Manage Passwords Using Profiles


Profiles are named sets of passwords and resource limits. They are assigned to individual users using the CREATE USER or ALTER USER command and can be enabled or disabled. Every database comes with at least one profile, the DEFAULT profile. With a profile, you can do the following:

  • Set rules for password aging and expiration.

  • Maintain password history so that you can manage reuse.

  • Set rules for password complexity and verification.

  • Set rules for account locking.

  • Set limits on CPU time and I/O operations.

  • Set limits on allowable idle time.

  • Set limits on allowable connect time.

  • Set limits on allowable concurrent sessions.

After a profile is created, the DBA assigns users to that profile. If resource limits are enabled, Oracle restricts each assigned user's database usage to the limits defined in the profile.

Resource limits are assessed at the profile level, not the user level. A user who is assigned a profile inherits the resource limits of that profile.


DEFAULT Profile

When the database is created, Oracle automatically creates the DEFAULT profile. Users who have not been explicitly assigned to another profile will be assigned to DEFAULT. When DEFAULT is created, it has all its resource limits set to UNLIMITED. You, as the DBA, can change these values so that the limits in your environment reflect the default settings that you want to have applied to your average user.

Profile Usage

Profiles restrict sets of users from performing operations that require heavy use of resources. They ensure either that users log off the database when they are finished or that their session is logged off after it has been idle for a specified amount of time. You can group people and resources together based on similarities in need, a feature that is particularly useful when managing large, complex databases with many different kinds of users.

Profiles have the following characteristics:

  • Assigning a profile to a user does not affect the currently logged-in session.

  • Profiles have to be assigned to users, not to roles or other profiles.

  • If you don't assign another profile to a user when that user is created, the DEFAULT profile is automatically assigned.

  • Any parameters not set within a profile will take on the values from the DEFAULT profile.
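The following is an added example (not from the book) showing the resource-limit side of a profile and how the profile is attached to a user with CREATE USER and ALTER USER. The profile and user names are made up; the parameter names, units and views are Oracle's own.

```sql
-- Resource limits in a profile are only enforced while the RESOURCE_LIMIT
-- initialization parameter is TRUE; password limits do not depend on it.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Any limit not listed here is inherited from the DEFAULT profile.
CREATE PROFILE app_users_profile LIMIT
    SESSIONS_PER_USER          3        -- concurrent sessions per user
    CPU_PER_SESSION            60000    -- hundredths of a second of CPU per session
    CONNECT_TIME               480      -- minutes a session may stay connected
    IDLE_TIME                  30       -- minutes of inactivity before the session is ended
    LOGICAL_READS_PER_SESSION  500000;  -- data blocks read per session (I/O limit)

-- Assign the profile when the user is created ...
CREATE USER report_user IDENTIFIED BY Temp_2004 PROFILE app_users_profile;

-- ... or later. A session that is already logged in keeps its old limits;
-- the new profile applies from the next login.
ALTER USER report_user PROFILE app_users_profile;

-- Check which profile a user is on and what limits it carries.
SELECT username, profile
  FROM dba_users
 WHERE username = 'REPORT_USER';

SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS_PROFILE'
   AND resource_type = 'KERNEL';
```

The second query lists only the KERNEL (resource) limits; the PASSWORD limits of the same profile are the subject of the sections that follow.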

Passwords

Often, it is easier to exercise greater control over database security and password management by using profiles. You can identify characteristics that a given set of users shares and define password maintenance rules that fit that set of users.

Account Locking

Account locking enables the automatic locking of an account whenever a user fails to log in to the database after a specific number of attempts. Although it is true that users often forget passwords and need to be able to try a couple of alternatives before they get it right, it is also a fact that people trying to gain illicit access to a database may have a good guess at a userid but not know the password. An unlimited number of attempts may not be a wise security decision. Limiting a user to three or five invalid attempts limits your security exposure and provides users with a little guessing room for passwords they may have forgotten.

Two parameters assist the DBA with controlling account locking. FAILED_LOGIN_ATTEMPTS sets the number of consecutive failed login attempts after which the account is automatically locked. A locked account either can be set to unlock automatically after a specific amount of time has passed (set by the other parameter, PASSWORD_LOCK_TIME) or can be unlocked by the DBA with the ALTER USER command. If an account is locked using the ALTER USER command, it is never automatically unlocked.
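As an added example (not from the book), here is a profile that applies the two locking parameters, together with the DBA-side checks for accounts that the mechanism has locked. Profile and user names are made up; the ACCOUNT_STATUS values come from Oracle's DBA_USERS view.

```sql
-- Lock after the fifth consecutive failure; release the lock automatically
-- after 30 minutes. PASSWORD_LOCK_TIME is expressed in days, so 30 minutes
-- is written as 30/1440.
CREATE PROFILE lockout_profile LIMIT
    FAILED_LOGIN_ATTEMPTS  5
    PASSWORD_LOCK_TIME     30/1440;

ALTER USER app_user PROFILE lockout_profile;

-- Review locked accounts. LOCKED(TIMED) is an automatic lock that will
-- expire after PASSWORD_LOCK_TIME; plain LOCKED is a manual lock that
-- stays in place until a DBA removes it.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date;

-- Manual lock, for example while an incident is investigated. This kind
-- of lock never times out.
ALTER USER app_user ACCOUNT LOCK;

-- Manual unlock, used both for manual locks and to release an automatic
-- lock before PASSWORD_LOCK_TIME has elapsed.
ALTER USER app_user ACCOUNT UNLOCK;
```

Reviewing the LOCKED(TIMED) rows periodically is a cheap way to notice password-guessing activity: many accounts locking within a short window points to something other than forgotten passwords.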

Password Aging and Expiration

Password aging and expiration enable you to determine in advance a password's lifetime. After the expiration period, the password must be changed. This limits security exposure because a user who has had the same password for five years may have at some point given his password to someone else. Forcing the password to be changed limits the length of time that there is a hole in the security.

Two parameters are available to help with maintaining password aging and expiration. PASSWORD_LIFE_TIME sets the maximum lifetime after which the password must be changed (there is no corresponding minimum time that must pass before the user must change the password). You, as the DBA, can also specify a grace period with the PASSWORD_GRACE_TIME parameter. Once PASSWORD_LIFE_TIME has elapsed, the grace period begins at the user's next login. A warning message is generated every time the user logs in until the grace period has passed, and the user is expected to change the password within the grace period. If the password is not changed within the grace period, the account is locked.

You can deliberately set the state of a password to "expired" by using the EXPIRED keyword in the CREATE USER or ALTER USER command. This forces the user to change his password the first time that he logs in to the system.
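The following added example (not from the book) puts the aging parameters into a profile and shows both ways of forcing a change at the next login, plus a query to see which accounts are in their grace period. Names are made up; the status values and columns are from Oracle's DBA_USERS.

```sql
-- Passwords expire after 90 days; the user then has 7 days of warnings
-- before the account is locked.
CREATE PROFILE aging_profile LIMIT
    PASSWORD_LIFE_TIME   90
    PASSWORD_GRACE_TIME  7;

-- New account: the initial password works exactly once, after which the
-- user must choose a new one.
CREATE USER new_hire IDENTIFIED BY Welcome_2004
    PROFILE aging_profile
    PASSWORD EXPIRE;

-- Existing account: force a change at the next login, for example after a
-- password has been shared or reset by the help desk.
ALTER USER app_user PASSWORD EXPIRE;

-- Accounts already expired, in their grace period, or due to expire within
-- two weeks.
SELECT username, account_status, expiry_date
  FROM dba_users
 WHERE account_status IN ('EXPIRED', 'EXPIRED(GRACE)')
    OR expiry_date < SYSDATE + 14
 ORDER BY expiry_date;
```

Running the last query as a scheduled report lets the DBA warn users before the grace period runs out and the lock described above takes effect.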


Password History

Password history allows you to preset an amount of time that must pass before a password can be reused. This can be set either as a specific amount of time, for example 90 days, or as a specific number of password changes, three or five or any number that you set.

Oracle provides two parameters that assist with password history maintenance. PASSWORD_REUSE_TIME specifies the number of days that must pass before a user can reuse a previous password. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused, which forces the user to choose passwords that differ from earlier ones. If you set PASSWORD_REUSE_MAX to an integer value, you have to set PASSWORD_REUSE_TIME to UNLIMITED.

If PASSWORD_REUSE_TIME is set to a value other than DEFAULT or UNLIMITED, PASSWORD_REUSE_MAX must be set to UNLIMITED.
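As an added example (not from the book), the two valid ways of configuring password history, reflecting the rule above that only one of the two parameters may hold a finite value. Profile names are made up.

```sql
-- Option A: time-based history. A password may be reused only after 90
-- days, so the change-count limit must be UNLIMITED.
CREATE PROFILE history_by_time LIMIT
    PASSWORD_REUSE_TIME  90
    PASSWORD_REUSE_MAX   UNLIMITED;

-- Option B: count-based history. Five different passwords must be used
-- before an old one can come back, so the time limit must be UNLIMITED.
CREATE PROFILE history_by_count LIMIT
    PASSWORD_REUSE_TIME  UNLIMITED
    PASSWORD_REUSE_MAX   5;

-- Setting both to finite values, e.g. PASSWORD_REUSE_TIME 90 together with
-- PASSWORD_REUSE_MAX 5, is rejected by this release, as the text states.

-- Confirm the history settings of every profile.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_REUSE_TIME', 'PASSWORD_REUSE_MAX')
 ORDER BY profile, resource_name;
```

Option B is the more predictable choice for users who change passwords rarely: with a time-based limit, a user whose password lifetime exceeds PASSWORD_REUSE_TIME could alternate between two passwords indefinitely.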


Password Complexity Verification

Complexity verification ensures that a password satisfies rules that you set up ahead of time: how many characters a password must contain and which combinations of characters are acceptable. (For example, a password must have at least one number and at least one non-number character, must not be the same as or similar to your userid, must have at most one set of duplicated letters or numbers within the password, and so forth.)

When users change their passwords, a PL/SQL function can be invoked to verify the validity of the new password before it is assigned. Oracle provides a default verification routine, but the DBA can create an alternative PL/SQL function that checks validity in a customized way. The Oracle-provided profile parameter, PASSWORD_VERIFY_FUNCTION, is set to the name of the custom PL/SQL function to enable that program unit for password verification.

The Oracle-provided password function takes the userid, new password, and old password as parameters and returns a Boolean value indicating whether the password is valid. The characteristics that VERIFY_FUNCTION (the Oracle-supplied SYS function for password verification) checks are as follows:

  • Minimum length of password is four characters.

  • Password should not be equal to username.

  • Password should have at least one alphabetic, one numeric, and one special character.

  • Password should differ from immediately previous password by at least three letters.

To use the VERIFY_FUNCTION, you need to have run the utlpwdmg.sql script as the SYS user. This script changes the DEFAULT profile and sets the following defaults:

  • PASSWORD_LIFE_TIME = 60

  • PASSWORD_GRACE_TIME = 10

  • PASSWORD_REUSE_TIME = 1800

  • PASSWORD_REUSE_MAX = UNLIMITED

  • FAILED_LOGIN_ATTEMPTS = 3

  • PASSWORD_LOCK_TIME = 1/1440

  • PASSWORD_VERIFY_FUNCTION = verify_function
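The following added example (not from the book and not Oracle's utlpwdmg.sql) is a custom verification function with the signature described above, implementing the four rules the text lists for VERIFY_FUNCTION, with the minimum length raised from four to eight characters. The function name, the minimum length and the user-defined error numbers are choices made for this example. It must be created as SYS, and the profile is then pointed at it with ALTER PROFILE.

```sql
CREATE OR REPLACE FUNCTION custom_verify (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN IS
    min_len      CONSTANT PLS_INTEGER := 8;   -- verify_function uses 4
    c            VARCHAR2(1);
    has_alpha    BOOLEAN := FALSE;
    has_digit    BOOLEAN := FALSE;
    has_special  BOOLEAN := FALSE;
    differ       PLS_INTEGER := 0;
    n            PLS_INTEGER;
BEGIN
    -- Rule 1: minimum length
    IF LENGTH(password) < min_len THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Password must be at least ' || min_len || ' characters');
    END IF;

    -- Rule 2: must not equal the username (usernames are case-insensitive)
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002,
            'Password must not be the same as the username');
    END IF;

    -- Rule 3: at least one letter, one digit and one special character
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF (c BETWEEN 'a' AND 'z') OR (c BETWEEN 'A' AND 'Z') THEN
            has_alpha := TRUE;
        ELSIF c BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSE
            has_special := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_alpha AND has_digit AND has_special) THEN
        RAISE_APPLICATION_ERROR(-20003,
            'Password needs a letter, a digit and a special character');
    END IF;

    -- Rule 4: differ from the previous password in at least three positions.
    -- Positions beyond the shorter string count as differences; CHR(0) is
    -- used as the filler because it cannot occur in a password.
    IF old_password IS NOT NULL THEN
        n := GREATEST(LENGTH(password), LENGTH(old_password));
        FOR i IN 1 .. n LOOP
            IF NVL(SUBSTR(password, i, 1), CHR(0))
               <> NVL(SUBSTR(old_password, i, 1), CHR(0)) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        IF differ < 3 THEN
            RAISE_APPLICATION_ERROR(-20004,
                'Password must differ from the previous one in at least 3 positions');
        END IF;
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to the DEFAULT profile. The value is an identifier
-- (the function name), not a quoted string.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION custom_verify;

-- Confirm the password-related limits now in force for DEFAULT.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_type = 'PASSWORD';
```

Because the function runs under SYS for every password change, keep it free of any lookups or logging that could expose the cleartext password, and test it with ALTER USER ... IDENTIFIED BY on a throwaway account before rolling it into DEFAULT.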

Whether or not password management is enabled in a profile, the user account can be locked or unlocked with the CREATE USER or ALTER USER command. This is the same method used to assign profiles to users, and the password limits of a profile are always enforced for the users assigned to it.



    Oracle 9i Fundamentals I Exam Cram 2
    ISBN: 0789732653
    Year: 2004
    Pages: 244
    Authors: April Wells