE_TIME: The number of days of grace after the password has reached its expiry. Warnings are displayed but logins are allowed until the grace period runs out. The default is 7 days.

PASSWORD_VERIFY_FUNCTION: A PL/SQL function used to verify the complexity of the password. You can create your own, use a third-party script, or use the one provided on installation.

Here is an example of setting profile password limits. It creates a profile named LOCAL_DB (unquoted identifiers are stored in upper case):

CREATE PROFILE local_DB LIMIT
FAILED_LOGIN_ATTEMPTS 5          -- lock the account after 5 failures
PASSWORD_LIFE_TIME 60            -- days before the password expires
PASSWORD_REUSE_TIME 60           -- days before a password may be reused
PASSWORD_REUSE_MAX 5             -- changes required before reuse
PASSWORD_VERIFY_FUNCTION verify_function
PASSWORD_LOCK_TIME 1/24          -- fraction of a day: locked for one hour
PASSWORD_GRACE_TIME 10;          -- days of warnings after expiry
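The post mentions that you can write your own PASSWORD_VERIFY_FUNCTION but does not show one. The following is an added example, not code from the original post: a minimal verify function in the shape 11g expects (three VARCHAR2 arguments, BOOLEAN return, created as SYS), a profile that references it, the ALTER USER that actually puts it in force, and a DBA_PROFILES query to confirm the limits. The names pwd_check, local_db_strict and app_user are assumptions for this example.

```sql
-- Added example, not from the original post; run as SYS. pwd_check, local_db_strict
-- and app_user are names assumed here, not objects on the author's system.
CREATE OR REPLACE FUNCTION pwd_check (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    differ INTEGER := 0;
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    IF NLS_LOWER(password) = NLS_LOWER(username) THEN
        raise_application_error(-20002, 'Password must not match the username');
    END IF;
    -- Require at least one letter and one digit.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20003, 'Password needs a letter and a digit');
    END IF;
    -- old_password is NULL when a DBA resets the password with ALTER USER.
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        differ := differ + ABS(LENGTH(password) - LENGTH(old_password));
        IF differ < 3 THEN
            raise_application_error(-20004, 'Password must differ from the old one in 3+ positions');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
-- Profile enforcing the function alongside lockout and expiry limits.
CREATE PROFILE local_db_strict LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24      -- fraction of a day: one hour
    PASSWORD_LIFE_TIME       60
    PASSWORD_GRACE_TIME      10
    PASSWORD_REUSE_TIME      60
    PASSWORD_REUSE_MAX       5
    PASSWORD_VERIFY_FUNCTION pwd_check;
-- Users keep DEFAULT until moved; assign the new profile explicitly.
ALTER USER app_user PROFILE local_db_strict;
-- Confirm what is in force (unquoted names are stored in upper case).
SELECT resource_name, limit FROM dba_profiles
 WHERE profile = 'LOCAL_DB_STRICT' AND resource_type = 'PASSWORD';
```

The function is only invoked on CREATE USER and ALTER USER ... IDENTIFIED BY, so existing passwords are not re-checked until they are next changed.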

There is a great deal of additional information about setting profile parameters and their use in the <a href="http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/users.htm#DBSEG002" target="new">Oracle Database Security Guide</a>.

Hope this helps.
