Thursday, March 27, 2008

6-23. Profiles and users

Users are assigned only one profile at any given time.

Profiles:


  • Control resource consumption
  • Manage account status and password expiration

Control resource consumption

Profiles enable the administrator to control the following system resources:

  • CPU: may be limited on a per-session or per-call basis (in hundredths of a second)
  • Network/Memory: each DB session consumes system memory and, if the user is not local to the server, network resources. You can specify limits on connect time, idle time, concurrent sessions, or private SGA.
  • Disk I/O: This limits the amount of data a user can read either at the per-session or per-call level. Reads/Session and Reads/Call place a limitation on the total number of reads from both memory and the disk.

Profiles also allow a composite limit. Composite limits are based on a weighted combination of CPU/Session, Reads/Session, Connect Time, and Private SGA. Composite limits are discussed in more detail in the Oracle Database Security Guide.

Manage account status and password expiration

Oracle password management is implemented with user profiles. In Enterprise Manager, set these options on the Password tab of the desired profile. Profiles can provide many standard security features, including the following:

Account locking:

  • The FAILED_LOGIN_ATTEMPTS parameter specifies the number of failed login attempts before the lockout of the account.
  • The PASSWORD_LOCK_TIME parameter specifies the number of days for which the account is locked after the specified number of failed login attempts.

Password aging and expiration:

  • The PASSWORD_LIFE_TIME parameter determines the lifetime of the password in days, after which the password expires.
  • The PASSWORD_GRACE_TIME parameter specifies a grace period in days for changing the password after the first successful login after the password has expired.

Password history (mutually exclusive parameters):

  • PASSWORD_REUSE_TIME: specifies that a user cannot reuse a password for a given number of days
  • PASSWORD_REUSE_MAX: specifies the number of password changes that are required before the current password can be reused.

Password complexity verification:

  • The PASSWORD_VERIFY_FUNCTION parameter names a PL/SQL function that performs a password complexity check before a password is assigned. Password verification functions must be owned by the SYS user and must return a Boolean value.
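
The same settings can be applied from SQL instead of the Enterprise Manager tabs. The script below is an added example, not part of the original post; the names example_verify_fn, app_user_profile and app_user and all limit values are made up for illustration, and the resource keywords are the CREATE PROFILE equivalents of the limits listed above.

```sql
-- Constructed names: example_verify_fn, app_user_profile, app_user.
-- Complexity check: owned by SYS, returns BOOLEAN (run as SYS).
CREATE OR REPLACE FUNCTION sys.example_verify_fn (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must differ from the user name');
  END IF;
  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')) THEN
    raise_application_error(-20003, 'Password needs a letter and a digit');
  END IF;
  RETURN TRUE;
END;
/

-- Resource limits are enforced only while RESOURCE_LIMIT is TRUE;
-- password limits apply regardless.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE app_user_profile LIMIT
  CPU_PER_SESSION           60000     -- hundredths of a second (10 minutes)
  CPU_PER_CALL              3000      -- hundredths of a second (30 seconds)
  CONNECT_TIME              480       -- minutes
  IDLE_TIME                 30        -- minutes
  SESSIONS_PER_USER         2         -- concurrent sessions
  PRIVATE_SGA               512K      -- bytes of private SGA per session
  LOGICAL_READS_PER_SESSION 1000000   -- blocks read from memory and disk
  LOGICAL_READS_PER_CALL    100000
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1/24      -- days, so one hour
  PASSWORD_LIFE_TIME        90        -- days
  PASSWORD_GRACE_TIME       7         -- days
  PASSWORD_REUSE_TIME       365       -- days; the post treats the history pair
  PASSWORD_REUSE_MAX        UNLIMITED -- as mutually exclusive, so one is set
  PASSWORD_VERIFY_FUNCTION  example_verify_fn;

-- A user has one profile at a time; this replaces the previous one.
ALTER USER app_user PROFILE app_user_profile;

-- Review what the profile actually enforces.
SELECT resource_type, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;
```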
