User Profiles

With the User Profiles feature in User Assessment, you gain a comprehensive understanding of the password-related attributes associated with your database user profiles. User Profiles enables you to identify and address any weak login and password governance policies, helping to strengthen the system's overall security.

About User Profiles

As part of User Assessment, User Profiles allows you to view password-related attributes associated with your database users via user profiles. After identifying potential misconfigurations or discrepancies between user profiles in different databases, you can implement best practices, such as enforcing strong, complex passwords and limiting the number of failed login attempts, to strengthen the system's overall security.

A user profile is a collection of password-related attributes determining the rules and restrictions for logging in and managing passwords within a database. The database can contain multiple user profiles, each associated with zero to many users. Each user in an Oracle database is assigned to a single user profile at any given time. If a user is not explicitly assigned to a profile, they are automatically assigned to the DEFAULT profile.

As a best practice and to ensure proper security and governance of your users' logins and passwords, it's recommended to customize the DEFAULT profile to fit your specific policies and requirements. This way, all users who aren't created with a defined user profile will still be governed by your organization's standards. Additionally, creating specific user profiles tailored to particular users or application needs is best. For instance, you should allow more failed login attempts, such as five, for interactive user accounts, as users may make mistakes entering their passwords. It's also advisable to automatically unlock locked accounts after some inactivity. This will block automated brute-force attacks from succeeding while not preventing interactive users from retrying their password to log in after some time. However, for service accounts, limit the number of failed login attempts to a lower value, like two, as these accounts are less likely to fail due to incorrect passwords.

Regardless of the user profile, setting a password verification function is essential to ensure all passwords meet complexity standards. By taking these steps, you can enhance the security of your system and protect your users' sensitive information.
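
The following SQL is an added example, not part of Oracle's documentation, showing the profile layout recommended above as it would be run on a target database by a DBA. The profile names app_interactive and app_service, the user names, and the one-hour lock time are assumptions; ora12c_verify_function is the Oracle-supplied complexity function and is assumed to be present on the target.

```sql
-- Added example. Profile names, user names and the 1-hour lock time are
-- hypothetical; adjust them to your own policy.

-- Harden DEFAULT so that users created without an explicit profile
-- are still governed by the organization's standards.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- in days: unlock automatically after 1 hour
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Interactive accounts: tolerate typing mistakes, unlock automatically.
CREATE PROFILE app_interactive LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Service accounts: a wrong password is unexpected, so lock sooner.
-- Parameters not listed here are inherited from the DEFAULT profile.
CREATE PROFILE app_service LIMIT
  FAILED_LOGIN_ATTEMPTS    2
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Assign each account to exactly one profile (user names are placeholders).
ALTER USER hr_clerk    PROFILE app_interactive;
ALTER USER batch_loader PROFILE app_service;
```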

Note:

While a user profile comprises password and resource-related attributes, Oracle Data Safe focuses solely on password-related attributes.

The following table lists password parameters.

Parameter                   Description
FAILED_LOGIN_ATTEMPTS       Maximum number of failed login attempts allowed before the user account is locked
PASSWORD_LIFE_TIME          Number of days the password is valid before it expires
PASSWORD_REUSE_TIME         Number of days after which the user can reuse a previously used password
PASSWORD_REUSE_MAX          Number of times the user can reuse a previously used password
PASSWORD_LOCK_TIME          Number of days the user account remains locked after failed login attempts
PASSWORD_GRACE_TIME         Number of grace days for the user to change the password
PASSWORD_VERIFY_FUNCTION    PL/SQL function that can be used for password verification
SEC_CASE_SENSITIVE_LOGON    Controls case sensitivity in passwords
PASSWORD_ROLLOVER_TIME      Number of days the password rollover is allowed. The value can range from a minimum of 1/24 day (1 hour) to 60 days.

Oracle Data Safe uses the user profiles that are already defined on the target database. User Profiles in Oracle Data Safe does not allow you to create or edit user profiles; they can only be viewed or analyzed. Possible analysis includes:
  • How many users are assigned to the DEFAULT profile, other Oracle-provided profiles, or your custom profiles in your databases or fleet.
  • How many databases have a specific named user profile so you can identify loosely-defined profiles and discrepancies, harden them, and work towards consistency across all your databases to reduce risk.
  • For each target database, what are all the password-related attributes for each profile, including the password verification function code.
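
The same questions can be asked of a single target database directly through its data dictionary. The queries below are an added example, not Oracle Data Safe's own code; they assume a session with read access to the DBA_USERS and DBA_PROFILES views.

```sql
-- Added example: per-database equivalent of the analysis listed above.

-- 1. How many users are assigned to each profile.
SELECT profile, COUNT(*) AS user_count
FROM   dba_users
GROUP  BY profile
ORDER  BY user_count DESC;

-- 2. All password-related attributes for each profile.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;

-- 3. Loosely defined profiles: no password verification function, or an
--    unlimited number of failed login attempts. A limit of 'DEFAULT' means
--    the value is inherited, so it is resolved against the DEFAULT profile
--    before testing.
SELECT p.profile,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_profiles p
JOIN   dba_profiles d
       ON  d.profile       = 'DEFAULT'
       AND d.resource_name = p.resource_name
WHERE  p.resource_type = 'PASSWORD'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_VERIFY_FUNCTION')
AND    DECODE(p.limit, 'DEFAULT', d.limit, p.limit) IN ('UNLIMITED', 'NULL')
ORDER  BY p.profile, p.resource_name;
```

Running query 2 on each database and comparing the output for a given profile name shows the discrepancies that the aggregated view hides, since profiles with the same name can carry different limits on different targets.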

To create or edit user profiles in your target database, see the Oracle Database SQL Language Reference guide.

View User Profile Charts

  1. On the left navigation pane, under User assessment, select User profiles. The User profiles page opens.
  2. On the Overview tab, examine the charts.
    • Configure the compartment filter to include the target databases that you want.
    • The Users distribution chart compares the number of users per user profile.
    • The Password complexity check (Users) chart compares the number of user profiles that meet complexity requirements with those that do not.
    • You can select items in the legend to show and hide chart elements.

View User Profile Details

  1. On the left navigation pane, under User assessment, select User profiles. The User profiles page opens.
  2. Select the User profile summary tab.
    • This tab consists of a table that lists all user profile names and the number of target databases and users for each profile.
    • The profiles are aggregated by name, even though profiles of the same name might have different parameters in different target databases.
  3. Select a profile name. Details for the selected user profile are displayed.
  4. View the number of target databases and users that use the user profile.
  5. For each target database listed in the table, view the number of users using the profile, allowed failed login attempts, password requirements, allowed inactivity period (days), account lockout period (days), and sessions per user.
  6. (Optional) Select the Search and Filter box, and then set a filter on target database, number of users, allowed failed login attempts, password requirements, allowed inactivity period (days), or account lockout period (days).
  7. (Optional) Select the Manage Columns icon, and then select/deselect columns to be displayed/hidden in the table. Select Apply Changes.
  8. (Optional) In the table, select the name of a target database to view details about the user profile on that target specifically.
    • You can view the User Assessment OCID and compartment; the target database name; user count for the profile; and details about password parameters.
    • Scroll down to view a table that shows you user details. For each user, you can view the user's name; user type; whether the user is a DBA, DV Admin, or Audit admin; potential risk level of the user; status; password changed time; last login time; schema access; link to the user's profile; link to the user's audit records; password expiry date; when the user was created; and the user authentication method.

View User Profile Details by Target

  1. On the left navigation pane, under User assessment, select User profiles. The User profiles page opens.
  2. Select the Target summary tab.
    • This tab consists of a table that shows all user profiles in target databases and specific password parameters for each one, including the number of allowed failed login attempts, password requirements, how many sessions a user can have open, whether the user profile is defined by Oracle, and the number of users using the profile.
  3. Configure the compartment filter to include the target databases that you want.
  4. Select the Search and Filter box, and then set a filter on target database, profile name, password requirements, and created (when the profile was created).
  5. (Optional) In the table, select a profile name to view more detail about the profile.
    • You can view the User Assessment OCID and compartment; the target database name; user count for the profile; and details about password parameters.
    • Scroll down to view a table that shows you user details. For each user, you can view the user's name; user type; whether the user is a DBA, DV Admin, or Audit admin; potential risk level of the user; status; password changed time; last login time; schema access; link to the user's profile; link to the user's audit records; password expiry date; when the user was created; and the user authentication method.