Creating a new profile v17
Use the CREATE PROFILE command to create a new profile. The syntax is:
CREATE PROFILE <profile_name> [LIMIT {<parameter value>} ... ];
Include the LIMIT clause and one or more space-delimited parameter/value pairs to specify the rules enforced by EDB Postgres Advanced Server.
Parameters
profile_namespecifies the name of the profile.parameterspecifies the attribute limited by the profile.valuespecifies the parameter limit.
EDB Postgres Advanced Server supports the vollowing value for each parameter:
FAILED_LOGIN_ATTEMPTS specifies the number of failed login attempts that a user can make before the server locks them out of their account for the length of time specified by PASSWORD_LOCK_TIME. Supported values are:
- An
INTEGERvalue greater than0. DEFAULT— The value ofFAILED_LOGIN_ATTEMPTSspecified in theDEFAULTprofile.UNLIMITED— The connecting user can make an unlimited number of failed login attempts.
PASSWORD_LOCK_TIME specifies the length of time that must pass before the server unlocks an account that was locked because of FAILED_LOGIN_ATTEMPTS. Supported values are:
- A
NUMERICvalue greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours. DEFAULT— The value ofPASSWORD_LOCK_TIMEspecified in theDEFAULTprofile.UNLIMITED— The account is locked until a database superuser manually unlocks it.
PASSWORD_LIFE_TIME specifies the number of days that the current password can be used before the user is prompted to provide a new password. Include the PASSWORD_GRACE_TIME clause when using the PASSWORD_LIFE_TIME clause to specify the number of days that pass after the password expires before connections by the role are rejected. If you don't specify PASSWORD_GRACE_TIME, the password expires on the day specified by the default value of PASSWORD_GRACE_TIME, and the user can't execute any command until they provide a new password. Supported values are:
- A
NUMERICvalue greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours. DEFAULT— The value ofPASSWORD_LIFE_TIMEspecified in theDEFAULTprofile.UNLIMITED— The password doesn't have an expiration date.
PASSWORD_GRACE_TIME specifies the length of the grace period after a password expires until the user is forced to change their password. When the grace period expires, a user can connect but can't execute any command until they update their expired password. Supported values are:
- A
NUMERICvalue greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours. DEFAULT— The value ofPASSWORD_GRACE_TIMEspecified in theDEFAULTprofile.UNLIMITED— The grace period is infinite.
PASSWORD_REUSE_TIME specifies the number of days a user must wait before reusing a password. Use the PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED, there are no restrictions on password reuse. Supported values are:
- A
NUMERICvalue greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5to specify 4 days, 12 hours. DEFAULT— The value ofPASSWORD_REUSE_TIMEspecified in theDEFAULTprofile.UNLIMITED— The password can be reused without restrictions.
PASSWORD_REUSE_MAX specifies the number of password changes that must occur before a password can be reused. Use the PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED, old passwords can never be reused. If both parameters are set to UNLIMITED, there are no restrictions on password reuse. Supported values are:
- An
INTEGERvalue greater than or equal to 0. DEFAULT— The value ofPASSWORD_REUSE_MAXspecified in theDEFAULTprofile.UNLIMITED— The password can be reused without restrictions.
PASSWORD_VERIFY_FUNCTION specifies password complexity. Supported values are:
- The name of a PL/SQL function.
DEFAULT— The value ofPASSWORD_VERIFY_FUNCTIONspecified in theDEFAULTprofile.NULL
PASSWORD_ALLOW_HASHED specifies whether an encrypted password is allowed. If you specify TRUE, the system allows a user to change the password by specifying a hash-computed encrypted password on the client side. If you specify FALSE, then a password must be specified in a plain-text form to validate. Otherwise, an error is thrown if a server receives an encrypted password. Supported values are:
- A Boolean value
TRUE/ON/YES/1orFALSE/OFF/NO/0. DEFAULT— The value ofPASSWORD_ALLOW_HASHEDspecified in theDEFAULTprofile.
Note
- The
PASSWORD_ALLOW_HASHEDisn't an Oracle-compatible parameter. - Use
DROP PROFILEcommand to remove the profile.
Examples
The following command creates a profile named acctg. The profile specifies that if a user doesn't authenticate with the correct password in five attempts, the account is locked for one day:
CREATE PROFILE acctg LIMIT FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
The following command creates a profile named sales. The profile specifies that a user must change their password every 90 days:
CREATE PROFILE sales LIMIT PASSWORD_LIFE_TIME 90 PASSWORD_GRACE_TIME 3;
If the user doesn't change their password before the 90 days specified in the profile has passed, a warning appears at login. After a grace period of their days, their account can't invoke any commands until they change their password.
The following command creates a profile named accts. The profile specifies that a user can't reuse a password within 180 days of the last use of the password and must change their password at least five times before reusing the password:
CREATE PROFILE accts LIMIT PASSWORD_REUSE_TIME 180 PASSWORD_REUSE_MAX 5;
The following command creates a profile named resources. The profile calls a user-defined function named password_rules that verifies that the password provided meets their standards for complexity:
CREATE PROFILE resources LIMIT PASSWORD_VERIFY_FUNCTION password_rules;
creating_a_password_function
- On this page
- Parameters
- Examples