CREATE LOCKDOWN PROFILE
Purpose
Use the CREATE
LOCKDOWN
PROFILE
statement to create a PDB lockdown profile. You can use PDB lockdown profiles in a multitenant container database (CDB) to restrict user operations in PDBs.
After you create a PDB lockdown profile, you can add restrictions to the profile with the ALTER
LOCKDOWN
PROFILE
statement. You can restrict user operations associated with certain database features, options, and SQL statements.
When a lockdown profile is assigned to a PDB, users in that PDB cannot perform the operations that are the disabled for the profile. To assign a lockdown profile, set its name for the value of the PDB_LOCKDOWN
initialization parameter. You can assign a lockdown profile to individual PDBs, or to all PDBs in a CDB or application container, as follows:
-
If you set
PDB_LOCKDOWN
while connected to a CDB root, then the lockdown profile applies to all PDBs in the CDB. It does not apply to the CDB root. -
If you set
PDB_LOCKDOWN
while connected to an application root, then the lockdown profile applies to the application root and all PDBs in the application container. -
If you set
PDB_LOCKDOWN
while connected to a particular PDB, then the lockdown profile applies to that PDB and overrides the lockdown profile for the CDB or application container, if one exists.
See Also:
-
Oracle Database Security Guide for more information on PDB lockdown profiles
Prerequisites
The CREATE
LOCKDOWN
PROFILE
statement is valid only in a CDB. The current container must be the CDB root and you must have the CREATE
LOCKDOWN
PROFILE
system privilege, either granted commonly or granted locally in the CDB root.
Syntax
create_lockdown_profile::=
Semantics
profile_name
Specify the name of the PDB lockdown profile to be created. The name must satisfy the requirements listed in “Database Object Naming Rules”. The profile_name
must be unique across the entire CDB.
Example
The following statement creates PDB lockdown profile hr_prof
:
CREATE LOCKDOWN PROFILE hr_prof;