Use the CREATE LOCKDOWN PROFILE statement to create a PDB lockdown profile. You can use PDB lockdown profiles in a multitenant container database (CDB) to restrict user operations in PDBs.

After you create a PDB lockdown profile, you can add restrictions to the profile with the ALTER LOCKDOWN PROFILE statement. You can restrict user operations associated with certain database features, options, and SQL statements.

When a lockdown profile is assigned to a PDB, users in that PDB cannot perform the operations that are the disabled for the profile. To assign a lockdown profile, set its name for the value of the PDB_LOCKDOWN initialization parameter. You can assign a lockdown profile to individual PDBs, or to all PDBs in a CDB or application container, as follows:

  • If you set PDB_LOCKDOWN while connected to a CDB root, then the lockdown profile applies to all PDBs in the CDB. It does not apply to the CDB root.

  • If you set PDB_LOCKDOWN while connected to an application root, then the lockdown profile applies to the application root and all PDBs in the application container.

  • If you set PDB_LOCKDOWN while connected to a particular PDB, then the lockdown profile applies to that PDB and overrides the lockdown profile for the CDB or application container, if one exists.

See Also:


The CREATE LOCKDOWN PROFILE statement is valid only in a CDB. The current container must be the CDB root and you must have the CREATE LOCKDOWN PROFILE system privilege, either granted commonly or granted locally in the CDB root.




Specify the name of the PDB lockdown profile to be created. The name must satisfy the requirements listed in “Database Object Naming Rules”. The profile_name must be unique across the entire CDB.


The following statement creates PDB lockdown profile hr_prof: