Profile management key concepts v17
A profile is a set of password attributes that allow you to easily manage a group of roles that share comparable authentication requirements. Each profile defines rules for password management that augment password
and md5
authentication. The rules in a profile can:
- Count failed login attempts
- Lock an account due to excessive failed login attempts
- Mark a password for expiration
- Define a grace period after a password expiration
- Define rules for password complexity
- Define rules that limit password reuse
If the password requirements change, you can modify the profile to apply the new requirements to each user associated with that profile.
After creating the profile, you can associate the profile with one or more users. When a user connects to the server, the server enforces the profile that's associated with their login role. Profiles are shared by all databases in a cluster, but each cluster can have multiple profiles. A single user with access to multiple databases uses the same profile when connecting to each database in the cluster.
EDB Postgres Advanced Server creates a profile named default
that's associated with a new role when the role is created unless you specify an alternative profile. If you upgrade to EDB Postgres Advanced Server from a previous server version, existing roles are automatically assigned to the default
profile. You can't delete the default
profile.
The default
profile specifies the following attributes:
FAILED_LOGIN_ATTEMPTS | UNLIMITED |
---|---|
PASSWORD_LOCK_TIME | UNLIMITED |
PASSWORD_LIFE_TIME | UNLIMITED |
PASSWORD_GRACE_TIME | UNLIMITED |
PASSWORD_REUSE_TIME | UNLIMITED |
PASSWORD_REUSE_MAX | UNLIMITED |
PASSWORD_VERIFY_FUNCTION | NULL |
PASSWORD_ALLOW_HASHED | TRUE |
A database superuser can use the ALTER PROFILE
command to modify the values specified by the default
profile. For more information about modifying a profile, see Altering a profile.