PROFILE MANAGEMENT IN 11g.pdf
April 27, 2017 | Author: G.R.THIYAGU ; Oracle DBA | Category: N/A
PROFILE MANAGEMENT IN ORACLE 11g
PROFILE MEANS
A profile is a database object: a SET OF LIMITS ON DATABASE RESOURCES. A profile is created to limit the resources a user can use. DBAs set limits on system resources by creating profiles with defined limits and assigning them to database users, which regulates the amount of resources used by each database user.

LIMITABLE RESOURCES
Limitable resources can be categorized into KERNEL LIMITS & PASSWORD LIMITS.

SYS> select * from dba_profiles where profile = 'DEFAULT' AND resource_type = 'PASSWORD';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT    FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT    PASSWORD_LIFE_TIME               PASSWORD 180
DEFAULT    PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT    PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT    PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT    PASSWORD_LOCK_TIME               PASSWORD 1
DEFAULT    PASSWORD_GRACE_TIME              PASSWORD 7

7 rows selected.

SYS> select * from dba_profiles where profile = 'DEFAULT' AND resource_type = 'KERNEL';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT    COMPOSITE_LIMIT                  KERNEL   UNLIMITED
DEFAULT    SESSIONS_PER_USER                KERNEL   UNLIMITED
DEFAULT    CPU_PER_SESSION                  KERNEL   UNLIMITED
DEFAULT    CPU_PER_CALL                     KERNEL   UNLIMITED
DEFAULT    LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED
DEFAULT    LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED
DEFAULT    IDLE_TIME                        KERNEL   UNLIMITED
DEFAULT    CONNECT_TIME                     KERNEL   UNLIMITED
DEFAULT    PRIVATE_SGA                      KERNEL   UNLIMITED

9 rows selected.

RESOURCE PARAMETERS - KERNEL LIMITS

PRIVATE_SGA
Maximum amount (integer bytes) of SGA. Amount of space a session can allocate in the shared pool of the SGA. Expressed in BYTES.
SYNTAX  : PRIVATE_SGA =
EXAMPLE : alter profile p1 limit private_sga 20k;
Exploring the Oracle DBA Technology by Gunasekaran ,Thiyagu
SESSIONS_PER_USER
Maximum concurrent sessions allowed per user.
SYNTAX  : SESSIONS_PER_USER =
EXAMPLE : alter profile p1 limit sessions_per_user 2;

CPU_PER_SESSION
Maximum CPU time limit per session.
SYNTAX  : CPU_PER_SESSION =
EXAMPLE : alter profile p1 limit cpu_per_session unlimited;

CPU_PER_CALL
Maximum CPU time limit per call (parse, execute, fetch).
SYNTAX  : CPU_PER_CALL =
EXAMPLE : alter profile p1 limit cpu_per_call 1800;

CONNECT_TIME
Maximum connect time per session in minutes. (The session will be dropped after the specified time.)
SYNTAX  : CONNECT_TIME =
EXAMPLE : alter profile p1 limit connect_time 15;

LOGICAL_READS_PER_CALL
Maximum number of data blocks read per call.
SYNTAX  : LOGICAL_READS_PER_CALL =
EXAMPLE : alter profile p1 limit logical_reads_per_call 2000;

LOGICAL_READS_PER_SESSION
Maximum number of data blocks read per session.
SYNTAX  : LOGICAL_READS_PER_SESSION =
EXAMPLE : alter profile p1 limit logical_reads_per_session unlimited;

IDLE_TIME
Maximum idle time in minutes: the idle time allowed before the user is disconnected. (Long-running processes are NOT idle.)
SYNTAX  : IDLE_TIME =
EXAMPLE : alter profile p1 limit idle_time 30;

COMPOSITE_LIMIT
Total resource cost for a session, expressed in service units. Oracle Database calculates the total service units as a weighted sum of the following resources: cpu_per_session, connect_time, logical_reads_per_session, private_sga. If this limit is exceeded, Oracle aborts the session and returns an error.
SYNTAX  : COMPOSITE_LIMIT =
EXAMPLE : alter profile p1 limit composite_limit 100000;

To enforce kernel limits, resource limits must be "turned on" for the database as a whole. First verify the RESOURCE_LIMIT initialization parameter. By default resource_limit is off.

VERIFY RESOURCE_LIMIT PARAMETER

SYS> show parameter resource_limit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------
resource_limit                       boolean     FALSE

SYS> alter system set resource_limit = TRUE scope=both;
System altered.

SYS> show parameter resource_limit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------
resource_limit                       boolean     TRUE

PASSWORD PARAMETERS - PASSWORD LIMITS

FAILED_LOGIN_ATTEMPTS
Maximum failed login attempts. The number of failed attempts to log in to the user account before the account is locked.
SYNTAX  : FAILED_LOGIN_ATTEMPTS=
EXAMPLE : alter profile p1 limit failed_login_attempts 3;

PASSWORD_LIFE_TIME
Maximum time a password is valid. Number of days the password is valid before expiry.
SYNTAX  : PASSWORD_LIFE_TIME =
EXAMPLE : alter profile p1 limit password_life_time 100;

PASSWORD_REUSE_TIME
Number of days between reuses of a password. Number of days after which the user can reuse an already used password.
SYNTAX  : PASSWORD_REUSE_TIME =
EXAMPLE : alter profile p1 limit password_reuse_time 30;

PASSWORD_REUSE_MAX
Number of times a password must be changed before a previous password can be used.
SYNTAX  : PASSWORD_REUSE_MAX =
EXAMPLE : alter profile p1 limit password_reuse_max unlimited;

PASSWORD_LOCK_TIME
Number of days an account is locked after failing to log in.
SYNTAX  : PASSWORD_LOCK_TIME =
EXAMPLE : alter profile p1 limit password_lock_time 3;

PASSWORD_VERIFY_FUNCTION
Verify function for passwords.

PASSWORD_GRACE_TIME
Number of grace days for a user to change a password. If the password is NOT changed during the grace period, the password will expire.
SYNTAX  : PASSWORD_GRACE_TIME =
EXAMPLE : alter profile p1 limit password_grace_time 3;

DEFAULT PROFILE
Whenever you create a user in a database, the DEFAULT profile is assigned to the user by default.
1) A user can have only one profile.
2) Profiles cannot be assigned to roles or other profiles.
3) Assigning a new profile to a user replaces any earlier profile.

SYS> create user foo identified by foo;
User created.

SYS> select profile from dba_users where username='FOO';

PROFILE
--------
DEFAULT

SYSTEM PRIVILEGES FOR PROFILES
CREATE PROFILE, ALTER PROFILE and DROP PROFILE
Profiles are assigned to users by the CREATE USER or ALTER USER commands. To create a profile, a database user must have the CREATE PROFILE system privilege.

PROFILE CREATION SYNTAX
SYS> create profile
     LIMIT
     .. ..;

EXAMPLES

SYS> create profile p1 LIMIT
       sessions_per_user  2
       idle_time          2
       connect_time       3
       private_sga        50k
       composite_limit    4000000;

SYS> create profile p2 LIMIT
       failed_login_attempts  3
       password_lock_time     1
       password_life_time     60
       password_grace_time    2
       password_reuse_time    60
       password_reuse_max     5;

SYS> create profile p3 LIMIT
       sessions_per_user          2
       connect_time               unlimited   -- minutes
       idle_time                  30          -- minutes
       logical_reads_per_session  default     -- db blocks
       logical_reads_per_call     default     -- db blocks
       composite_limit            default
       private_sga                20m         -- bytes
       failed_login_attempts      3
       password_life_time         30          -- days
       password_reuse_time        5           -- days
       password_reuse_max         unlimited
       password_lock_time         default     -- days
       password_grace_time        2;

CHECK EXISTING PROFILES
We can check the resource parameters of our profile by querying DBA_PROFILES.

SYS> select profile, resource_name, limit from dba_profiles order by profile, resource_name;
.. ...

SYS> select * from dba_profiles where profile='P1';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
P1         COMPOSITE_LIMIT                  KERNEL   4000000
P1         SESSIONS_PER_USER                KERNEL   2
P1         CPU_PER_SESSION                  KERNEL   DEFAULT
P1         CPU_PER_CALL                     KERNEL   DEFAULT
P1         LOGICAL_READS_PER_SESSION        KERNEL   DEFAULT
P1         LOGICAL_READS_PER_CALL           KERNEL   DEFAULT
P1         IDLE_TIME                        KERNEL   2
P1         CONNECT_TIME                     KERNEL   3
P1         PRIVATE_SGA                      KERNEL   51200
.. ...

ASSIGNING A PROFILE
We can assign profiles in two ways: at user creation or with an ALTER USER statement.

SYS> create user sony identified by sony profile p1;
User created.

SYS> alter user foo profile p1;
User altered.

Once we assign the profile to a user, the user cannot exceed the profile limits. As I said earlier, assigning a new profile to a user account replaces any earlier profile. Initially user foo had the DEFAULT profile, but we have assigned the new profile p1 to foo.

SYS> select username, profile from dba_users where username='FOO' or username='SONY';

USERNAME                       PROFILE
------------------------------ ----------------------
SONY                           P1
FOO                            P1

ALTERING A PROFILE
Profiles can be altered with the ALTER PROFILE command. A user must have the ALTER PROFILE system privilege. If a profile limit is adjusted, the new setting overrides the previous setting. New settings do NOT affect sessions that are already in progress.

SYS> alter profile p1 limit sessions_per_user 1 private_sga 20k;
Profile altered.

SYS> select * from dba_profiles where profile='P1';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
P1         SESSIONS_PER_USER                KERNEL   1
P1         PRIVATE_SGA                      KERNEL   20480
P1         COMPOSITE_LIMIT                  KERNEL   4000000
.. ...

DROPPING A PROFILE
The DEFAULT profile cannot be dropped. When dropping a profile, CASCADE must be used if the profile has been assigned to any user; the CASCADE clause revokes the profile from the corresponding user account. When a profile is dropped, the corresponding user account is reassigned to the DEFAULT profile.

SYS> select username, profile from dba_users where username='FOO';

USERNAME                       PROFILE
------------------------------ ----------------------
FOO                            P1

SYS> drop profile p1;
drop profile p1
*
ERROR at line 1:
ORA-02382: profile P1 has users assigned, cannot drop without CASCADE

SYS> drop profile p1 CASCADE;
Profile dropped.

SYS> select username, profile from dba_users where username='FOO';

USERNAME                       PROFILE
------------------------------ ----------------------
FOO                            P1

RESTRICTIONS ON PASSWORD PARAMETERS
If PASSWORD_REUSE_TIME is set to an integer value, PASSWORD_REUSE_MAX must be set to UNLIMITED.
If PASSWORD_REUSE_MAX is set to an integer value, PASSWORD_REUSE_TIME must be set to UNLIMITED.
If PASSWORD_REUSE_TIME is set to DEFAULT and PASSWORD_REUSE_MAX is set to UNLIMITED, then Oracle uses the PASSWORD_REUSE_TIME value defined in the DEFAULT profile.
If PASSWORD_REUSE_MAX is set to DEFAULT and PASSWORD_REUSE_TIME is set to UNLIMITED, then Oracle uses the PASSWORD_REUSE_MAX value defined in the DEFAULT profile.
If both PASSWORD_REUSE_TIME & PASSWORD_REUSE_MAX are set to DEFAULT, then Oracle uses whichever value is defined in the DEFAULT profile.

PASSWORD VERIFY FUNCTION
Oracle 11g provides a default password verification function. You can find the file utlpwdmg.sql under the $ORACLE_HOME/rdbms/admin location. Many folks may NOT be aware of its existence. This script creates a new password function called VERIFY_FUNCTION_11G. This function is a quick and easy way to enforce the quality of database passwords, for example: a password should contain a certain number of characters, should NOT be identical to the username, and so on.

$ cd $ORACLE_HOME/rdbms/admin/
$ ls utlpwd*
utlpwdmg.sql

The end of the script has these lines:

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function_11G;

Once you execute the script utlpwdmg.sql, it will attach the function to the profile DEFAULT, which is the default profile for all users unless s

SYS> select * from dba_profiles where profile = 'DEFAULT' AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT    PASSWORD_VERIFY_FUNCTION         PASSWORD NULL

This script alters the default profile:

SYS> @?/rdbms/admin/utlpwdmg.sql;
Function created.
Profile altered.
Function created.

SYS> select * from dba_profiles where profile = 'DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';

PROFILE    RESOURCE_NAME                    RESOURCE LIMIT
---------- -------------------------------- -------- --------------------
DEFAULT    PASSWORD_VERIFY_FUNCTION         PASSWORD VERIFY_FUNCTION_11G

CREATE A NEW USER

SYS> create user sony identified by sony;
create user sony identified by sony
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

SYS> create user sony identified by sonyorcl;
create user sony identified by sonyorcl
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20008: Password must contain at least one digit, one character

SYS> create user sony1234 identified by sony1234;
create user sony1234 identified by sony1234
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password same as or similar to user

Complex password:

SYS> create user sony identified by orcl1986;
User created.

SYS> select username, profile from dba_users where username='SONY';

USERNAME                       PROFILE
------------------------------ ----------------------
SONY                           DEFAULT

You can remove this password verify function by assigning a NULL value to PASSWORD_VERIFY_FUNCTION.

SYS> ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;
Profile altered.

utlpwdmg.sql
This script needs to be run to enable the password security. This function must be created in the SYS schema. This function makes the minimum complexity checks, like minimum length of the password, password not the same as the username, etc.
REF_LINK: http://sk-rolling.blogspot.in/2006/08/password-management-script-at.html
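
A custom verify function attached to a single profile rather than to DEFAULT, added here as an example and not taken from utlpwdmg.sql or the original document. The function name app_verify_function, the length threshold and the error numbers and messages are assumptions; p2 is the profile created earlier on this page.

```sql
-- Added example (hypothetical function name; thresholds are assumptions).
-- Run as SYS: the verify function must be created in the SYS schema.
CREATE OR REPLACE FUNCTION app_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- Minimum length (12 is this example's choice).
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password length less than 12');
  END IF;

  -- Reject passwords that contain the username, ignoring case.
  IF INSTR(NLS_LOWER(password), NLS_LOWER(username)) > 0 THEN
    raise_application_error(-20002, 'Password contains the username');
  END IF;

  -- Require at least one digit and one letter.
  IF NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    raise_application_error(-20003, 'Password needs a digit and a letter');
  END IF;

  -- Reject reuse of the previous password when it is supplied.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20004, 'Password same as the old password');
  END IF;

  RETURN TRUE;
END;
/

-- Attach it to one profile instead of DEFAULT, then confirm.
ALTER PROFILE p2 LIMIT PASSWORD_VERIFY_FUNCTION app_verify_function;

SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION';
```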

SOME IMPORTANT VIEWS
DBA_PROFILES
RESOURCE_COST
USER_RESOURCE_LIMITS

There are only two RESOURCE TYPEs, "KERNEL" & "PASSWORD", and 16 RESOURCE NAMEs which can be given a limit from DBA_PROFILES.