LU3 - LO1LO2 Learn And Explore More and More About Oracle Database


LU 3: SECURE ORACLE DATABASE

LO 3.1: ADMINISTER USER ACCOUNT AND SECURITY


LO 3.2: MANAGE DATABASE ACCESS RIGHTS

 Administering Roles

Roles are groupings of privileges that you can use to create different levels of database access.
For example, you can create a role for application developers that enables users to create tables
and programs. You can grant privileges and roles to other users only when you possess the
necessary privilege.

 Creating a Role

To create a new role, you use the CREATE ROLE statement.


The basic syntax of the CREATE ROLE statement is as follows:
CREATE ROLE role_name [NOT IDENTIFIED | IDENTIFIED BY password];

 First, specify the name of the role that you want to create.

Example: Create role salesclerk;

 Second, use NOT IDENTIFIED to indicate that the role is authorized by the
database and that a user who was granted this role does not need a password to enable
the role.

Example: Create role clerk not identified;

 Third, use the IDENTIFIED BY password option to create a local role and indicate that
the user who was granted the role must provide the password to the database when
enabling the role.

Example: Create role salesclerk2 identified by "123@abc";

A password that begins with a digit or contains a special character such as @ must be
enclosed in double quotation marks.

 To enable the role salesclerk2 identified by the password 123@abc for your current
session, issue the following statement:

SET ROLE salesclerk2 IDENTIFIED BY "123@abc";

 To enable all roles granted to you for the current session, issue the following
statement:

SET ROLE ALL;

 To enable all roles granted to you except salesclerk2, issue the following statement:

SET ROLE ALL EXCEPT salesclerk2;

 To disable all roles granted to you for the current session, issue the following
statement:

SET ROLE NONE;

 Grant system Privileges to SALESCLERK Role


 Syntax
The syntax for granting system privileges to a role in Oracle is:

GRANT system_privileges TO role_name;

Examples of system privileges:

Privilege           Description

CREATE TABLE        Enables a user to create, modify, and delete tables in his schema.
ALTER ANY TABLE     Enables a user to alter any table in the database.
CREATE ANY TABLE    Enables a user to create a table owned by any user in the database.
CREATE SESSION      Enables a user to create a connection to the database.
DELETE ANY TABLE    Enables a user to delete from any table in the database.
DROP ANY TABLE      Enables a user to drop any table in the database.

 Granting CREATE TABLE to SALESCLERK role:


SQL> grant CREATE TABLE to SALESCLERK;

 Granting DELETE ANY TABLE to SALESCLERK role:


SQL> grant DELETE ANY TABLE to SALESCLERK;

 Granting CREATE SESSION to SALESCLERK role:


SQL> grant CREATE SESSION to SALESCLERK;

 Revoke system Privileges from Role


Once you have granted system privileges to a role, you may need to revoke some or all of these
privileges. To do this, you can execute a revoke command.

 Syntax

The syntax for revoking system privileges from a role in Oracle is:

REVOKE privileges FROM role_name;

Example

For example, if you wanted to revoke CREATE TABLE, CREATE ANY TABLE or
CREATE SESSION from a role named SALESCLERK, you would run the following
REVOKE statements:

REVOKE CREATE TABLE from SALESCLERK;

REVOKE CREATE ANY TABLE from SALESCLERK;

REVOKE CREATE SESSION from SALESCLERK;

 Grant object Privileges to Role


Once you have created the role in Oracle, your next step is to grant privileges to that role.

Let's start with granting table privileges to a role. Table privileges can be any combination of
SELECT, INSERT, UPDATE, DELETE, or ALL.

 Syntax

The syntax for granting table privileges to a role in Oracle is:

GRANT privileges ON schema.object TO role_name;

The privileges to assign to the role. It can be any of the following values:

Privilege   Description

SELECT      Ability to perform SELECT statements on the table.
INSERT      Ability to perform INSERT statements on the table.
UPDATE      Ability to perform UPDATE statements on the table.
DELETE      Ability to perform DELETE statements on the table.
ALTER       Ability to perform ALTER TABLE statements to change the table definition.
ALL         All privileges on table.

Example

For example, if you wanted to grant SELECT, INSERT, UPDATE, and DELETE privileges on a
table called regions from schema hr to a role named SALESCLERK, you would run the
following GRANT statement:

GRANT select, insert, update, delete ON hr.regions TO SALESCLERK;

You can also use the ALL keyword to indicate that you wish all permissions to be granted.
For example:

GRANT all ON hr.regions TO SALESCLERK;

Revoke object Privileges from Role

Once you have granted table privileges to a role, you may need to revoke some or all of these
privileges. To do this, you can execute a revoke command. You can revoke any combination of
SELECT, INSERT, UPDATE, DELETE or ALL.

 Syntax

The syntax for revoking table privileges from a role in Oracle is:

REVOKE privileges ON schema.object FROM role_name;

Example

For example, if you wanted to revoke DELETE privileges on a table called regions of schema
hr from a role named SALESCLERK, you would run the following REVOKE statement:

REVOKE delete ON hr.regions FROM SALESCLERK;

If you wanted to revoke ALL privileges on the table called regions of schema hr from a role
named SALESCLERK, you could use the ALL keyword.

For example:

REVOKE all ON hr.regions FROM SALESCLERK;

 MODIFYING A ROLE

 Changing Role Identification


Syntax for changing identification to NOT IDENTIFIED:

ALTER ROLE ROLE_NAME NOT IDENTIFIED;

Example: ALTER ROLE SALESCLERK NOT IDENTIFIED;

 Changing a Role Password
This statement changes the password on the role.

Syntax:

ALTER ROLE role_name IDENTIFIED BY new_password;

Example: Alter role SALESCLERK identified by "1234abcd";

 DROP ROLE

 Removes a role from the database.

Syntax: DROP ROLE role_name;

Example: DROP ROLE clerk;

 Listing All Role Grants

 The following query returns all the roles from the database:
SELECT * from dba_roles;

 The following query returns all the roles granted to users and other roles:

SELECT * FROM DBA_ROLE_PRIVS;

 Listing All System Privilege Grants

 The following query returns all object privileges granted to a Role:

SELECT * FROM role_tab_privs;

The following query returns all system privilege grants made to roles and users:

SELECT * FROM DBA_SYS_PRIVS;
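
The views above list raw grants one row at a time. The following query, an added example that is not part of the original notes, combines DBA_USERS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS to show which open accounts hold ANY-style privileges, UNLIMITED TABLESPACE or CREATE USER, either directly or through roles granted to other roles. It assumes Oracle Database 12c or later (for the ORACLE_MAINTAINED column of DBA_USERS) and a session that can read the DBA_ views.

```sql
-- Added example (not from the original notes).
-- Powerful system privileges held by open, non-Oracle-maintained accounts,
-- whether granted directly or inherited through (nested) roles.
-- Assumption: Oracle Database 12c or later (DBA_USERS.ORACLE_MAINTAINED).
WITH audited_users AS (
  SELECT username
  FROM   dba_users
  WHERE  account_status = 'OPEN'
  AND    oracle_maintained = 'N'
),
role_tree AS (
  -- Walk role grants downward: user -> role -> role granted to that role ...
  SELECT CONNECT_BY_ROOT rp.grantee AS username,
         rp.granted_role            AS role_name,
         LTRIM(SYS_CONNECT_BY_PATH(rp.granted_role, ' > '), ' >') AS grant_path
  FROM   dba_role_privs rp
  START WITH rp.grantee IN (SELECT username FROM audited_users)
  CONNECT BY NOCYCLE PRIOR rp.granted_role = rp.grantee
),
effective_privs AS (
  -- Privileges granted straight to the user
  SELECT au.username, sp.privilege, 'DIRECT' AS granted_via, sp.admin_option
  FROM   audited_users au
  JOIN   dba_sys_privs sp ON sp.grantee = au.username
  UNION ALL
  -- Privileges that arrive through any role in the user's role tree
  SELECT rt.username, sp.privilege, rt.grant_path, sp.admin_option
  FROM   role_tree rt
  JOIN   dba_sys_privs sp ON sp.grantee = rt.role_name
)
SELECT username, privilege, granted_via, admin_option
FROM   effective_privs
WHERE  privilege LIKE '% ANY %'
   OR  privilege IN ('UNLIMITED TABLESPACE', 'CREATE USER')
ORDER  BY username, privilege, granted_via;
```

Each row names the role path that delivers the privilege, so a grant can be removed with REVOKE at the level where it was made.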

 Administering Database User Accounts

 About User Accounts

For users to access your database, you must create user accounts and grant appropriate database
access privileges to those accounts. A user account is identified by a user name and defines the
attributes of the user, including the following:

 Authentication method
 Password for database authentication
 Default tablespaces for permanent and temporary data storage
 Tablespace quotas
 Account status (locked or unlocked)
 Password status (expired or not)

When you create a user account, you must not only assign a user name, a password, and
default tablespaces for the account, but you must also do the following:

 Grant the appropriate system privileges, object privileges, and roles to the account.
 If the user will be creating database objects, then give the user account a space usage
quota on each tablespace in which the objects will be created.

Oracle recommends that you grant each user just enough privileges to perform his job, and no
more. For example, a database application developer needs privileges to create and modify
tables, indexes, views, and stored procedures, but does not need (and should not be granted)
privileges to drop (delete) tablespaces or recover the database. You can create user accounts for
database administration, and grant only a subset of administrative privileges to those accounts.

In addition, you may want to create user accounts that are used by applications only. That is,
nobody logs in with these accounts; instead, applications use these accounts to connect to the
database, and users log in to the applications. This type of user account avoids giving application
users the ability to log in to the database directly, where they could unintentionally cause
damage.

When you create a user account, you are also implicitly creating a schema for that user.
A schema is a logical container for the database objects (such as tables, views, triggers, and so
on) that the user creates. The schema name is the same as the user name, and can be used to
unambiguously refer to objects owned by the user. For example, hr.employees refers to the table
named employees in the hr schema. (The employees table is owned by hr.) The terms database
object and schema object are used interchangeably.

When you delete a user, you must either simultaneously delete all schema objects of that user, or
you must have previously deleted the schema objects in separate operations.

 Predefined User Accounts

In addition to the user accounts that you create, the database includes several user accounts that
are automatically created upon installation.

All databases include the administrative accounts SYS, SYSTEM, and DBSNMP. Administrative
accounts are highly privileged accounts, and are needed only by
individuals authorized to perform administrative tasks such as starting and stopping the database,
managing database memory and storage, creating and managing database users, and so on. You
log in to Oracle Enterprise Manager Database Express (EM Express) with SYS or SYSTEM.
You assign the passwords for these accounts when you create the database with Oracle Database
Configuration Assistant (DBCA). You must not delete these accounts.

All databases also include internal accounts, which are automatically created so that individual
Oracle Database features or components such as Oracle Application Express can have their own
schemas. To protect these accounts from unauthorized access, they are initially locked and their
passwords are expired. (A locked account is an account for which login is disabled.) You must
not delete internal accounts, and you must not use them to log in to the database.

Your database may also include sample schemas, if you chose the option to create the sample
schemas in your database when the database was installed. The sample schemas are a set of
interlinked schemas that enable Oracle documentation and Oracle instructional materials to
illustrate common database tasks. These schemas also provide a way for you to experiment
without endangering production data.

Each sample schema has a user account associated with it. For example, the hr user account
owns the hr schema, which contains a set of simple tables for a human resources application. The
sample schema accounts are also initially locked and have an expired password. As the database
administrator, you are responsible for unlocking these accounts and assigning passwords to these
accounts.

 User Privileges and Roles

User privileges provide a basic level of database security. They are designed to control user
access to data and to limit the kinds of SQL statements that users can execute. When creating a
user, you grant privileges to enable the user to connect to the database, to run queries and make
updates, to create schema objects, and more.

 The main types of user privileges are as follows:

 System privileges—A system privilege gives a user the ability to perform a particular
action, or to perform an action on any schema objects of a particular type. For example,
the system privilege CREATE TABLE permits a user to create tables in the schema
associated with that user, and the system privilege CREATE USER permits a user to
create database users.
 Object privileges—An object privilege gives a user the ability to perform a particular
action on a specific schema object. Different object privileges are available for different
types of schema objects. The privilege to select rows from the EMPLOYEES table or to
delete rows from the DEPARTMENTS table are examples of object privileges.

Managing privileges is made easier by using roles, which are named groups of related privileges.
You create roles, grant system and object privileges to the roles, and then grant roles to users.
You can also grant roles to other roles. Unlike schema objects, roles are not contained in any
schema.

The following table lists three widely used roles that are predefined in Oracle Database. You
can grant these roles when you create a user or at any time thereafter.

Role Name   Description

CONNECT     Enables a user to connect to the database. Grant this role to any user or
            application that needs database access. If you create a user using Oracle
            Enterprise Manager Database Control, this role is automatically granted to the
            user.

RESOURCE    Enables a user to create, modify, and delete certain types of schema objects in
            the schema associated with that user. Grant this role only to developers and to
            other users that must create schema objects. This role grants a subset of
            the create object system privileges. For example, it grants
            the CREATE TABLE system privilege, but does not grant
            the CREATE VIEW system privilege. It grants only the following
            privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR,
            CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER,
            CREATE TYPE. In addition, this role grants the UNLIMITED TABLESPACE
            system privilege, which effectively assigns a space usage quota of
            UNLIMITED on all tablespaces in which the user creates schema objects.

DBA         Enables a user to perform most administrative functions, including creating
            users and granting privileges; creating and granting roles; creating, modifying,
            and deleting schema objects in any schema; and more. It grants all system
            privileges, but does not include the privileges to start up or shut down the
            database. It is by default granted to users SYS and SYSTEM.

 About Administrative Accounts and Privileges

Administrative accounts and privileges enable you to perform administrative functions such as
managing users, managing database memory, and starting up and shutting down the database.

 SYS and SYSTEM Users

The SYS and SYSTEM administrative user accounts are automatically created when you install
Oracle Database. They are both created with the password that you supplied upon installation,
and they are both automatically granted the DBA role.

 SYS

This account can perform all administrative functions. All base (underlying) tables and views for
the database data dictionary are stored in the SYS schema. These base tables and views are
critical for the operation of Oracle Database. To maintain the integrity of the data dictionary,
tables in the SYS schema are manipulated only by the database. They should never be modified
by any user or database administrator. You must not create any tables in the SYS schema.

The SYS user is granted the SYSDBA privilege, which enables a user to perform high-level
administrative tasks such as backup and recovery.

 SYSTEM

This account can perform all administrative functions except the following:

 Backup and recovery


 Database upgrade

While you can use this account to perform day-to-day administrative tasks, Oracle strongly
recommends creating named user accounts for administering the Oracle database to enable
monitoring of database activity.

Note: SYSBACKUP is another automatically created account that is used to perform backup and
recovery.

 SYSDBA and SYSOPER System Privileges

SYSDBA and SYSOPER are administrative privileges required to perform high-level
administrative operations such as creating, starting up, shutting down, backing up, or recovering
the database. The SYSDBA system privilege is for fully empowered database administrators and
the SYSOPER system privilege allows a user to perform basic operational tasks, but without the
ability to look at user data.

The SYSDBA and SYSOPER system privileges allow access to a database instance even when
the database is not open. Control of these privileges is therefore completely outside of the
database itself. This control enables an administrator who is granted one of these privileges to
connect to the database instance to start the database.

You can also think of the SYSDBA and SYSOPER privileges as types of connections that enable
you to perform certain database operations for which privileges cannot be granted in any other
way. For example, if you have the SYSDBA privilege, then you can connect to the database
using AS SYSDBA.

The SYS user is automatically granted the SYSDBA privilege upon installation. When you log
in as user SYS, you must connect to the database as SYSDBA or SYSOPER. Connecting as
a SYSDBA user invokes the SYSDBA privilege; connecting as SYSOPER invokes
the SYSOPER privilege. EM Express allows you to log in as user SYS and connect
as SYSDBA or SYSOPER.

When you connect with the SYSDBA or SYSOPER privilege, you connect with a default
schema, not with the schema that is generally associated with your user name. For SYSDBA this
schema is SYS; for SYSOPER the schema is PUBLIC.

Note: When you connect as user SYS, you have unlimited privileges on data dictionary tables.
Be certain that you do not modify any data dictionary tables.

 Viewing User Accounts

List all users in the Oracle Database:

SELECT * FROM dba_users;

List username and default tablespace in the Oracle Database:

select username, default_tablespace from dba_users;

 Creating a User Account

The CREATE USER statement allows you to create a new database user which you can use to
log in to the Oracle database.

 The basic syntax of the CREATE USER statement is as follows:

CREATE USER username

IDENTIFIED BY password

[DEFAULT TABLESPACE tablespace]

[QUOTA {size | UNLIMITED} ON tablespace]

[PROFILE profile]

[PASSWORD EXPIRE]

[ACCOUNT {LOCK | UNLOCK}];

 Description

 IDENTIFIED BY password: Specify a password for the local user to use to log on
to the database.
 DEFAULT TABLESPACE: Specify the tablespace for the objects, such as tables
and views, that the user will create. If you skip this clause, the user’s objects will be
stored in the database default tablespace, which is typically the USERS tablespace, or in
the SYSTEM tablespace if there is no database default tablespace.
 QUOTA: Specify the maximum amount of space in the tablespace that the user can use. You
can have multiple QUOTA clauses, each for a tablespace. Use UNLIMITED if you
don’t want to restrict the space in the tablespace that the user can use.
 PROFILE: A user profile sets limits on database resources and passwords that the user
cannot exceed. You can assign a profile to a newly created user. If you skip this
clause, Oracle will assign the DEFAULT profile to the user.
 PASSWORD EXPIRE: Use PASSWORD EXPIRE if you want to force the user
to change the password the first time the user logs in to the database.
 ACCOUNT {LOCK | UNLOCK}: Use ACCOUNT LOCK if you want to lock the user
and disable access. On the other hand, specify ACCOUNT UNLOCK to unlock
the user and enable access.

To execute the CREATE USER statement, you must have the CREATE USER system privilege.
Once you create the new user, the privilege domain of the user will be empty. Therefore, if you
want the user to be able to log in to the database, you should grant the CREATE
SESSION system privilege to the user.

 CREATE USER examples

Let’s practice with the CREATE USER statement.

1. Using Oracle CREATE USER statement to create a new local user example

This example uses the CREATE USER statement to create a new local user named john with the
password abcd1234:

CREATE USER john IDENTIFIED BY abcd1234;

 To find a list of users with the OPEN status, you query the information from
the dba_users:
SELECT username, default_tablespace, profile, authentication_type

FROM dba_users WHERE account_status = 'OPEN';

As you can see from the output, user john has USERS as the default tablespace, DEFAULT
as the profile, and logs in to the database using a PASSWORD.

Example 2: Creating user account

CREATE USER sidney

IDENTIFIED BY "123@abc"

DEFAULT TABLESPACE example

QUOTA 10M ON example

TEMPORARY TABLESPACE temp

PROFILE app_user

PASSWORD EXPIRE

ACCOUNT LOCK;

 Changing User Identification:

Example: The following statement changes the password of the user sidney to 1234@abcd and
default tablespace to the tablespace users:

ALTER USER sidney

IDENTIFIED BY "1234@abcd"

DEFAULT TABLESPACE users;

 To unlock an account:

ALTER USER account ACCOUNT UNLOCK;

Example:

ALTER USER sidney ACCOUNT unlock;

 Expire a user's password:

When we expire a user's password, the user is prompted to set a new password at the next
login.

ALTER USER name PASSWORD EXPIRE;

Example:

ALTER USER sidney PASSWORD EXPIRE;

 DROP USER

The DROP USER statement is used to remove a user from the Oracle database and remove all
objects owned by that user.

Syntax

The syntax for the DROP USER statement in Oracle:

DROP USER user_name [ CASCADE ];

Example

Let's look at a simple DROP USER statement.

If the user does not own any objects in its schema, you could execute the following DROP USER
statement:

DROP USER smithj;

This would drop the user called smithj. This DROP USER statement will only run if smithj does
not own any objects in its schema.

If smithj did own objects in its schema, you would need to run the following DROP USER
statement instead:

DROP USER smithj CASCADE;

This DROP USER statement would remove the user smithj, drop all objects (i.e., tables and
views) owned by smithj, and all referential integrity constraints on smithj's objects would also be
dropped.

 Granting Privileges and Roles to a User Account

 Granting User Privileges

 You give permissions with the grant command. For system privileges this takes the
form:

GRANT <privilege> to username;

 To allow your user to login, you need to give it the create session privilege. Let’s do
that:
GRANT create session to smith;

We also need to ensure our new user has disk space allocated in the system to actually create or
modify tables and data, so we’ll grant the UNLIMITED TABLESPACE system privilege like so:

GRANT UNLIMITED TABLESPACE TO user;

Example:
GRANT UNLIMITED TABLESPACE TO smith;

 Table Privileges
While not typically necessary in newer versions of Oracle, some older installations may require
that you manually specify the access rights the new user has to a specific schema and database
tables.

For example, if we want our smith user to have the ability to
perform SELECT, UPDATE, INSERT, and DELETE operations on the books table, we might
execute the following GRANT statement:

GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO smith;


 Revoke Privileges on Table
Once you have granted privileges, you may need to revoke some or all of these privileges. To do
this, you can run a revoke command. You can revoke any combination of SELECT, INSERT,
UPDATE, DELETE, or ALL.

Syntax

REVOKE privileges ON schema.object FROM user;

For example, if we want to remove the ability to perform SELECT, UPDATE, INSERT,
and DELETE on the books table from user smith, we run:

REVOKE SELECT, INSERT, UPDATE, DELETE ON schema.books FROM smith;

 Granting roles to user account

Now that you've created the role and assigned the privileges to the role, you'll need to grant the
role to specific users.

Syntax

GRANT role_name TO user_name;

Example

Let's look at an example of how to grant a role to a user in Oracle:

GRANT test_role TO smithj;

This example would grant the role called test_role to the user named smithj.

 Checking Roles Granted to a User:

You can check which roles have been granted to a user by querying user_role_privs. A user who
creates a role is also granted that role by default.

SELECT username, granted_role FROM user_role_privs;

 Revoking a Role from a User:

Example: The following statement revokes the role SALESCLERK from the user smith:

REVOKE SALESCLERK FROM smith;

The user smith can no longer enable the SALESCLERK role.

3.1.3. Managing profiles

The purpose of a profile in Oracle Database is basically to limit the use of resources for a particular
user. When you create a profile you define a set of limits on database resources. If you assign the
profile to a user, then that user cannot exceed these limits.

 How to find the contents of a Profile


SQL> select * from dba_profiles where profile='DEFAULT';

 Creating profile

To create a profile, you must have the CREATE PROFILE system privilege.

 Resource parameters
 SESSIONS_PER_USER: specify the number of concurrent sessions to which you want
to limit the user.
 CPU_PER_SESSION: specify the CPU time limit for a session, expressed in hundredths
of seconds.
 CPU_PER_CALL: specify the CPU time limit for a call (a parse, execute, or fetch),
expressed in hundredths of seconds.
 CONNECT_TIME: specify the total elapsed time limit for a session, expressed in
minutes.
 IDLE_TIME: specify the permitted periods of continuous inactive time during a session,
expressed in minutes. Long-running queries and other operations are not subject to this
limit.
 LOGICAL_READS_PER_SESSION: specify the permitted number of data blocks read
in a session, including blocks read from memory and disk.
 LOGICAL_READS_PER_CALL: specify the permitted number of data blocks read for
a call to process a SQL statement (a parse, execute, or fetch).
 PRIVATE_SGA: specify the amount of private space a session can allocate in the
shared pool of the system global area (SGA). Please refer to size_clause for information
on that clause.
 COMPOSITE_LIMIT: specify the total resource cost for a session, expressed in service
units. Oracle Database calculates the total service units as a weighted sum
of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION,
and PRIVATE_SGA.

 Password parameters

Use the following clauses to set password parameters. Parameters that set lengths of time are
interpreted in number of days. For testing purposes you can specify minutes (n/1440) or even
seconds (n/86400).

 FAILED_LOGIN_ATTEMPTS: Specify the number of failed attempts to log in to the
user account before the account is locked.
 PASSWORD_LIFE_TIME: Specify the number of days the same password can be used
for authentication. If you also set a value for PASSWORD_GRACE_TIME, the
password expires if it is not changed within the grace period, and further connections are
rejected. If you do not set a value for PASSWORD_GRACE_TIME, its default
of UNLIMITED will cause the database to issue a warning but let the user continue to
connect indefinitely.
 PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX: These two
parameters must be set in conjunction with each
other. PASSWORD_REUSE_TIME specifies the number of days before which a
password cannot be reused. PASSWORD_REUSE_MAX specifies the number of
password changes required before the current password can be reused. For these
parameters to have any effect, you must specify an integer for both of them.

 If you specify an integer for both of these parameters, then the user cannot reuse a
password until the password has been changed the number of times
specified for PASSWORD_REUSE_MAX during the number of days specified
for PASSWORD_REUSE_TIME.

For example, if you set PASSWORD_REUSE_TIME to 30
and PASSWORD_REUSE_MAX to 10, then the user can reuse the password after 30 days if the
password has already been changed 10 times.

 If you specify an integer for either of these parameters and specify UNLIMITED for the
other, then the user can never reuse a password.
 If you specify DEFAULT for either parameter, then Oracle Database uses the value
defined in the DEFAULT profile. By default, all parameters are set to UNLIMITED in
the DEFAULT profile. If you have not changed the default setting of UNLIMITED in
the DEFAULT profile, then the database treats the value for that parameter
as UNLIMITED.

 If you set both of these parameters to UNLIMITED, then the database ignores both of
them.

 PASSWORD_LOCK_TIME: Specify the number of days an account will be locked
after the specified number of consecutive failed login attempts.
 PASSWORD_GRACE_TIME: Specify the number of days after the grace period
begins during which a warning is issued and login is allowed. If the password is not
changed during the grace period, the password expires.

 Creating a Profile: Example The following statement creates the profile new_profile:

CREATE PROFILE new_profile

LIMIT PASSWORD_REUSE_MAX 10

PASSWORD_REUSE_TIME 30;

 Setting Profile Resource Limits: Example The following statement creates the
profile app_user:

CREATE PROFILE app_user LIMIT

SESSIONS_PER_USER UNLIMITED

CPU_PER_SESSION UNLIMITED

CPU_PER_CALL 3000

CONNECT_TIME 45

LOGICAL_READS_PER_SESSION DEFAULT

LOGICAL_READS_PER_CALL 1000

PRIVATE_SGA 15K

COMPOSITE_LIMIT 5000000;

 Setting Profile Password Limits: Example The following statement creates
the app_user2 profile with password limits values set:

CREATE PROFILE app_user2 LIMIT

FAILED_LOGIN_ATTEMPTS 5

PASSWORD_LIFE_TIME 60

PASSWORD_REUSE_TIME 60

PASSWORD_REUSE_MAX 5

PASSWORD_LOCK_TIME 1

PASSWORD_GRACE_TIME 10;

 How to modify a Profile


SQL> ALTER PROFILE new_profile LIMIT PASSWORD_REUSE_TIME 20
PASSWORD_REUSE_MAX UNLIMITED;

 Drop profile

SQL> DROP PROFILE app_user2 CASCADE;
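
To check which open accounts the password limits described above actually protect, the following query (an added example, not part of the original notes) resolves each profile's DEFAULT entries against the DEFAULT profile and reports accounts with no lockout, no password expiry, or no reuse rule. It uses only DBA_USERS and DBA_PROFILES and applies the reuse rule as stated in this section: reuse is unrestricted only when both reuse parameters are UNLIMITED.

```sql
-- Added example (not from the original notes).
-- Open accounts whose effective password limits leave a control switched off.
WITH effective_limits AS (
  -- A limit of DEFAULT in a profile means "use the DEFAULT profile's value".
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
per_profile AS (
  -- One row per profile with the four limits of interest side by side.
  SELECT profile,
         MAX(CASE WHEN resource_name = 'FAILED_LOGIN_ATTEMPTS'
                  THEN effective_limit END) AS failed_login_attempts,
         MAX(CASE WHEN resource_name = 'PASSWORD_LIFE_TIME'
                  THEN effective_limit END) AS password_life_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_TIME'
                  THEN effective_limit END) AS password_reuse_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'
                  THEN effective_limit END) AS password_reuse_max
  FROM   effective_limits
  GROUP  BY profile
)
SELECT u.username,
       u.profile,
       pp.failed_login_attempts,
       pp.password_life_time,
       CASE WHEN pp.password_reuse_time = 'UNLIMITED'
             AND pp.password_reuse_max  = 'UNLIMITED'
            THEN 'NOT ENFORCED'
            ELSE 'ENFORCED'
       END AS reuse_rule
FROM   dba_users u
JOIN   per_profile pp ON pp.profile = u.profile
WHERE  u.account_status = 'OPEN'
AND   (   pp.failed_login_attempts = 'UNLIMITED'
       OR pp.password_life_time    = 'UNLIMITED'
       OR (    pp.password_reuse_time = 'UNLIMITED'
           AND pp.password_reuse_max  = 'UNLIMITED'))
ORDER  BY u.username;
```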
