ALTER PROFILE
The ALTER PROFILE statement adds, modifies, or removes one or more password parameters in a profile.
Required privilege
ADMIN
Usage with TimesTen Scaleout
This statement is supported with TimesTen Scaleout.
SQL syntax
ALTER PROFILE profile LIMIT password_parameters password_parameters::= [FAILED_LOGIN_ATTEMPTS password_parameter_options] [PASSWORD_LIFE_TIME password_parameter_options] [PASSWORD_REUSE_TIME password_parameter_options] [PASSWORD_REUSE_MAX password_parameter_options] [PASSWORD_LOCK_TIME password_parameter_options] [PASSWORD_GRACE_TIME password_parameter_options] [{PASSWORD_COMPLEXITY_CHECKER|PASSWORD_VERIFY_FUNCTION} password_checker_options] password_parameter_options::= UNLIMITED|DEFAULT|constant password_checker_options::= function|NULL|DEFAULT function::= TT_VERIFY_FUNCTION|TT_STRONG_VERIFY_FUNCTION|TT_STIG_VERIFY_FUNCTION
Parameters
| Parameter | Description |
|---|---|
|
|
Name of the profile. |
|
|
The The password parameters consist of the name of the password parameter and the value (or limit) for the password parameter. This includes the password complexity checker functions. All the parameters (with the exception of If you do not specify a password parameter after the |
|
|
Specifies the number of consecutive failed attempts to connect to the database by a user before that user's account is locked. |
|
|
Specifies the number of days that a user can use the same password for authentication. If you also set a value for |
|
|
These two parameters must be used together.
You must specify a value for both parameters for them to have any effect. Specifically:
|
|
|
Specifies the number of days the user account is locked after the specified number of consecutive failed connection attempts. |
|
|
Specifies the number of days after the grace period begins during which TimesTen issues a warning, but allows the connection to the database. If the password is not changed during the grace period, the password expires. This parameter is associated with the |
|
|
Indicates that there is no limit for the password parameter. If you specify |
|
|
Indicates that you want to omit a limit for the password parameter in this profile. A user that is assigned this profile is subject to the limit defined in the If you specify |
|
|
Indicates the value of the password parameter if you do not specify |
|
|
Indicates if password verification is done on passwords and, if so, the function used for verification. You can specify either the function refers to one of the three supported password complexity checker functions. Specify one of these functions to direct TimesTen to perform password verification. Valid values:
If you do not specify the |
Description
-
Use the
ALTERPROFILEstatement to modify a previously created profile. See "CREATE PROFILE" for information on creating a profile. -
Changes made using the
ALTERPROFILEstatement takes effect the next time any affected user connected to the database. The exception is when you modify thePASSWORD_COMPLEXITY_CHECKERpassword parameter. Password verification is only done on newly created passwords (on the password provided in theIDENTIFIEDBYclause of theCREATEUSERorALTERUSERstatement). Therefore, a user can connect to the database with an old password. See "ALTER the PASSWORD_COMPLEXITY_CHECKER password parameter" for an example. -
You can alter the
DEFAULTprofile. However, you cannot drop theDEFAULTprofile. See "Alter the DEFAULT profile" for an example of altering theDEFAULTprofile. -
You cannot alter the password parameters of the
SYSTEMprofile. This profile is assigned to system users, including the instance administrator. - You can alter the profile to change the password verification that is done on the passwords of users that are assigned the profile. See "About Password Complexity Checker Verification" for information on password verification and the password complexity checker verification functions.
Examples
ALTER the PASSWORD_COMPLEXITY_CHECKER password parameter
This example creates the myprofile_alterpw1 profile and specifies TT_VERIFY_FUNCTION for the PASSWORD_COMPLEXITY_CHECKER password parameter. The example then creates the sampleuser_alterpw1 user and assigns the myprofile_alterpw1 profile to the sampleuser_alterpw1 user. The example alters the profile, specifying TT_STIG_VERIFY_FUNCTION for the PASSWORD_COMPLEXITY_CHECKER password parameter. The sampleuser_alterpw1 attempts to connect to the database with the original password. The connection is successful. TimesTen does not perform password verification on old passwords. The example then uses the ALTER USER statement to change the sampleuser_alterpw1 user password to meet the requirements of the TT_STIG_VERIFY_FUNCTION. The ALTER USER statement succeeds and the user's password is changed.
Command> CREATE PROFILE myprofile_alterpw1 LIMIT
PASSWORD_COMPLEXITY_CHECKER TT_VERIFY_FUNCTION;
Profile created.
Command> CREATE USER sampleuser_alterpw1
IDENTIFIED BY "%aabb2L90" PROFILE myprofile_alterpw1;
User created.Alter the myprofile_alterpw1 profile, changing the value of PASSWORD_COMPLEXITY_CHECKER to TT_STIG_VERIFY_FUNCTION. Connect to the database as the sampleuser_alterpw1 user. The connection succeeds.
Command> ALTER PROFILE myprofile_alterpw1 LIMIT
PASSWORD_COMPLEXITY_CHECKER TT_STIG_VERIFY_FUNCTION;
Profile altered.
Command> GRANT CONNECT TO sampleuser_alterpw1;
Command> connect adding "UID=sampleuser_alterpw1;PWD=%aabb2L90" as sampleuser;
Connection successful: DSN=access1;UID=sampleuser_alterpw1;
DataStore=/scratch/sampleuser/mydatabase1;DatabaseCharacterSet=AL32UTF8;
ConnectionCharacterSet=AL32UTF8;PermSize=128;
(Default setting AutoCommit=1)
Alter the sampleuser_alterpw1 user specifying the same password. The ALTER USER statement fails. The newly created password does not meet the requirements of the TT_STIG_VERIFY_FUNCTION function. Alter the sampleuser_alterpw1 again, specifying a password that meets the requirements of the TT_STIG_VERIFY_FUNCTION function. The ALTER USER statement succeeds. See "TT_STIG_VERIFY_FUNCTION" for information on the TT_STIG_VERIFY_FUNCTION function.
Command> ALTER USER sampleuser_alterpw1
IDENTIFIED BY "%aabb2L90";
15186: Password complexity check for the specified password failed
15188: TT-20001: Password length less than 15
The command failed.
Command> ALTER USER sampleuser_alterpw1
IDENTIFIED BY "%aabb2L##mf5Fn!";
User altered.Alter the DEFAULT profile
This example verifies the values of the password parameters in the DEFAULT profile. It then alters the profile with different values. Users that are assigned the DEFAULT profile will inherit the modified values at the user's next connection to the database.
Command> SELECT * FROM dba_profiles WHERE profile='DEFAULT' AND
resource_type='PASSWORD';
< DEFAULT, FAILED_LOGIN_ATTEMPTS, PASSWORD, 10 >
< DEFAULT, PASSWORD_LIFE_TIME, PASSWORD, UNLIMITED >
< DEFAULT, PASSWORD_REUSE_TIME, PASSWORD, UNLIMITED >
< DEFAULT, PASSWORD_REUSE_MAX, PASSWORD, UNLIMITED >
< DEFAULT, PASSWORD_COMPLEXITY_CHECKER, PASSWORD, NULL >
< DEFAULT, PASSWORD_LOCK_TIME, PASSWORD, .0034 >
< DEFAULT, PASSWORD_GRACE_TIME, PASSWORD, UNLIMITED >
7 rows found.
Create the user1 user and do not specify a profile. User1 is assigned the DEFAULT profile. Use the ALTER PROFILE statement to change the value of the FAILED_LOGIN_ATTEMPTS password parameter to 5 and the value of the PASSWORD_LOCK_TIME password parameter to 1 for the DEFAULT profile. Enclose DEFAULT in double quotation marks as DEFAULT is a reserved word. Connect to the database five times as user1 supplying an incorrect password each time. On the sixth attempt, the user1 account is locked.
Command> CREATE USER user1 IDENTIFIED BY user1; User created. Command> GRANT CONNECT TO user1;
Query the dba_users system view to verify that user1 is assigned the DEFAULT profile.
Command> SELECT profile FROM dba_users WHERE username='USER1'; < DEFAULT > 1 row found.
Use the ALTER PROFILE statement to modify the DEFAULT profile.
Command> ALTER PROFILE "DEFAULT" LIMIT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LOCK_TIME 1;
Profile altered.
Query the dba_profiles system view to verify the values are changed (represented in bold).
Command> SELECT * FROM dba_profiles WHERE profile='DEFAULT' AND resource_type='PASSWORD'; < DEFAULT, FAILED_LOGIN_ATTEMPTS, PASSWORD, 5 > < DEFAULT, PASSWORD_LIFE_TIME, PASSWORD, UNLIMITED > < DEFAULT, PASSWORD_REUSE_TIME, PASSWORD, UNLIMITED > < DEFAULT, PASSWORD_REUSE_MAX, PASSWORD, UNLIMITED > < DEFAULT, PASSWORD_COMPLEXITY_CHECKER, PASSWORD, NULL > < DEFAULT, PASSWORD_LOCK_TIME, PASSWORD, 1 > < DEFAULT, PASSWORD_GRACE_TIME, PASSWORD, UNLIMITED > 7 rows found.
Attempt to connect to the database as user1. Supply an incorrect password. On the sixth attempt, the user1 account is locked.
Command> connect adding "uid=user1;pwd=user1_test1" as user1; 7001: User authentication failed The command failed. none: Command> connect adding "uid=user1;pwd=user1_test2" as user1; 7001: User authentication failed The command failed. none: Command> connect adding "uid=user1;pwd=user1_test3" as user1; 7001: User authentication failed The command failed. none: Command> connect adding "uid=user1;pwd=user1_test4" as user1; 7001: User authentication failed The command failed. none: Command> connect adding "uid=user1;pwd=user1_test5" as user1; 7001: User authentication failed The command failed. none: Command> connect adding "uid=user1;pwd=user1_test6" as user1; 15179: the account is locked The command failed.
Create a profile then alter the profile
This example creates the profile1 profile and specifies values for the FAILED_LOGIN_ATTEMPTS, the PASSWORD_LIFE_TIME, the PASSWORD_LOCK_TIME, and the PASSWORD_GRACE_TIME password parameters. It then alters the profile1 profile to modify the PASSWORD_REUSE_TIME and the PASSWORD_REUSE_MAX password parameters.
Command> CREATE PROFILE profile1 LIMIT
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LIFE_TIME 90
PASSWORD_LOCK_TIME 30
PASSWORD_GRACE_TIME 10;
Profile created.
Query the dba_profiles system view to verify the values for the password parameters. Note that the PASSWORD_REUSE_TIME and the PASSWORD_REUSE_MAX password parameters each have a value of DEFAULT (represented in bold). These password parameters were not specified in the CREATE PROFILE definition, so TimesTen assigns a value of DEFAULT to each parameter. The values for these parameters are derived from the values in the DEFAULT profile.
Command> SELECT * FROM dba_profiles WHERE profile = 'PROFILE1' AND
resource_type= 'PASSWORD';
< PROFILE1, FAILED_LOGIN_ATTEMPTS, PASSWORD, 3 >
< PROFILE1, PASSWORD_LIFE_TIME, PASSWORD, 90 >
< PROFILE1, PASSWORD_REUSE_TIME, PASSWORD, DEFAULT >
< PROFILE1, PASSWORD_REUSE_MAX, PASSWORD, DEFAULT >
< PROFILE1, PASSWORD_COMPLEXITY_CHECKER, PASSWORD, DEFAULT >
< PROFILE1, PASSWORD_LOCK_TIME, PASSWORD, 30 >
< PROFILE1, PASSWORD_GRACE_TIME, PASSWORD, 10 >
7 rows found.
Alter the profile1 profile, specifying a value of 20 for the PASSWORD_REUSE_TIME password and a value of 15 for the PASSWORD_REUSE_MAX password parameter (represented in bold). A user assigned this profile can reuse the same password after 20 days if the password has been changed 15 times.
Command> ALTER PROFILE profile1 LIMIT
PASSWORD_REUSE_TIME 20
PASSWORD_REUSE_MAX 15;
Profile altered.
Query the dba_profiles system view to verify the values for the password parameters are changed (represented in bold).
Command> SELECT * FROM dba_profiles WHERE profile = 'PROFILE1' AND
resource_type= 'PASSWORD';
< PROFILE1, FAILED_LOGIN_ATTEMPTS, PASSWORD, 3 >
< PROFILE1, PASSWORD_LIFE_TIME, PASSWORD, 90 >
< PROFILE1, PASSWORD_REUSE_TIME, PASSWORD, 20 >
< PROFILE1, PASSWORD_REUSE_MAX, PASSWORD, 15 >
< PROFILE1, PASSWORD_COMPLEXITY_CHECKER, PASSWORD, DEFAULT >
< PROFILE1, PASSWORD_LOCK_TIME, PASSWORD, 30 >
< PROFILE1, PASSWORD_GRACE_TIME, PASSWORD, 10 >
7 rows found.See also