Create and Manage Users on Autonomous AI Database

There are several options to create users on Autonomous AI Database. You can use the Oracle Database Actions Database Users card or use client-side tools that connect to the database to create database users.

Create Users on Autonomous AI Database with Database Actions

You can quickly create Autonomous AI Database users with Database Actions.

First, access Database Actions as the ADMIN user. See Access Database Actions as ADMIN for more information.

  1. Click the top left navigation icon next to Oracle Database Actions.

    This shows the Database Actions menu, including Development, Data Studio, Administration, Downloads, Monitoring, and Related Services.

  2. Under Administration click Database Users.
  3. On the Database Users page, in the All Users area click + Create User.
  4. To create a new user, enter a user name, a password, and enter the password again to confirm the password. Also select any options you want to enable for the user: Graph, OML, or Web Access.
  5. Set a value for the Quota on tablespace DATA for the user.
  6. If you want to grant roles for the new user, click the Granted Roles tab and select the roles for the user. For example, select DWROLE and CONNECT.
  7. Click Create User.

    Database Actions shows the User Created confirmation message.

See Manage User Roles and Privileges on Autonomous AI Database for more information on granting roles and adding or updating privileges for a user.

See The Database Users Page for detailed information on Database Actions Database Users.

If you provide Web Access for the new user, then you need to send a URL to the new user. See Provide Database Actions Access to Database Users for more information.

The administrator needs to provide the credentials wallet to the new user for client-side access. See Connect to Autonomous AI Database for more information on client-side access credentials.

Note:

Autonomous AI Database requires strong passwords; the password you specify must meet the default password complexity rules. See About User Passwords on Autonomous AI Database for more information.

See Create Oracle APEX Workspaces in Autonomous AI Database for information on creating APEX workspaces.

See Create and Update User Accounts for Oracle Machine Learning Components on Autonomous AI Database to add user accounts for Oracle Machine Learning Notebooks.

Create Users on Autonomous AI Database - Connecting with a Client Tool

You can create users by connecting to the database as the ADMIN user using any SQL client tool.

For example, connect using Oracle SQL Developer (see Connect to Autonomous AI Database).

  1. Connect as the ADMIN user.
  2. Run the following SQL statements:
    CREATE USER new_user IDENTIFIED BY password;
    GRANT CREATE SESSION TO new_user;

    Note:

    IDENTIFIED with the EXTERNALLY clause is not supported with Autonomous AI Database.

    In addition, IDENTIFIED with the BY VALUES clause is not allowed.

This creates new_user with connect privileges. This user can now connect to the database and run queries. To grant additional privileges to users, see Manage User Roles and Privileges on Autonomous AI Database.

The administrator needs to provide the credentials wallet to the user new_user. See Connect to Autonomous AI Database for more information on client credentials.

Note:

Autonomous AI Database requires strong passwords; the password you specify must meet the default password complexity rules. See About User Passwords on Autonomous AI Database for more information.

See Provide Database Actions Access to Database Users to add users for Database Actions.

See Create Oracle APEX Workspaces in Autonomous AI Database for information on creating APEX workspaces.

See Create and Update User Accounts for Oracle Machine Learning Components on Autonomous AI Database to add user accounts for Oracle Machine Learning components.

Create Users with Secret-Based Password Authentication

You can store user passwords securely in an external vault and reference them from the database, instead of managing passwords directly in the database.

When a user authenticates with secret-based credentials, the database retrieves the password from the vault during login, generates authentication verifiers, and completes the authentication process. The user password is never stored in the database.

Secret-based user authentication allows you to:
  • Store database user passwords securely in external vault services
  • Support password rotation
  • Maintain password security
    • Avoid storing the database user passwords as plain text in application scripts
  • Enable multi-cloud database deployments with secure credential management

The Autonomous AI Database supports the following vault providers for vault secret credentials:

  • Oracle Cloud Infrastructure Vault
  • Azure Key Vault
  • AWS Secrets Manager
  • GCP Secret Manager

You can create database users on Autonomous AI Database that authenticate using a password stored securely in a secret in the supported cloud vault.

The following section outlines provisioning a vault secret, defining a credential, and creating a database user that pulls authentication details securely from the vault:

Prerequisites:
  • Before creating users with vault secret credentials, you must create a secret in the vault containing the desired password based on the vault providers you select. Make note of the secret identifier and location details such as region, vault name, or project ID, based on the provider you select.

  • You must also ensure that you configure the required cloud side permission so the Autonomous AI Database can read the secret. For example, if you choose the OCI vault, the Autonomous AI Database must be allowed to read the secret by using a dynamic group and IAM policy that grants access to secret bundles in the compartment that contains the secret.

    See Use Vault Secret Credentials for details on creating a secret in the supported vault providers along with the required permissions based on the vault provider you select.

Note:

Autonomous AI Database requires strong passwords; the password you specify must meet the default password complexity rules. See About User Passwords on Autonomous AI Database for more information.

  1. Create the vault secret credential:
    After creating the secret, create a vault secret credential object that stores the metadata required to access the secret:
    BEGIN
      DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'vault_credential_name',
        params          => JSON_OBJECT(
          'username'  VALUE 'database_username',
          'secret_id' VALUE 'vault_secret_identifier',
          'region'    VALUE 'vault_region'
        )
      );
    END;
    /
    • credential_name: Specifies the name you assign to the credential object inside the database. This is the parameter you reference when creating the user.
    • username: Specifies the database user name associated with the password stored in the external secret.
    • secret_id: Specifies the unique identifier of the secret in the external vault. For Oracle Cloud Infrastructure Vault, this is the vault secret OCID. This parameter value varies with different vault providers.
    • region: Specifies the region that contains the vault secret.

    Depending on the vault provider, you may need to provide equivalent provider specific fields such as region, azure_vault_name, or gcp_project_id. See Use Vault Secret Credentials for more details.

  2. Create the database user:
    After the vault secret credential is created, create the database user and reference the credential:
    CREATE USER database_username IDENTIFIED BY CREDENTIAL
    "credential_schema"."vault_credential_name";
    GRANT CREATE SESSION TO database_username;
    • database_username: Specifies the name of the new database user you create.
    • IDENTIFIED BY CREDENTIAL: Specifies that the user will authenticate using secret-based authentication, pulling the password from vault instead of storing it locally.
    • credential_schema: Specifies the schema that owns the credential object.
    • vault_credential_name: Specifies the credential name pointing to the vault secret that you created in the previous DBMS_CLOUD.CREATE_CREDENTIAL procedure.

    After you create the user, the Autonomous AI Database uses the referenced vault secret during authentication so that the user signs in with the password stored in the external secret manager.

When you create a user with secret-based authentication, the following data dictionary columns of DBA_USERS and USER_USERS dictionary views display the associated credential information:
  • LOGON_CREDENTIAL_OWNER - Schema that owns the credential object
  • LOGON_CREDENTIAL_NAME - Name of the vault credential object

    The data dictionary columns refer to the columns in the built‑in data‑dictionary views that describe your tables, columns, constraints, and other objects.

Update Users on Autonomous AI Database - Connecting with a Client Tool

You can update users by connecting to the database as the ADMIN user using any SQL client tool.

For example, connect using Oracle SQL Developer (see Connect to Autonomous AI Database).

  1. Connect as the ADMIN user.
  2. Run the following SQL statement:
    ALTER USER username IDENTIFIED BY new_password;

    Note:

    Autonomous AI Database requires strong passwords; the password you specify must meet the default password complexity rules. See About User Passwords on Autonomous AI Database for more information.

This updates the password of username to new_password.

Update User Password with Secret-Based Password Authentication

This section covers updating an existing user's password by referencing a vault secret credential.

You can configure a user to authenticate using a password that is stored securely in an external vault instead of being defined directly in the database. This is secret-based authentication. When you use this option, the database retrieves the password from the vault at runtime through a credential object, rather than storing or exposing the password in SQL statements or metadata.

Using secret-based authentication improves security by eliminating plain text passwords from database operations, reducing the risk of accidental exposure in scripts, logs, or audit trails. It also simplifies password rotation and centralized credential management, since updates can be handled in the vault without requiring changes to database user definitions.

The ALTER USER statement enables you to update an existing user to use a vault based credential without dropping and recreating the account. This preserves existing privileges and roles.

For example, connect using Oracle SQL Developer (see Connect to Autonomous AI Database).
  1. Connect as the ADMIN user.
  2. You must ensure the vault secret credential is created and configured in your Autonomous AI Database. See Use Vault Secret Credentials for more information.
    Run the following SQL statement to update a user to use a vault credential:
    ALTER USER database_username IDENTIFIED BY CREDENTIAL
    "credential_schema"."credential_name";
    • database_username: Specifies the existing database user whose password you want to update.
    • IDENTIFIED BY CREDENTIAL: Specifies secret-based authentication, pulling the password from vault instead of storing it locally.
    • credential_schema: Specifies the schema containing the credential object.
    • credential_name: Specifies the specific credential name pointing to the vault secret.

    Note:

    Autonomous AI Database requires strong passwords; the password you specify must meet the default password complexity rules. See About User Passwords on Autonomous AI Database for more information.

    When you create a user with secret-based authentication, the following data dictionary columns of DBA_USERS and USER_USERS dictionary views display the associated credential information:
    • LOGON_CREDENTIAL_OWNER - Schema that owns the credential object
    • LOGON_CREDENTIAL_NAME - Name of the vault credential object

      The data dictionary columns refer to the columns in the built‑in data‑dictionary views that describe your tables, columns, constraints, and other objects. See Data Dictionary for more information.

Password Rotation

You can rotate the password in either of two ways when using secret-based authentication:
  1. Create a new secret version under the same secret: You can create multiple versions of the same secret in your vault. When you rotate the secret by creating a new version and run the following statement, the latest version of the secret will be used to authenticate the user. If global password rollover is configured, the previous password will remain valid for the time specified by the PASSWORD_ROLLOVER_TIME limit.
    ALTER USER database_username IDENTIFIED BY CREDENTIAL
    "credential_schema"."vault_credential_name";
  2. Create a new secret:

    You can create a new vault secret and a new credential object for your new password.

    If global password rollover is configured, the previous password will remain valid for the time specified by the PASSWORD_ROLLOVER_TIME limit. See Gradual Database Password Rollover for Applications for more details.

    To rotate your user password, run the following statement that uses the new credential object pointing to the new secret:
    ALTER USER database_username IDENTIFIED BY CREDENTIAL
    "credential_schema"."new_vault_credential_name";

Note:

Rotating or creating a new version of a secret in the vault does not automatically rotate your database user password. You need to follow either approach described above to rotate your database user password.

You can create or modify a user with secret-based credentials, if you have the EXECUTE privilege on the vault credential object.

Note:

If you do not have the required privilege, the CREATE USER or ALTER USER statement fails.

Run the following SQL statement to grant the EXECUTE privilege:
GRANT EXECUTE ON vault_credential_name TO user_or_role;

The above statement grants the specified user or role permission to use a Vault credential object named vault_credential_name.
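To review which accounts authenticate through a vault secret, and who holds EXECUTE on the credential objects behind them, the following queries can be run as ADMIN. They are an added example, not part of the Oracle documentation; they assume the standard DBA_USERS columns ACCOUNT_STATUS, AUTHENTICATION_TYPE, PROFILE and ORACLE_MAINTAINED, and that object grants on credentials are listed in DBA_TAB_PRIVS.

```sql
-- Added example (not from the Oracle documentation).
-- LOGON_CREDENTIAL_OWNER / LOGON_CREDENTIAL_NAME are the columns named on this
-- page; the other DBA_USERS columns are assumed to be the standard ones.

-- 1. Every account that is not Oracle-maintained, and whether its password
--    comes from a vault secret credential.
SELECT u.username,
       u.account_status,
       u.authentication_type,
       u.profile,
       CASE
         WHEN u.logon_credential_name IS NOT NULL THEN 'VAULT SECRET'
         ELSE 'NO VAULT CREDENTIAL'
       END AS password_source,
       u.logon_credential_owner,
       u.logon_credential_name
FROM   dba_users u
WHERE  u.oracle_maintained = 'N'
ORDER  BY password_source, u.username;

-- 2. For each credential that backs a login, who holds EXECUTE on it.
--    EXECUTE on the credential is the privilege needed to reference it in
--    CREATE USER / ALTER USER ... IDENTIFIED BY CREDENTIAL, so this list
--    should contain only the accounts or roles that manage users.
--    Assumption: grants on credential objects appear in DBA_TAB_PRIVS.
--    A row with a NULL grantee means no explicit grant was found.
SELECT u.logon_credential_owner AS credential_owner,
       u.logon_credential_name  AS credential_name,
       u.username               AS login_user,
       p.grantee,
       p.grantable
FROM   dba_users u
LEFT   JOIN dba_tab_privs p
       ON  p.owner      = u.logon_credential_owner
       AND p.table_name = u.logon_credential_name
       AND p.privilege  = 'EXECUTE'
WHERE  u.logon_credential_name IS NOT NULL
ORDER  BY credential_owner, credential_name, p.grantee;
```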

Unlock User Accounts on Autonomous AI Database

If a user account is locked, as the ADMIN user you can unlock the account.

To unlock an account, connect to your database as the ADMIN user and run the following command:

ALTER USER username IDENTIFIED BY password ACCOUNT UNLOCK;

See SQL Language Reference for information on the ALTER USER command.

About User Passwords on Autonomous AI Database

Autonomous AI Database requires strong passwords; the password you specify for a user must meet the minimum default password complexity rules.

Autonomous AI Database sets minimum standards for passwords, and the default profile sets parameters to limit the number of failed login attempts.

  • The password must be between 12 and 30 characters long and must include at least one uppercase letter, one lowercase letter, and one numeric character.

    Note, the password limit is shown as 60 characters in some help tooltip popups. Limit passwords to a maximum of 30 characters.

  • The password cannot contain the username.

  • The password cannot be one of the last four passwords used for the same username.

  • The password cannot contain double quotation marks (") or single quotation marks (').

  • The password must not be the same as a password that was set less than 24 hours ago.

To change the password complexity rules and password parameter values you can alter the default profile or create a new profile and assign it to users. See Manage User Profiles with Autonomous AI Database for more information.

The following are the Autonomous AI Database default profile password parameter values:

| Password Parameter | Description | Value |
|---|---|---|
| FAILED_LOGIN_ATTEMPTS | The maximum times a user can try to log in and fail before locking the account. This limit applies for regular database user accounts. | 10 |
| PASSWORD_GRACE_TIME | The number of days after the grace period begins during which a warning is issued and login is allowed. | 30 |
| PASSWORD_LIFE_TIME | The number of days the same password can be used for authentication. | 360 |
| PASSWORD_LOCK_TIME | The number of days an account will be locked after the specified number of consecutive failed login attempts. | 1 |
| PASSWORD_REUSE_MAX | The number of password changes required before the current password can be reused. | 4 |
| PASSWORD_REUSE_TIME | The number of days before which a password cannot be reused. | 1 |
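To see whether any profile in the database differs from the documented default values listed above, the following query can be run as ADMIN. It is an added example, not part of the Oracle documentation; it assumes the standard DBA_PROFILES view (PROFILE, RESOURCE_NAME, RESOURCE_TYPE, LIMIT) and that limits are stored as the plain numbers shown in the table.

```sql
-- Added example (not from the Oracle documentation).
-- Lists password parameters whose effective value differs from the default
-- profile values documented on this page, with the number of accounts affected.
WITH documented (resource_name, documented_value) AS (
  SELECT 'FAILED_LOGIN_ATTEMPTS', '10'  FROM dual UNION ALL
  SELECT 'PASSWORD_GRACE_TIME',   '30'  FROM dual UNION ALL
  SELECT 'PASSWORD_LIFE_TIME',    '360' FROM dual UNION ALL
  SELECT 'PASSWORD_LOCK_TIME',    '1'   FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_MAX',    '4'   FROM dual UNION ALL
  SELECT 'PASSWORD_REUSE_TIME',   '1'   FROM dual
),
effective AS (
  -- In a custom profile, a limit of DEFAULT inherits the value set in the
  -- DEFAULT profile, so resolve it before comparing.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
)
SELECT e.profile,
       e.resource_name,
       e.effective_limit,
       doc.documented_value,
       (SELECT COUNT(*)
        FROM   dba_users u
        WHERE  u.profile = e.profile
        AND    u.oracle_maintained = 'N') AS users_assigned
FROM   effective e
JOIN   documented doc
       ON doc.resource_name = e.resource_name
WHERE  e.effective_limit <> doc.documented_value   -- UNLIMITED also shows up here
ORDER  BY e.profile, e.resource_name;
```

No rows returned means every profile still resolves to the documented values; a row for a profile with users_assigned greater than zero identifies accounts governed by a changed password policy.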

See Manage User Profiles with Autonomous AI Database for information on using CREATE USER or ALTER USER with a profile clause.

See SQL Language Reference for information on the ALTER USER command.

Manage the Administrator Account on Autonomous AI Database

The administrator user for Autonomous AI Database is ADMIN, and this administrator account has several system privileges granted to be able to manage users and other areas of the database.

You can change the administrator user (ADMIN) password and when locked, unlock the administrator user account on Autonomous AI Database. When you use the APIs to create an Autonomous AI Database or to reset the ADMIN password, you can optionally use an Oracle Cloud Infrastructure Vault secret to store the password.

See CreateAutonomousDatabase for more information.

See ADMIN User Roles and Privileges for more information on the ADMIN user.

Set the ADMIN Password in Autonomous AI Database

Provides the steps to set the ADMIN password.

From the Oracle Cloud Infrastructure Console, change the password for the ADMIN user by following these steps:

  1. On the Details page, from the More actions drop-down list, select Administrator password.
  2. On the Administrator password panel enter the new password and confirm.
  3. Click Change.

Note:

You can also use Database Actions to change the password for the ADMIN user. See Manage Users and User Roles on Autonomous AI Database - Connecting with Database Actions for more information.

The password for the default administrator account, ADMIN, has the same password complexity rules mentioned in the section About User Passwords on Autonomous AI Database.

Unlock the ADMIN Account in Autonomous AI Database

Shows the steps to unlock the ADMIN user account.

Perform the following prerequisite steps as necessary:

  • Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Cloud.

  • From the Oracle Cloud Infrastructure left navigation menu click Oracle Database and then click Autonomous AI Database.
  • On the Autonomous AI Databases page select an Autonomous AI Database from the links under the Display name column.

Use the following steps to unlock the ADMIN account by updating the ADMIN password:

  1. On the Details page, from the More actions drop-down list, select Administrator password.
  2. On the Administrator password panel enter the new password and confirm.
  3. Click Change.

This operation unlocks the ADMIN account if it was locked.

The password for the default administrator account, ADMIN, has the same password complexity rules mentioned in the section About User Passwords on Autonomous AI Database.

Use Oracle Cloud Infrastructure Vault Secret for ADMIN Password

When you create or clone an Autonomous AI Database instance or when you reset the ADMIN password, you can use an Oracle Cloud Infrastructure vault secret to specify the ADMIN password.

Autonomous AI Database allows you to use the APIs to provide a protected vault secret as the ADMIN password, with secure access to the vault secret granted through Oracle Cloud Infrastructure IAM policies.

Note:

Using an Oracle Cloud Infrastructure vault secret for the ADMIN password is only supported with the APIs.

Oracle Cloud Infrastructure Vault secrets are credentials that you use with Oracle Cloud Infrastructure services. Storing secrets in a vault provides greater security than you might achieve storing them elsewhere, such as in code or in configuration files. By calling database APIs you can use secrets from the Vault Service to set the ADMIN password. The vault secret password option is available when you create or clone an Autonomous AI Database instance, or when you set or reset the ADMIN password.

You create secrets using the Oracle Cloud Infrastructure Console, CLI, or API.

Notes for using a vault secret to set or reset the ADMIN password:

  • In order for Autonomous AI Database to reach the secret in a vault, the following conditions must apply:
    • The secret must be in current or previous state.

    • If you specify a secret version in the API call, the specified secret version is used. If you do not specify a secret version, the call uses the latest secret version.

    • You must have the proper user group policy that allows READ access to the specific secret in a given compartment. For example:

      Allow userGroup1 to read secret-bundles in compartment training
  • The password stored in the secret must conform to Autonomous AI Database password requirements.

See the following for more information: