A PDB lockdown profile is used to restrict the features and options available to Oracle Database Exadata Express Cloud Service users. These restrictions are important to enhance security.

There is a default lockdown profile for each type of Exadata Express depending on the size of the PDB (X20, X50, and X50IM). The service uses the Resource Manager to limit resources used by each tenant in the service. This is complementary to the lockdown profile that is used for each tenant. See Resource Restrictions for further information.

The following lists the security restrictions imposed on Exadata Express by the lockdown profile:

• ALTER SYSTEM is disabled except ALTER SYSTEM SET. In other words, you cannot issue a ALTER SYSTEM statement unless it contains the SET clause as well.

• ALTER SYSTEM SET is allowed except for the following cases:

  • It cannot be used to alter the value of any hidden parameters (underscore parameters).

  • It cannot be used to set SQL_TRACE, EVENTS, ENABLE_DDL_LOGGING, 07_DICTIONARY_ACCESSIBILITY, and SEC_PROTOCOL_ERROR_TRACE_ACTION.

• ALTER SESSION is disabled if you try to:

  • Alter the value of any hidden parameters (underscore parameters).

  • Set SQL_TRACE, EVENTS, ENABLE_DDL_LOGGING.

• All ALTER PLUGGABLE DATABASE and ALTER DATABASE statements are disabled except the ones that do the following operations:

  • Set DEFAULT EDITION, DEFAULT TEMPORARY TABLESPACE, TABLESPACE, TIME_ZONE, {DATAFILE|TEMPFILE} RESIZE, {DATAFILE|TEMPFILE} AUTOEXTEND ON, {DATAFILE|TEMPFILE}AUTOEXTEND OFF

  • {OPEN|CLOSE}

• Operating system access, common schema access, and AWR access are all disabled.

• Network access is disabled, except when using APEX_WEB_SERVICE and APEX_MAIL PL/SQL APIs. See:

  • "APEX_WEB_SERVICE" in Application Express API Reference .

  • "APEX_MAIL" in Application Express API Reference .