Professional Documents
Culture Documents
Module 13 - Profiles and Resources
Module 13 - Profiles and Resources
htm; updated July 1, 2013; Some figures shown in these notes are from Oracle document
D11321GC11.
The PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME parameters
are specified as part of a profile.
PASSWORD_LIFE_TIME specifies the maximum life of a password.
If the PASSWORD_GRACE_TIME is exceeded, the account automatically
locks.
Both of these parameters are specified in days.
Password History: This option ensures that a password is not reused within a
specified period of time or number of password changes.
If either PASSWORD_REUSE_TIME or PASSWORD_REUSE_MAX are set
to a value other than DEFAULT or UNLIMITED, the other parameter must be
set to UNLIMITED.
PASSWORD_REUSE_TIME is specified in days.
PASSWORD_REUSE_MAX is an integer value specifying the number of
password changes required before a password can be reused.
If you set PASSWORD_REUSE_TIME to an integer value, then you must
set PASSWORD_REUSE_MAX to UNLIMITED.
If you set PASSWORD_REUSE_MAX to an integer value, then you must
set PASSWORD_REUSE_TIME to UNLIMITED
Password Complexity Verification: This option ensures that a password is
complex – this helps provide protection against system intruders who attempt to
guess a password.
This is implemented by use of a password verification function. A DBA can
write such a function or can use the default function
namedVERIFY_FUNCTION.
The function that is used for password complexity verification is specified with
the profile parameter, PASSWORD_VERIFY_FUNCTION.
If NULL is specified (the default), no password verification is performed.
The default VERIFY_FUNCTION has the characteristics shown in the figure
below.
When a DBA connected as the user SYS executes the utlpwdmg.sql script
(located at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) , the Oracle Server
creates the VERIFY_FUNCTION . The script also executes the ALTER
PROFILE command given below – the command modifies the DEFAULT profile.
Example of executing the utlpwdmg.sql script.
SQL> Connect SYS as SYSDBA
SQL> start $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
Function created.
Profile altered.
This ALTER PROFILE command is part of the utlpwdmg.sql script and does not
need to be executed separately.
-- This script alters the default parameters for Password
Management
-- This means that all the users on the system have
Password Management
-- enabled and set to the following values unless another
profile is
-- created with parameter values set to different value
or UNLIMITED
-- is created and assigned to the user.
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION Verify_Function;
Creating a Profile with Password Protection: The figure shown below provides
an example CREATE PROFILE command.
Use these parameters values when setting parameters to values that are less than
a day:
1 hour: PASSWORD_LOCK_TIME = 1/24
10 minutes: PASSWORD_LOCK_TIME = 10/1400
5 minutes: PASSWORD_LOCK_TIME = 5/1440
Resource Management
Enabling Resource Limits
As noted earlier, resource limits are enabled by setting
the RESOURCE_LIMIT initialization parameter to TRUE (the default is FALSE) or
by enabling the parameter with the ALTER SYSTEM command.
ALTER SYSTEM SET RESOURCE_LIMIT=TRUE
System altered.
Setting User Session Resource Limits
Resource limits can also be managed through use of a Profile object.
This table describes the resource limit parameters for a Profile.
Parameters can be either an integer value, or the
keyword UNLIMITED or DEFAULT.
DEFAULT specifies the limit from the DEFAULT profile.
UNLIMITED specifies no limit on the resource is enforced.
The COMPOSITE_LIMIT parameter enables controlling a group of resource
limits – example a system user may use a lot of CPU time, but not much disk
I/O during a session, or vice versa during another session – this keeps the
policy from disconnecting the user.
Resource Description
CPU_PER_SESSION Total CPU time – measured in hundredths of
seconds
CPU_PER_CALL Maximum CPU time allowed for a statement
parse, execute, or fetch operation, in hundredths
of a second.
SESSIONS_PER_USER Maximum number of concurrent sessions allowed
for each user name
CONNECT_TIME Maximum total elapsed connect time measured in
minutes
IDLE_TIME Maximum continuous inactive time in a session
measured in minutes when a query or other
operation is not in progress.
LOGICAL_READS_ Number of data blocks (physical and logical reads)
PER_SESSION read per session from either memory or disk.
LOGICAL_READS_PER_CALL Maximum number of data blocks read for a
statement parse, execute, or fetch operation.
COMPOSITE_LIMIT Total Resource cost, in service units, as a
composite weighted sum of CPU_PER_SESSION,
CONNECT_TIME,
LOGICAL_READS_PER_SESSION, and
PRIVATE_SGA.
PRIVATE_SGA Maximum amount of memory a session can
allocate in the shared pool of the SGA measured
in bytes, kilobytes, or megabytes (applies to
Shared Server only).
Profile limits enforced at the session level are enforced for each connection
where a system user can have more than one concurrent connection.
If a session-level limit is exceeded, then the Oracle Server issues an error
message such as ORA-02391: exceeded simultaneous
SESSION_PER_USER limit, and then disconnects the system user.
Resource limits can also be set at the Call-level, but this applies to PL/SQL
programming limitations and we do not cover setting these Call-level limits in
this course.
Adjusting Resource Cost Weights
The ALTER RESOURCE COST command is used to adjust weightings for resource
costs. This can affect the impact of the COMPOSITE_LIMIT parameter.
Example: Here the weights are changed so CPU_PER_SESSION favors CPU
usage over connect time by a factor of 50 to 1. This means it is much more likely
that a system user will be disconnected from excessive CPU usage than from the
use of excessive connect time.
Step 1. Alter the resource cost for these two parameters.
ALTER RESOURCE COST
CPU_PER_SESSION 50
CONNECT_TIME 1;
Resource cost altered.
SELECT * FROM Resource_Cost;
RESOURCE_NAME UNIT_COST
-------------------------------- ----------
CPU_PER_SESSION 50
LOGICAL_READS_PER_SESSION 0
CONNECT_TIME 1
PRIVATE_SGA 0
Step 2. Create a new profile or modify an existing profile to use
a COMPOSITE_LIMIT parameter. Here the Accountant profile is recreated
based on the command given earlier in these notes, then altered to set
the COMPOSITE_LIMIT to 300. We also ensure that user349 is assigned this
profile.
CREATE PROFILE Accountant LIMIT
SESSIONS_PER_USER 4
CPU_PER_SESSION unlimited
CPU_PER_CALL 6000
LOGICAL_READS_PER_SESSION unlimited
LOGICAL_READS_PER_CALL 100
IDLE_TIME 30
CONNECT_TIME 480
PASSWORD_REUSE_TIME 1
PASSWORD_LOCK_TIME 7
PASSWORD_REUSE_MAX 3;
ALTER PROFILE Accountant LIMIT
COMPOSITE_LIMIT 300;
Profile altered.
ALTER USER user349 PROFILE Accountant;
User altered.
Step 3. Test the new limit. The COMPOSITE_COST can be computed. This
is the formula. This table compares high/low values
for CPU and CONNECTusage to compute the composite cost and indicates if
the resource limit is exceeded.
Composite_Cost = (50 * CPU_PER_SESSION) + (1 *
CONNECT_TIME)
CPU Connect Composite Cost Exceeded
(Seconds) (Seconds) Limit of
300
High (50 * 6) + (1 * 250) = 300 + 250 = Yes
CPU 0.06 250 490
High
Connec
t
Medium (50 * 5) + (1 * 40) = 250 + 40 = 290 No
CPU 0.05 40
Low
Connec
t
Low (50 * 2) + (1 * 175) = 100 + 175 = No
CPU 0.02 175 275
Medium
Connec
t
Low (50 * 2) + (1 * 40) = 100 + 40 = 140 No
CPU 0.02 40
Low
Connec
t
The Database Resource Manager
The Database Resource Manager can provide the Oracle server more control over
resource management decisions; thus, avoiding problems from inefficient operating
system management.
Oracle Database Resource Manager (the Resource Manager) enables you to
manage multiple workloads within a database through the creation of resource
plans and resource groups, and the allocation of individual user accounts to
resource groups that are, in turn, allocated resource plans.
Generally the operating system handles resource management. However, within an
Oracle database, this can result in a number of problems: