SQL Statements (continued), 20 of 20

CREATE PROFILE

Syntax

Purpose

To create a profile. A profile is a set of limits on database resources. If you assign the profile to a user, that user cannot exceed these limits.

Prerequisites

You must have CREATE PROFILE system privilege.

To specify resource limits for a user, you must:

Enable resource limits dynamically with the ALTER SYSTEM statement (see "ALTER SYSTEM") or with the initialization parameter RESOURCE_LIMIT. (This parameter does not apply to password resources. Password resources are always enabled.)
Create a profile that defines the limits using the CREATE PROFILE statement.
Assign the profile to the user using the CREATE USER or ALTER USER statement (see "CREATE USER" and "ALTER USER").

Keywords and Parameters

Examples

The following statement creates the profile SYSTEM_MANAGER:

CREATE PROFILE system_manager 
   LIMIT SESSIONS_PER_USER    UNLIMITED 
   CPU_PER_SESSION            UNLIMITED 
   CPU_PER_CALL               3000 
   CONNECT_TIME               45 
   LOGICAL_READS_PER_SESSION  DEFAULT 
   LOGICAL_READS_PER_CALL     1000 
   PRIVATE SGA                15K 
   COMPOSITE_LIMIT            5000000;

If you then assign the SYSTEM_MANAGER profile to a user, the user is subject to the following limits in subsequent sessions:

The user can have any number of concurrent sessions.
In a single session, the user can consume an unlimited amount of CPU time.
A single call made by the user cannot consume more than 30 seconds of CPU time.
A single session cannot last for more than 45 minutes.
In a single session, the number of data blocks read from memory and disk is subject to the limit specified in the DEFAULT profile.
A single call made by the user cannot read more than 1000 data blocks from memory and disk.
A single session cannot allocate more than 15 kilobytes of memory in the SGA.
In a single session, the total resource cost cannot exceed 5 million service units. The formula for calculating the total resource cost is specified by the ALTER RESOURCE COST statement.
Since the SYSTEM_MANAGER profile omits a limit for IDLE_TIME and for password limits, the user is subject to the limits on these resources specified in the DEFAULT profile.

The following statement creates the profile PROF:

CREATE PROFILE prof
  LIMIT PASSWORD_REUSE_MAX DEFAULT
        PASSWORD_REUSE_TIME UNLIMITED;

The following statement creates profile MYPROFILE with password profile limits values set:

CREATE PROFILE myprofile LIMIT
   FAILED_LOGIN_ATTEMPTS 5
   PASSWORD_LIFE_TIME 60
   PASSWORD_REUSE_TIME 60
   PASSWORD_REUSE_MAX UNLIMITED
   PASSWORD_VERIFY_FUNCTION verify_function
   PASSWORD_LOCK_TIME 1/24
   PASSWORD_GRACE_TIME 10;

profile	is the name of the profile to be created. Use profiles to limit the database resources available to a user for a single call or a single session.
	Oracle enforces resource limits in the following ways: If a user exceeds the `CONNECT_TIME` or `IDLE_TIME` session resource limit, Oracle rolls back the current transaction and ends the session. When the user process next issues a call, Oracle returns an error. If a user attempts to perform an operation that exceeds the limit for other session resources, Oracle aborts the operation, rolls back the current statement, and immediately returns an error. The user can then commit or roll back the current transaction, and must then end the session. If a user attempts to perform an operation that exceeds the limit for a single call, Oracle aborts the operation, rolls back the current statement, and returns an error, leaving the current transaction intact.
	Notes: You can use fractions of days for all parameters that limit time, with days as units. For example, 1 hour is 1/24 and 1 minute is 1/1440. You can specify resource limits for users regardless of whether the resource limits are enabled. However, Oracle does not enforce the limits until you enable them.
`UNLIMITED`	When specified with a resource parameter, indicates that a user assigned this profile can use an unlimited amount of this resource. When specified with a password parameter, indicates that no limit has been set for the parameter.
`DEFAULT`	omits a limit for this resource in this profile. A user assigned this profile is subject to the limit for this resource specified in the `DEFAULT` profile. The `DEFAULT` profile initially defines unlimited resources. You can change those limits with the `ALTER PROFILE` statement.
	Any user who is not explicitly assigned a profile is subject to the limits defined in the `DEFAULT` profile. Also, if the profile that is explicitly assigned to a user omits limits for some resources or specifies `DEFAULT` for some limits, the user is subject to the limits on those resources defined by the `DEFAULT` profile.
*resource_parameters*
`SESSIONS_PER_USER`	limits a user to integer concurrent sessions.
`CPU_PER_SESSION`	limits the CPU time for a session, expressed in hundredth of seconds.
`CPU_PER_CALL`	limits the CPU time for a call (a parse, execute, or fetch), expressed in hundredths of seconds.
`CONNECT_TIME`	limits the total elapsed time of a session, expressed in minutes.
`IDLE_TIME`	limits periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit.
`LOGICAL_READS_PER_SESSION`	specifies the number of data blocks read in a session, including blocks read from memory and disk.
`LOGICAL_READS_PER_CALL`	specifies the number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).
`PRIVATE_SGA`	specifies the amount of private space a session can allocate in the shared pool of the system global area (SGA), expressed in bytes. Use K or M to specify this limit in kilobytes or megabytes.
	Note: This limit applies only if you are using multi-threaded server architecture. The private space for a session in the SGA includes private SQL and PL/SQL areas, but not shared SQL and PL/SQL areas.
`COMPOSITE_LIMIT`	specifies the total resources cost for a session, expressed in service units. Oracle calculates the total service units as a weighted sum of `CPU_PER_SESSION`, `CONNECT_TIME`, `LOGICAL_READS_PER_SESSION`, and `PRIVATE_SGA`. For information on how to specify the weight for each session resource, see "ALTER RESOURCE COST".
*password_parameters*	For a detailed description and explanation of how to use password management and protection, see Oracle8i Administrator's Guide.
`FAILED_LOGIN_ATTEMPTS`	specifies the number of failed attempts to log in to the user account before the account is locked.
`PASSWORD_LIFE_TIME`	limits the number of days the same password can be used for authentication. The password expires if it is not changed within this period, and further connections are rejected.
`PASSWORD_REUSE_TIME`	specifies the number of days before which a password cannot be reused. If you set `PASSWORD_REUSE_TIME` to an integer value, then you must set `PASSWORD_REUSE_MAX` to `UNLIMITED`.
`PASSWORD_REUSE_MAX`	specifies the number of password changes required before the current password can be reused. If you set `PASSWORD_REUSE_MAX` to an integer value, then you must set `PASSWORD_REUSE_TIME` to `UNLIMITED`.
`PASSWORD_LOCK_TIME`	specifies the number of days an account will be locked after the specified number of consecutive failed login attempts.
`PASSWORD_GRACE_TIME`	specifies the number of days after the grace period begins during which a warning is issued and login is allowed. If the password is not changed during the grace period, the password expires.
`PASSWORD_VERIFY_FUNCTION`	allows a PL/SQL password complexity verification script to be passed as an argument to the `CREATE PROFILE` statement. Oracle provides a default script, but you can create your own routine or use third-party software instead.
	function	is the name of the password complexity verification routine.
	`NULL`	indicates that no password verification is performed.
Restrictions on password parameters: If `PASSWORD_REUSE_TIME` is set to an integer value, `PASSWORD_REUSE_MAX` must be set to `UNLIMITED`. If `PASSWORD_REUSE_MAX` is set to an integer value, `PASSWORD_REUSE_TIME` must be set to `UNLIMITED`. If both `PASSWORD_REUSE_TIME` and `PASSWORD_REUSE_MAX` are set to `UNLIMITED`, then Oracle uses neither of these password resources. If `PASSWORD_REUSE_MAX` is set to `DEFAULT` and `PASSWORD_REUSE_TIME` is set to `UNLIMITED`, then Oracle uses the `PASSWORD_REUSE_MAX` value defined in the `DEFAULT` profile. If `PASSWORD_REUSE_TIME` is set to `DEFAULT` and `PASSWORD_REUSE_MAX` is set to `UNLIMITED`, then Oracle uses the `PASSWORD_REUSE_TIME` value defined in the `DEFAULT` profile. If both `PASSWORD_REUSE_TIME` and `PASSWORD_REUSE_MAX` are set to `DEFAULT`, then Oracle uses whichever value is defined in the `DEFAULT` profile.