
PROFILE MANAGEMENT IN ORACLE 11g

PROFILE MEANS
A profile is a database object.
Profiles are SETS OF LIMITS ON DATABASE RESOURCES.
A profile is created to limit the resources a user can use.
DBAs can set up limits on system resources by creating profiles with defined limits.
Profiles regulate the amount of resources used by each database user: the DBA creates profiles
and assigns them to database users.

LIMITABLE RESOURCES

Limitable resources can be categorized into KERNEL LIMITS and PASSWORD LIMITS.

SYS> select * from dba_profiles where profile = 'DEFAULT'
     AND resource_type = 'PASSWORD';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT    FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT    PASSWORD_LIFE_TIME               PASSWORD 180
DEFAULT    PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT    PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT    PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT    PASSWORD_LOCK_TIME               PASSWORD
DEFAULT    PASSWORD_GRACE_TIME              PASSWORD

7 rows selected.

SYS> select * from dba_profiles where profile = 'DEFAULT'
     AND resource_type = 'KERNEL';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT    COMPOSITE_LIMIT                  KERNEL   UNLIMITED
DEFAULT    SESSIONS_PER_USER                KERNEL   UNLIMITED
DEFAULT    CPU_PER_SESSION                  KERNEL   UNLIMITED
DEFAULT    CPU_PER_CALL                     KERNEL   UNLIMITED
DEFAULT    LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED
DEFAULT    LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED
DEFAULT    IDLE_TIME                        KERNEL   UNLIMITED
DEFAULT    CONNECT_TIME                     KERNEL   UNLIMITED
DEFAULT    PRIVATE_SGA                      KERNEL   UNLIMITED

9 rows selected.

RESOURCE PARAMETERS - KERNEL LIMITS

PRIVATE_SGA

Maximum amount (integer bytes) of SGA.
Amount of space a session can allocate in the shared pool of the SGA. Expressed in BYTES.

SYNTAX  : PRIVATE_SGA = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit private_sga 20k;

Exploring the Oracle DBA Technology by Gunasekaran ,Thiyagu


SESSIONS_PER_USER

Maximum concurrent sessions allowed per user.

SYNTAX  : SESSIONS_PER_USER = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit sessions_per_user 2;

CPU_PER_SESSION

Maximum CPU time limit per session.

SYNTAX  : CPU_PER_SESSION = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit cpu_per_session unlimited;

CPU_PER_CALL

Maximum CPU time limit per call (parse, execute, fetch).

SYNTAX  : CPU_PER_CALL = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit cpu_per_call 1800;

CONNECT_TIME

Maximum connect time per session in minutes. (The session will be dropped after the specified time.)

SYNTAX  : CONNECT_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit connect_time 15;

LOGICAL_READS_PER_CALL

Maximum number of data blocks read per call.

SYNTAX  : LOGICAL_READS_PER_CALL = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit logical_reads_per_call 2000;

LOGICAL_READS_PER_SESSION

Maximum number of data blocks read per session.

SYNTAX  : LOGICAL_READS_PER_SESSION = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit logical_reads_per_session unlimited;

IDLE_TIME

Maximum idle time in minutes.
(The time allowed before the user is disconnected. Long-running processes are NOT idle.)

SYNTAX  : IDLE_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit idle_time 30;

COMPOSITE_LIMIT

Total resource cost for a session, expressed in service units.
Oracle Database calculates the total service units as a weighted sum of the following resources:
cpu_per_session, connect_time, logical_reads_per_session, private_sga.
If this limit is exceeded, Oracle aborts the session and returns an error.

SYNTAX  : COMPOSITE_LIMIT = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit composite_limit 100000;

To enforce kernel limits, resource limits must be "turned on" for the database as a whole.
First verify the RESOURCE_LIMIT initialization parameter. By default resource_limit is off.


VERIFY RESOURCE_LIMIT PARAMETER

SYS> show parameter resource_limit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------
resource_limit                       boolean     FALSE

SYS> alter system set resource_limit = TRUE scope=both;

System altered.

SYS> show parameter resource_limit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------
resource_limit                       boolean     TRUE

PASSWORD PARAMETERS - PASSWORD LIMITS

FAILED_LOGIN_ATTEMPTS

Maximum failed login attempts.
The number of failed attempts to log in to the user account before the account is locked.

SYNTAX  : FAILED_LOGIN_ATTEMPTS = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit failed_login_attempts 3;

PASSWORD_LIFE_TIME

Maximum time a password is valid.
Number of days the password is valid before expiry.

SYNTAX  : PASSWORD_LIFE_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit password_life_time 100;

PASSWORD_REUSE_TIME

Number of days between reuses of a password.
Number of days after which the user can reuse an already used password.

SYNTAX  : PASSWORD_REUSE_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit password_reuse_time 30;

PASSWORD_REUSE_MAX

Number of times a password must be changed before a previous password can be used.

SYNTAX  : PASSWORD_REUSE_MAX = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit password_reuse_max unlimited;

PASSWORD_LOCK_TIME

Number of days an account is locked after failing to log in.

SYNTAX  : PASSWORD_LOCK_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit password_lock_time 3;

PASSWORD_VERIFY_FUNCTION

Verify function for passwords.


PASSWORD_GRACE_TIME

Number of grace days for a user to change a password.
If the password is NOT changed during the grace period, the password will expire.

SYNTAX  : PASSWORD_GRACE_TIME = <VALUE|UNLIMITED|DEFAULT>
EXAMPLE : alter profile p1 limit password_grace_time 3;

DEFAULT PROFILE
Whenever you create a user in a database, the DEFAULT profile is assigned to that user by default.
1) A user can have only one profile.
2) Profiles cannot be assigned to roles or other profiles.
3) Assigning a new profile to a user replaces any earlier profile.

SYS> create user foo identified by foo;
User created.

SYS> select profile from dba_users where username='FOO';

PROFILE
-------
DEFAULT

SYSTEM PRIVILEGES FOR PROFILES
CREATE PROFILE, ALTER PROFILE and DROP PROFILE
Profiles are assigned to users by the CREATE USER or ALTER USER commands. To create a profile, a
database user must have the CREATE PROFILE system privilege.

PROFILE CREATION SYNTAX

SYS> create profile <profile_name> LIMIT
       <profile_item_name>   <value>
       <profile_item_name>   <value>
       ..
       ..;

EXAMPLES

SYS> create profile p1 LIMIT
       sessions_per_user
       idle_time
       connect_time
       private_sga             50k
       composite_limit         4000000;

SYS> create profile p2 LIMIT
       failed_login_attempts
       password_lock_time
       password_life_time      60
       password_grace_time
       password_reuse_time     60
       password_reuse_max      5;


SYS> create profile p3 LIMIT
       sessions_per_user
       connect_time                unlimited    -- minutes
       idle_time                   30           -- minutes
       logical_reads_per_session   default      -- db blocks
       logical_reads_per_call      default      -- db blocks
       composite_limit             default
       private_sga                 20m          -- bytes
       failed_login_attempts
       password_life_time          30           -- days
       password_reuse_time                      -- days
       password_reuse_max          unlimited
       password_lock_time          default      -- days
       password_grace_time         2;

CHECK EXISTING PROFILES

We can check the resource parameters of our profile by querying DBA_PROFILES.

SYS> select profile, resource_name, limit from dba_profiles order by profile, resource_name;
..
...

SYS> select * from dba_profiles where profile='P1';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
P1         COMPOSITE_LIMIT                  KERNEL   4000000
P1         SESSIONS_PER_USER                KERNEL
P1         CPU_PER_SESSION                  KERNEL   DEFAULT
P1         CPU_PER_CALL                     KERNEL   DEFAULT
P1         LOGICAL_READS_PER_SESSION        KERNEL   DEFAULT
P1         LOGICAL_READS_PER_CALL           KERNEL   DEFAULT
P1         IDLE_TIME                        KERNEL
P1         CONNECT_TIME                     KERNEL
P1         PRIVATE_SGA                      KERNEL   51200
..
...

ASSIGNING A PROFILE
We can assign a profile in two ways: at user creation or with an ALTER USER statement.

SYS> create user sony identified by sony profile p1;
User created.

SYS> alter user foo profile p1;
User altered.

Once we assign the profile to a user, the user cannot exceed the profile limits. As I said
earlier, assigning a new profile to a user account replaces any earlier profile. Initially user
foo had the DEFAULT profile, but we have now assigned the new profile p1 to foo.


SYS> select username, profile from dba_users where username='FOO' or username='SONY';

USERNAME                       PROFILE
------------------------------ ----------------------
SONY                           P1
FOO                            P1


ALTERING A PROFILE
Profiles can be altered with the ALTER PROFILE command. A user must have the ALTER PROFILE system privilege.
If a profile limit is adjusted, the new setting overrides the previous setting. New settings do NOT
affect sessions already in progress.

SYS> alter profile p1 limit sessions_per_user 1 private_sga 20k;
Profile altered.

SYS> select * from dba_profiles where profile='P1';

PROFILE                RESOURCE_NAME                    RESOURCE LIMIT
---------------------- -------------------------------- -------- ----------
P1                     SESSIONS_PER_USER                KERNEL
P1                     PRIVATE_SGA                      KERNEL   20480
P1                     COMPOSITE_LIMIT                  KERNEL   4000000
..
...

DROPPING A PROFILE
The DEFAULT profile cannot be dropped.
The CASCADE clause revokes the profile from the corresponding user account.
When dropping a profile, CASCADE must be used if the profile has been assigned to any user.
When a profile is dropped, the corresponding user account is reassigned to the DEFAULT profile.

SYS> select username, profile from dba_users where username='FOO';

USERNAME                       PROFILE
------------------------------ ----------------------
FOO                            P1

SYS> drop profile p1;
drop profile p1
*
ERROR at line 1:
ORA-02382: profile P1 has users assigned, cannot drop without CASCADE

SYS> drop profile p1 CASCADE;
Profile dropped.

SYS> select username, profile from dba_users where username='FOO';

USERNAME                       PROFILE
------------------------------ ----------------------
FOO                            P1


RESTRICTIONS ON PASSWORD PARAMETERS


If PASSWORD_REUSE_TIME is set to an integer value, PASSWORD_REUSE_MAX must be set to UNLIMITED.
If PASSWORD_REUSE_MAX is set to an integer value, PASSWORD_REUSE_TIME must be set to UNLIMITED.
If PASSWORD_REUSE_TIME is set to DEFAULT and PASSWORD_REUSE_MAX is set to UNLIMITED, then Oracle
uses the PASSWORD_REUSE_TIME value defined in the DEFAULT profile.
If PASSWORD_REUSE_MAX is set to DEFAULT and PASSWORD_REUSE_TIME is set to UNLIMITED, then Oracle
uses the PASSWORD_REUSE_MAX value defined in the DEFAULT profile.
If both PASSWORD_REUSE_TIME & PASSWORD_REUSE_MAX are set to DEFAULT, then Oracle uses whichever
value is defined in the DEFAULT profile.

PASSWORD VERIFY FUNCTION
Oracle 11g provides a default password verification function. It is defined in the file utlpwdmg.sql
under $ORACLE_HOME/rdbms/admin. Many people may NOT be aware of its existence.
This script creates a new password function called VERIFY_FUNCTION_11G. This function is a quick and
easy way to enforce the quality of database passwords; for example, a password should contain a
certain number of characters, should NOT be identical to the username, and so on.

$ cd $ORACLE_HOME/rdbms/admin/
$ ls utlpwd*
utlpwdmg.sql

The end of the script contains these lines:

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function_11G;

Once you execute the script utlpwdmg.sql, it will attach the function to the profile DEFAULT,
which is the default profile for all users unless s

SYS> select * from dba_profiles where profile = 'DEFAULT'
     AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

PROFILE                RESOURCE_NAME                    RESOURCE LIMIT
---------------------- -------------------------------- -------- ------
DEFAULT                PASSWORD_VERIFY_FUNCTION         PASSWORD NULL

Run the script; it alters the DEFAULT profile.

SYS> @?/rdbms/admin/utlpwdmg.sql;

Function created.
Profile altered.
Function created.

SYS> select * from dba_profiles where profile = 'DEFAULT' and
     resource_name='PASSWORD_VERIFY_FUNCTION';

PROFILE                RESOURCE_NAME                    RESOURCE LIMIT
---------------------- -------------------------------- -------- -------------------
DEFAULT                PASSWORD_VERIFY_FUNCTION         PASSWORD VERIFY_FUNCTION_11G


CREATE A NEW USER

SYS> create user sony identified by sony;
create user sony identified by sony
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

SYS> create user sony identified by sonyorcl;
create user sony identified by sonyorcl
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20008: Password must contain at least one digit, one character

SYS> create user sony1234 identified by sony1234;
create user sony1234 identified by sony1234
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password same as or similar to user

With a complex password the user is created:

SYS> create user sony identified by orcl1986;
User created.

SYS> select username, profile from dba_users where username='SONY';

USERNAME                       PROFILE
------------------------------ ----------------------
SONY                           DEFAULT


To remove this password verify function, assign NULL to PASSWORD_VERIFY_FUNCTION.

SYS> ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;
Profile altered.

utlpwdmg.sql
This function must be created in the SYS schema.
The script needs to be run to enable the password security.
The function makes the minimum complexity checks, such as minimum length of the password,
password not the same as the username, etc.
REF_LINK: http://sk-rolling.blogspot.in/2006/08/password-management-script-at.html
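
A site-specific verify function can be written in the same style and attached to a dedicated
profile instead of DEFAULT. The following is an added example, not code from utlpwdmg.sql or from
the original document. The names verify_function_demo and app_users and the error number -20010
are hypothetical; the other messages mirror the errors shown in the session above.

```sql
-- Added example. Create as SYS: a password verify function must live in the SYS schema.
CREATE OR REPLACE FUNCTION verify_function_demo (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- Minimum length check
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password length less than 8');
  END IF;

  -- Reject passwords that contain the username, ignoring case (sony / sony1234)
  IF INSTR(NLS_LOWER(password), NLS_LOWER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password same as or similar to user');
  END IF;

  -- Require at least one digit and at least one letter
  IF NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    RAISE_APPLICATION_ERROR(-20008,
      'Password must contain at least one digit, one character');
  END IF;

  -- old_password is NULL when the old password was not supplied with the change
  IF old_password IS NOT NULL AND password = old_password THEN
    RAISE_APPLICATION_ERROR(-20010, 'New password must differ from the old one');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to a dedicated profile; limits not listed here
-- take the value DEFAULT, i.e. they follow the DEFAULT profile.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1/1440
  PASSWORD_VERIFY_FUNCTION verify_function_demo;

ALTER USER sony PROFILE app_users;
```

Because the function is attached to app_users only, accounts left on the DEFAULT profile are not
checked by it.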


SOME IMPORTANT VIEWS

DBA_PROFILES
RESOURCE_COST
USER_RESOURCE_LIMITS

There are only two RESOURCE TYPEs, "KERNEL" and "PASSWORD", and 16 RESOURCE NAMEs that can be given
a limit in DBA_PROFILES.
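
The query below joins DBA_USERS to DBA_PROFILES to report the effective password limits of every
open account, resolving a limit of DEFAULT to the value held in the DEFAULT profile. It is an added
example, not part of the original document; the threshold of 5 failed logins and the wording of the
findings are assumptions chosen for illustration.

```sql
-- Added example: effective PASSWORD limits for every open account.
WITH effective AS (
  SELECT u.username,
         u.profile,
         p.resource_name,
         -- In a non-DEFAULT profile, a limit of 'DEFAULT' means
         -- "use the value from the DEFAULT profile".
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS eff_limit
  FROM   dba_users u
  JOIN   dba_profiles p ON p.profile = u.profile
                       AND p.resource_type = 'PASSWORD'
  JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                       AND d.resource_name = p.resource_name
  WHERE  u.account_status = 'OPEN'
),
graded AS (
  SELECT e.*,
         -- Convert whole numbers only; UNLIMITED, NULL and function names stay NULL
         CASE WHEN REGEXP_LIKE(e.eff_limit, '^[0-9]+$')
              THEN TO_NUMBER(e.eff_limit) END AS eff_num
  FROM   effective e
)
SELECT username, profile, resource_name, eff_limit,
       CASE resource_name
         WHEN 'PASSWORD_VERIFY_FUNCTION' THEN 'no password verify function'
         WHEN 'FAILED_LOGIN_ATTEMPTS'    THEN 'account lockout weak or disabled'
         WHEN 'PASSWORD_LIFE_TIME'       THEN 'password never expires'
       END AS finding
FROM   graded
WHERE  (resource_name = 'PASSWORD_VERIFY_FUNCTION' AND eff_limit = 'NULL')
   OR  (resource_name = 'FAILED_LOGIN_ATTEMPTS'
        AND (eff_limit = 'UNLIMITED' OR eff_num > 5))
   OR  (resource_name = 'PASSWORD_LIFE_TIME' AND eff_limit = 'UNLIMITED')
ORDER  BY username, resource_name;
```

With the DEFAULT profile values listed at the top of this document (FAILED_LOGIN_ATTEMPTS 10,
PASSWORD_VERIFY_FUNCTION NULL), every open account on DEFAULT returns two findings.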
