Creating a new profile v17
Use the CREATE PROFILE
command to create a new profile. The syntax is:
Include the LIMIT
clause and one or more space-delimited parameter/value pairs to specify the rules enforced by EDB Postgres Advanced Server.
Parameters
profile_name
specifies the name of the profile.parameter
specifies the attribute limited by the profile.value
specifies the parameter limit.
EDB Postgres Advanced Server supports the vollowing value
for each parameter
:
FAILED_LOGIN_ATTEMPTS
specifies the number of failed login attempts that a user can make before the server locks them out of their account for the length of time specified by PASSWORD_LOCK_TIME
. Supported values are:
- An
INTEGER
value greater than0
. DEFAULT
— The value ofFAILED_LOGIN_ATTEMPTS
specified in theDEFAULT
profile.UNLIMITED
— The connecting user can make an unlimited number of failed login attempts.
PASSWORD_LOCK_TIME
specifies the length of time that must pass before the server unlocks an account that was locked because of FAILED_LOGIN_ATTEMPTS
. Supported values are:
- A
NUMERIC
value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify 4 days, 12 hours. DEFAULT
— The value ofPASSWORD_LOCK_TIME
specified in theDEFAULT
profile.UNLIMITED
— The account is locked until a database superuser manually unlocks it.
PASSWORD_LIFE_TIME
specifies the number of days that the current password can be used before the user is prompted to provide a new password. Include the PASSWORD_GRACE_TIME
clause when using the PASSWORD_LIFE_TIME
clause to specify the number of days that pass after the password expires before connections by the role are rejected. If you don't specify PASSWORD_GRACE_TIME
, the password expires on the day specified by the default value of PASSWORD_GRACE_TIME
, and the user can't execute any command until they provide a new password. Supported values are:
- A
NUMERIC
value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify 4 days, 12 hours. DEFAULT
— The value ofPASSWORD_LIFE_TIME
specified in theDEFAULT
profile.UNLIMITED
— The password doesn't have an expiration date.
PASSWORD_GRACE_TIME
specifies the length of the grace period after a password expires until the user is forced to change their password. When the grace period expires, a user can connect but can't execute any command until they update their expired password. Supported values are:
- A
NUMERIC
value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify 4 days, 12 hours. DEFAULT
— The value ofPASSWORD_GRACE_TIME
specified in theDEFAULT
profile.UNLIMITED
— The grace period is infinite.
PASSWORD_REUSE_TIME
specifies the number of days a user must wait before reusing a password. Use the PASSWORD_REUSE_TIME
and PASSWORD_REUSE_MAX
parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED
, old passwords can never be reused. If both parameters are set to UNLIMITED
, there are no restrictions on password reuse. Supported values are:
- A
NUMERIC
value greater than or equal to 0. To specify a fractional portion of a day, specify a decimal value. For example, use the value4.5
to specify 4 days, 12 hours. DEFAULT
— The value ofPASSWORD_REUSE_TIME
specified in theDEFAULT
profile.UNLIMITED
— The password can be reused without restrictions.
PASSWORD_REUSE_MAX
specifies the number of password changes that must occur before a password can be reused. Use the PASSWORD_REUSE_TIME
and PASSWORD_REUSE_MAX
parameters together. If you specify a finite value for one of these parameters while the other is UNLIMITED
, old passwords can never be reused. If both parameters are set to UNLIMITED
, there are no restrictions on password reuse. Supported values are:
- An
INTEGER
value greater than or equal to 0. DEFAULT
— The value ofPASSWORD_REUSE_MAX
specified in theDEFAULT
profile.UNLIMITED
— The password can be reused without restrictions.
PASSWORD_VERIFY_FUNCTION
specifies password complexity. Supported values are:
- The name of a PL/SQL function.
DEFAULT
— The value ofPASSWORD_VERIFY_FUNCTION
specified in theDEFAULT
profile.NULL
PASSWORD_ALLOW_HASHED
specifies whether an encrypted password is allowed. If you specify TRUE
, the system allows a user to change the password by specifying a hash-computed encrypted password on the client side. If you specify FALSE
, then a password must be specified in a plain-text form to validate. Otherwise, an error is thrown if a server receives an encrypted password. Supported values are:
- A Boolean value
TRUE/ON/YES/1
orFALSE/OFF/NO/0
. DEFAULT
— The value ofPASSWORD_ALLOW_HASHED
specified in theDEFAULT
profile.
Note
- The
PASSWORD_ALLOW_HASHED
isn't an Oracle-compatible parameter. - Use
DROP PROFILE
command to remove the profile.
Examples
The following command creates a profile named acctg
. The profile specifies that if a user doesn't authenticate with the correct password in five attempts, the account is locked for one day:
The following command creates a profile named sales
. The profile specifies that a user must change their password every 90 days:
If the user doesn't change their password before the 90 days specified in the profile has passed, a warning appears at login. After a grace period of their days, their account can't invoke any commands until they change their password.
The following command creates a profile named accts
. The profile specifies that a user can't reuse a password within 180 days of the last use of the password and must change their password at least five times before reusing the password:
The following command creates a profile named resources
. The profile calls a user-defined function named password_rules
that verifies that the password provided meets their standards for complexity:
creating_a_password_function
- On this page
- Parameters
- Examples