USER statement to create and configure a database user, which is an account through which you can log in to the database, and to establish the means by which Oracle Database permits access by the user.
You can issue this statement in an Oracle Automatic Storage Management (Oracle ASM) cluster to add a user and password combination to the password file that is local to the Oracle ASM instance of the current node. Each node's Oracle ASM instance can use this statement to update its own password file. The password file itself must have been created by the
You can enable a user to connect to the database through a proxy application or application server. For syntax and discussion, refer to ALTER USER.
You must have the
USER system privilege. When you create a user with the
USER statement, the user's privilege domain is empty. To log on to Oracle Database, a user must have the
SESSION system privilege. Therefore, after creating a user, you should grant the user at least the
SESSION system privilege. Refer to GRANT for more information.
Only a user authenticated
SYSASM can issue this command to modify the Oracle ASM instance password file.
To specify the
CONTAINER clause, you must be connected to a multitenant container database (CDB). To specify
ALL, the current container must be the root. To specify
CURRENT, the current container must be a pluggable database (PDB).
Specify the name of the user to be created. This name can contain only characters from your database character set and must follow the rules described in the section "Database Object Naming Rules". Oracle recommends that the user name contain at least one single-byte character regardless of whether the database character set also contains multibyte characters.
In a non-CDB, a user name cannot begin with
A multitenant container database is the only supported architecture in Oracle Database 20c. While the documentation is being revised, legacy terminology may persist. In most cases, "database" and "non-CDB" refer to a CDB or PDB, depending on context. In some contexts, such as upgrades, "non-CDB" refers to a non-CDB from a previous release.
In a CDB, the requirements for a user name are as follows:
The name of a common user must begin with characters that are a case-insensitive match to the prefix specified by the
COMMON_USER_PREFIXinitialization parameter. By default, the prefix is
The name of a local user must not begin with characters that are a case-insensitive match to the prefix specified by the
COMMON_USER_PREFIXinitialization parameter. Regardless of the value of
COMMON_USER_PREFIX, the name of a local user can never begin with
If the value of
COMMON_USER_PREFIX is an empty string, then there are no requirements for common or local user names with one exception: the name of a local user can never begin with
c##. Oracle recommends against using an empty string value because it might result in conflicts between the names of local and common users when a PDB is plugged into a different CDB, or when opening a PDB that was closed when a common user was created.
Oracle recommends that user names and passwords be encoded in ASCII or EBCDIC characters only, depending on your platform.
IDENTIFIED clause lets you indicate how Oracle Database authenticates the user.
password clause lets you creates a local user and indicates that the user must specify
password to log on to the database. Passwords are case sensitive. Any subsequent
CONNECT string used to connect this user to the database must specify the password using the same case (upper, lower, or mixed) that is used in this
USER statement or a subsequent
USER statement. Passwords can contain any single-byte, multibyte, or special characters, or any combination of these, from your database character set, with the exception of the double quotation mark (") and the return character. If a password starts with a non-alphabetic character, or contains a character other than an alphanumeric character, the underscore (_), dollar sign ($), or pound sign (#), then it must be enclosed in double quotation marks. Otherwise, enclosing a password in double quotation marks is optional.
Oracle Database Security Guide for more information about case-sensitive passwords, password complexity, and other password guidelines
Passwords must follow the rules described in the section "Database Object Naming Rules", unless you are using one of the three Oracle Database password complexity verification routines. These routines requires a more complex combination of characters than the normal naming rules permit. You implement these routines with the
UTLPWDMG.SQL script, which is further described in Oracle Database Security Guide.
Oracle recommends that user names and passwords be encoded in ASCII or EBCDIC characters only, depending on your platform.
Oracle Database Security Guide to for a detailed discussion of password management and protection
[HTTP] DIGEST Clause
This clause lets you
DISABLE HTTP Digest Access Authentication for the user. The default is
HTTP keyword is optional and is provided for semantic clarity.
Restriction on the [HTTP] DIGEST Clause
You cannot specify this clause for external or global users.
EXTERNALLY to create an external user. Such a user must be authenticated by an external service, such as an operating system or a third-party service. In this case, Oracle Database relies on authentication by the operating system or third-party service to ensure that a specific external user has access to a specific database user.
This clause is required for and used for SSL-authenticated external users only. The
certificate_DN is the distinguished name in the user's PKI certificate in the user's wallet. The maximum length of
certificate_DN is 1024 characters.
This clause is required for and used for Kerberos-authenticated external users only. The maximum length of
kerberos_principal_name is 1024 characters.
Oracle strongly recommends that you do not use
EXTERNALLY with operating systems that have inherently weak login security.
Restriction on Creating External Users
Oracle ASM does not support the creation of external users.
Oracle Database Enterprise User Security Administrator's Guide for more information on externally identified users
directory_DN string can take one of two forms:
The X.509 name at the enterprise directory service that identifies this user. It should be of the form
other_attributesis the rest of the user's distinguished name (DN) in the directory. This form uses the LDAP Data Interchange Format (LDIF) and creates a private global schema.
A null string (' ') indicating that the enterprise directory service will map authenticated global users to this database schema with the appropriate roles. This form is the same as specifying the
GLOBALLYkeyword alone and creates a shared global schema.
The maximum length of
directory_DN is 1024 characters.
You can control the ability of an application server to connect as the specified user and to activate that user's roles using the
Restriction on Creating Global Users
Oracle ASM does not support the creation of global users.
NO AUTHENTICATION Clause
NO AUTHENTICATION clause to create a schema that does not have a password and cannot be logged into. This is intended for schema only accounts and reduces maintenance by removing default passwords and any requirement to rotate the password.
DEFAULT COLLATION Clause
This clause lets you specify the default collation for the schema owned by the user. The default collation is assigned to tables, views, and materialized views that are subsequently created in the schema.
collation_name, specify a valid named collation or pseudo-collation.
If you omit this clause, then the default collation for the schema owned by the user is set to the
You can override this clause and assign a different default collation to a particular table, materialized view, or view by specifying the
COLLATION clause of the
ALTER statement for the table, materialized view, or view. You can also override the default collations of all schemas for the duration of a database session by setting the default collation for the session. See the DEFAULT_COLLATION clause of
SESSION for more details.
You can specify the
COLLATION clause only if the
COMPATIBLE initialization parameter is set to
12.2 or greater, and the
MAX_STRING_SIZE initialization parameter is set to
DEFAULT TABLESPACE Clause
Specify the default tablespace for objects that are created in the user's schema. If you omit this clause, then the user's objects are stored in the database default tablespace. If no default tablespace has been specified for the database, then the user's objects are stored in the
Restriction on Default Tablespaces
You cannot specify a locally managed temporary tablespace, including an undo tablespace, or a dictionary-managed temporary tablespace, as a user's default tablespace.
[LOCAL] TEMPORARY TABLESPACE Clause
Specify the tablespace or tablespace group for the user's temporary segments. If you omit this clause, then the user's temporary segments are stored in the database default temporary tablespace or, if none has been specified, in the
tablespaceto indicate the user's temporary tablespace. Specify
TABLESPACEto indicate a shared temporary tablespace. Specify
TABLESPACEto indicate a local temporary tablespace. If you are connected to a CDB, then you can specify
CDB$DEFAULTto use the CDB-wide default temporary tablespace.
tablespace_group_nameto indicate that the user can save temporary segments in any tablespace in the tablespace group specified by
tablespace_group_name. Local temporary tablespaces cannot be part of a tablespace group.
Restrictions on Temporary Tablespace
This clause is subject to the following restrictions:
The tablespace must be a temporary tablespace and must have a standard block size.
The tablespace cannot be an undo tablespace or a tablespace with automatic segment-space management.
USER statement can have multiple
QUOTA clauses for multiple tablespaces.
UNLIMITED lets the user allocate space in the tablespace without bound.
The maximum amount of space that you can specify is 2 terabytes (TB). If you need more space, then specify
Restriction on the QUOTA Clause
You cannot specify this clause for a temporary tablespace.
Specify the profile you want to assign to the user. The profile limits the amount of database resources the user can use. If you omit this clause, then Oracle Database assigns the
DEFAULT profile to the user.
You can use the
CREATE USER statement to create a new user, and associate the user with a profile that has the
You must first set the password rollover period using
CREATE PROFILE or
In the example
u1 is the user, with password
prof1 is the profile with
CREATE USER u1 IDENTIFIED BY p1 PROFILE prof1 ;
Oracle recommends that you use the Database Resource Manager to establish database resource limits rather than SQL profiles. The Database Resource Manager offers a more flexible means of managing and tracking resource use. For more information on the Database Resource Manager, refer to Oracle Database Administrator's Guide.
PASSWORD EXPIRE Clause
This clause is not reversible. Specify
EDITIONS to allow the user to create multiple versions of editionable objects in this schema using editions. Editionable objects in schemas that are not editions-enabled cannot be editioned.
Note the following before enabling editions with
Enabling editions is not a live operation.
When a database is upgraded from Release 11.2 to Release 12.1, users who were enabled for editions in the pre-upgrade database are enabled for editions in the post-upgrade database and the default schema object types are editionable in their schemas. The default schema object types are displayed by the static data dictionary view
DBA_EDITIONED_TYPES. Users who were not enabled for editions in the pre-upgrade database are not enabled for editions in the post-upgrade database and no schema object types are editionable in their schemas.
To see which users already have editions enabled, see the
EDITIONS_ENABLEDcolumn of the static data dictionary view
Restriction on Enabling Editions
FOR clause is ignored when used with
ENABLE EDITIONS. This only applies to the
CREATE USER statement, not the
ALTER USER statement.
You cannot enable editions for any schemas supplied by Oracle.
CONTAINER clause applies when you are connected to a CDB. However, it is not necessary to specify the
CONTAINER clause because its default values are the only allowed values.
To create a common user, you must be connected to the root. You can optionally specify
ALL, which is the default when you are connected to the root.
To create a local user, you must be connected to a PDB. You can optionally specify
CURRENT, which is the default when you are connected to a PDB.
While creating a common user, any default tablespace, temporary tablespace, or profile specified using the following clauses must exist in all the containers belonging to the CDB:
If these objects do not exist in all the containers, the
USER statement fails.
All of the following examples use the
example tablespace, which exists in the seed database and is accessible to the sample schemas.
Creating a Database User: Example
If you create a new user with
EXPIRE, then the user's password must be changed before the user attempts to log in to the database. You can create the user
sidney by issuing the following statement:
CREATE USER sidney IDENTIFIED BY out_standing1 DEFAULT TABLESPACE example QUOTA 10M ON example TEMPORARY TABLESPACE temp QUOTA 5M ON system PROFILE app_user PASSWORD EXPIRE;
sidney has the following characteristics:
example, with a quota of 10 megabytes
Access to the tablespace
SYSTEM, with a quota of 5 megabytes
Limits on database resources defined by the profile
app_user(which was created in "Creating a Profile: Example")
An expired password, which must be changed before
sidneycan log in to the database
Creating External Database Users: Examples
The following example creates an external user, who must be identified by an external source before accessing the database:
CREATE USER app_user1 IDENTIFIED EXTERNALLY DEFAULT TABLESPACE example QUOTA 5M ON example PROFILE app_user;
app_user1 has the following additional characteristics:
Default temporary tablespace
5M of space on the tablespace
exampleand unlimited quota on the temporary tablespace of the database
Limits on database resources defined by the
To create another user accessible only by an operating system account, prefix the user name with the value of the initialization parameter
OS_AUTHENT_PREFIX. For example, if this value is "
ops$", then you can create the externally identified user
external_user with the following statement:
CREATE USER ops$external_user IDENTIFIED EXTERNALLY DEFAULT TABLESPACE example QUOTA 5M ON example PROFILE app_user;
Creating a Global Database User: Example
The following example creates a global user. When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:
CREATE USER global_user IDENTIFIED GLOBALLY AS 'CN=analyst, OU=division1, O=oracle, C=US' DEFAULT TABLESPACE example QUOTA 5M ON example;
Creating a Common User in a CDB
The following example creates a common user called c##
comm_user in a CDB. Before you run this
CREATE USER statement, ensure that the tablespaces
temp_tbs exist in all of the containers in the CDB.
CREATE USER c##comm_user IDENTIFIED BY comm_pwd DEFAULT TABLESPACE example QUOTA 20M ON example TEMPORARY TABLESPACE temp_tbs;
comm_user has the following additional characteristics:
example, with a quota of 20 megabytes