ALTER PROFILE v15
Name
ALTER PROFILE — Alter an existing profile.
Synopsis
ALTER PROFILE <profile_name> RENAME TO <new_name>; ALTER PROFILE <profile_name> LIMIT {<parameter value>}[...];
Description
Use the ALTER PROFILE command to modify a user-defined profile. EDB Postgres Advanced Server supports two forms of the command:
- Use ALTER PROFILE…RENAME TOto change the name of a profile.
- Use ALTER PROFILE…LIMITto modify the limits associated with a profile.
Include the LIMIT clause and one or more space-delimited parameter/value pairs to specify the rules enforced by EDB Postgres Advanced Server. Use ALTER PROFILE…RENAME TO to change the name of a profile.
Parameters
profile_name
The name of the profile.
new_name
The new name of the profile.
parameter
The attribute limited by the profile.
value
The parameter limit.
EDB Postgres Advanced Server supports these values for each parameter:
FAILED_LOGIN_ATTEMPTS specifies the number of failed login attempts that a user can make before the server locks them out of their account for the length of time specified by PASSWORD_LOCK_TIME. Supported values are:
- An INTEGERvalue greater than0.
- DEFAULT— The value of- FAILED_LOGIN_ATTEMPTSspecified in the- DEFAULTprofile.
- UNLIMITED— The connecting user can make an unlimited number of failed login attempts.
PASSWORD_LOCK_TIME specifies the length of time that must pass before the server unlocks an account that was locked because of FAILED_LOGIN_ATTEMPTS. Supported values are:
- A NUMERICvalue of0or greater. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours.
- DEFAULT— The value of- PASSWORD_LOCK_TIMEspecified in the- DEFAULTprofile.
- UNLIMITED— The account is locked until manually unlocked by a database superuser.
PASSWORD_LIFE_TIME specifies the number of days to use the current password before the user is prompted to provide a new password. Include the PASSWORD_GRACE_TIME clause when using the PASSWORD_LIFE_TIME clause to specify the number of days after the password expires before connections by the role are rejected. If you don't specify PASSWORD_GRACE_TIME, the password expires on the day specified by the default value of PASSWORD_GRACE_TIME. The user can't execute any command until they provide a new password. Supported values are:
- A NUMERICvalue of0or greater. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours.
- DEFAULT— The value of- PASSWORD_LIFE_TIMEspecified in the- DEFAULTprofile.
- UNLIMITED— The password doesn't have an expiration date.
PASSWORD_GRACE_TIME specifies the length of the grace period after a password expires until the user is forced to change their password. When the grace period expires, a user is allowed to connect but isn't allowed to execute any command until they update their expired password. Supported values are:
- A NUMERICvalue of0or greater. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours.
- DEFAULT— The value of- PASSWORD_GRACE_TIMEspecified in the- DEFAULTprofile.
- UNLIMITED— The grace period is infinite.
PASSWORD_REUSE_TIME specifies the number of days a user must wait before reusing a password. Use the PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED, there are no restrictions on password reuse. Supported values are:
- A NUMERICvalue of0or greater. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours.
- DEFAULT— The value of- PASSWORD_REUSE_TIMEspecified in the- DEFAULTprofile.
- UNLIMITED— The password can be reused without restrictions.
PASSWORD_REUSE_MAX specifies the number of password changes that must occur before a password can be reused. Use the PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED, there are no restrictions on password reuse. Supported values are:
- An INTEGERvalue of0or greater.
- DEFAULT— The value of- PASSWORD_REUSE_MAXspecified in the- DEFAULTprofile.
- UNLIMITED— The password can be reused without restrictions.
PASSWORD_VERIFY_FUNCTION specifies password complexity. Supported values are:
- The name of a PL/SQL function.
- DEFAULT— The value of- PASSWORD_VERIFY_FUNCTIONspecified in the- DEFAULTprofile.
- NULL
PASSWORD_ALLOW_HASHED specifies whether an encrypted password is allowed. If you specify the value as TRUE, the system allows a user to change the password by specifying a hash-computed encrypted password on the client side. However, if you specify the value as FALSE, then a password must be specified in a plain-text form to validate without error. Supported values are:
- A BOOLEANvalueTRUE/ON/YES/1orFALSE/OFF/NO/0.
- DEFAULT— The value of- PASSWORD_ALLOW_HASHEDspecified in the- DEFAULTprofile.
Note
The PASSWORD_ALLOW_HASHED isn't compatible with Oracle.
Examples
This example modifies a profile named acctg_profile:
ALTER PROFILE acctg_profile LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1;
acctg_profile counts failed connection attempts when a login role attempts to connect to the server. The profile specifies that if a user doesn't authenticate with the correct password in three attempts, the account is locked for one day.
This example changes the name of acctg_profile to payables_profile:
ALTER PROFILE acctg_profile RENAME TO payables_profile;