User Profiles

With User Profiles, you gain a comprehensive understanding of the password-related attributes associated with your Oracle Database user profiles. User Profiles enables you to identify and address any weak login and password governance policies, helping to strengthen the system's overall security.

About User Profiles

As part of User Assessment, User Profiles allows you to view the password-related attributes associated with your database users through their user profiles. After identifying potential misconfigurations or discrepancies between user profiles in different databases, you can implement best practices such as enforcing strong, complex passwords and limiting the number of failed login attempts to strengthen the system's overall security.

A user profile is a collection of password-related attributes determining the rules and restrictions for logging in and managing passwords within a database. The database can contain multiple user profiles, each associated with zero to many users. Each user in an Oracle database is assigned to a single user profile at any given time. If a user is not explicitly assigned to a profile, they will be automatically assigned to the DEFAULT profile.

As a best practice, and to ensure proper security and governance of your users' logins and passwords, customize the DEFAULT profile to fit your specific policies and requirements. This way, all users who aren't created with a defined user profile are still governed by your organization's standards. Additionally, create specific user profiles tailored to particular users or application needs. For instance, allow more failed login attempts, such as five, for interactive user accounts, because users may make mistakes entering their passwords. It's also advisable to automatically unlock locked accounts after some inactivity. This blocks automated brute-force attacks from succeeding while still letting interactive users retry their password after some time. For service accounts, however, limit the number of failed login attempts to a lower value, like two, as these accounts are less likely to fail due to incorrect passwords.

Regardless of the user profile, setting a password verification function is essential to ensure all passwords meet complexity standards. By taking these steps, you can enhance the security of your system and protect your users' sensitive information.
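The following statements sketch the policy described above. They are an added example, not taken from Oracle's documentation: the profile names, user names, and one-hour lock time are assumptions, and `ora12c_verify_function` stands in for whichever password verification function your organization uses.

```sql
-- Added example. Assumed: profile names, user names, and the lock times.
-- Only the failed-login counts (5 and 2) come from the text above.
-- Assumes the statements run in a non-CDB or inside a PDB, and that the
-- Oracle-supplied ora12c_verify_function is installed in the database.

-- Baseline for every account created without an explicit profile.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24    -- in days: unlock automatically after 1 hour
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Interactive users: tolerate typing mistakes, unlock after a short wait.
-- Parameters not listed here inherit the DEFAULT profile's limits.
CREATE PROFILE interactive_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Service accounts: credentials are stored, so repeated failures are unusual.
CREATE PROFILE service_accounts LIMIT
  FAILED_LOGIN_ATTEMPTS    2
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- Assign existing accounts (hypothetical names) to the tailored profiles.
ALTER USER app_analyst PROFILE interactive_users;
ALTER USER batch_svc   PROFILE service_accounts;
```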

Note:

While a user profile comprises password and resource-related attributes, Data Safe focuses solely on password-related attributes.

Password parameters include:
  • FAILED_LOGIN_ATTEMPTS: Maximum number of failed login attempts allowed before the user account is locked
  • PASSWORD_LIFE_TIME: Number of days the password is valid before it expires
  • PASSWORD_REUSE_TIME: Number of days after which the user can use the already-used password
  • PASSWORD_REUSE_MAX: Number of times the user can use the already-used password
  • PASSWORD_LOCK_TIME: Number of days the user account remains locked after failed logins
  • PASSWORD_GRACE_TIME: Number of grace days for the user to change the password
  • PASSWORD_VERIFY_FUNCTION: PL/SQL function that can be used for password verification
  • SEC_CASE_SENSITIVE_LOGON: Controls case sensitivity in passwords
  • PASSWORD_ROLLOVER_TIME: Number of days the password rollover is allowed. The value can range from a minimum of 1/24 day (1 hour) to 60 days.

Oracle Data Safe uses the user profiles that are already defined on the target database. User Profiles in Data Safe does not allow you to create or edit user profiles; they can only be viewed or analyzed. Possible analysis includes:
  • How many users are assigned to the DEFAULT profile, other Oracle-provided profiles, or your custom profiles in your databases or fleet.
  • How many databases have a specific named user profile so you can identify loosely defined profiles and discrepancies, harden them, and work towards consistency across all your databases to reduce risk.
  • For each target database, what are all the password-related attributes for each profile, including the password verification function code.
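To cross-check one target database directly, the query below reproduces part of this analysis from the data dictionary. It is an added example, not Data Safe's own implementation, and it assumes read access to the `DBA_PROFILES` and `DBA_USERS` views.

```sql
-- Added example: list profiles on this database that have no password
-- verification function or allow unlimited failed logins, with user counts.
WITH eff AS (
  -- Resolve limits set to 'DEFAULT' to the DEFAULT profile's actual value.
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS eff_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
users_per_profile AS (
  SELECT profile, COUNT(*) AS user_count
  FROM   dba_users
  GROUP  BY profile
)
SELECT e.profile,
       NVL(u.user_count, 0) AS user_count,
       MAX(DECODE(e.resource_name, 'FAILED_LOGIN_ATTEMPTS',    e.eff_limit)) AS failed_login_attempts,
       MAX(DECODE(e.resource_name, 'PASSWORD_LOCK_TIME',       e.eff_limit)) AS password_lock_time,
       MAX(DECODE(e.resource_name, 'PASSWORD_VERIFY_FUNCTION', e.eff_limit)) AS verify_function
FROM   eff e
LEFT   JOIN users_per_profile u ON u.profile = e.profile
GROUP  BY e.profile, u.user_count
HAVING -- the dictionary reports an unset verification function as the string 'NULL'
       NVL(MAX(DECODE(e.resource_name, 'PASSWORD_VERIFY_FUNCTION', e.eff_limit)), 'NULL') = 'NULL'
    OR MAX(DECODE(e.resource_name, 'FAILED_LOGIN_ATTEMPTS', e.eff_limit)) = 'UNLIMITED'
ORDER  BY user_count DESC;
```

Profiles returned with a high user count are the ones to harden first.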

To create or edit user profiles in your target database see the information in the Oracle Database SQL Language Reference guide.

View User Profiles

User Profiles shows two charts displaying the distribution of users by profile and users with password complexity.

The User Profile Summary tab shows a table of profiles, how many databases have each profile, and how many total users are in each profile across all databases. The profiles are aggregated by name, even though profiles of the same name might have different parameters in different target databases. To view the parameters of the user profile in each target database, see View User Profile Details.

The Target Summary tab shows a table of all profiles in target databases and specific password parameters for each one, including the number of allowed failed logins, the password verification function that checks for password complexity (if any), how many sessions a user can have open, whether the profile is user-created, and the number of users on that profile. To view the user details and password parameters of a user profile, see View User Profile Details by Target.

  1. Under Security Center, click User Assessment.
  2. Under Related Resources, click User Profiles.

    The User Profiles page is displayed.

  3. (Optional) Narrow the scope of the User Profile and Target Summary tabs by using List Scope.
    1. Select a compartment you have access to from the Compartment list.
    2. Select or deselect Include child compartments.
  4. (Optional) Narrow the scope of the Target Summary tab by using Filters.
    1. Select a target database from the Target Database list.
    2. Select a profile name from the Profile Name list.
    3. Select a set of password requirements from the Password Requirements list.

View User Profile Details

The User Profile Details show the total number of target databases and users that have the selected user profile.

In addition, the table lists the target databases that have the selected user profile, the number of users in that profile per target database, the parameters that control the number of allowed failed login attempts, the password verification function that enforces password requirements, the permitted inactivity period, the account lockout period, and sessions per user.

  1. Under Security Center, click User Assessment.
  2. Under Related Resources, click User Profiles.
  3. Select one of the user profiles from the list in the User Profile Summary tab.

    The details of the selected user profiles are displayed.

  4. (Optional) Add a filter using Add Filter.
    1. Select a type from the drop-down list.
    2. Select an operation from the drop-down list.
    3. Type in a value.
    4. Click Apply.
    5. Repeat the above steps to apply more filters.
  5. (Optional) Click Manage Columns to select and deselect columns to be displayed. Click Save Changes.

View User Profile Details by Target

The User Profile Details by Target shows the profile details in that specific target database. It lists the user assessment OCID, the compartment, the specifics of the password parameters, and how many users in the target database have been assigned the selected profile.

The password requirements field lists the password verification function that is used to enforce password complexity checks. By clicking View Details, a user can see the details of the function (PL/SQL) code.

In addition, the table lists the details of the users in the specified profile. This includes the user name, the user type, the potential risk level, their status, their last login, and a link to a filtered report of all operations performed by the selected user.

Accessing User Profile Details by Target from the Target Summary Tab

  1. Under Security Center, click User Assessment.
  2. Under Related Resources, click User Profiles.
  3. Select one of the user profiles from the list in the Target Summary tab.

    The details of the selected user profile are displayed.

  4. (Optional) Add a filter using Add Filter.
    1. Select a type from the drop-down list.
    2. Select an operation from the drop-down list.
    3. Type in a value.
    4. Click Apply.
    5. Repeat the above steps to apply more filters.
  5. (Optional) Click Manage Columns to select and deselect columns to be displayed. Click Save Changes.

Accessing User Profile Details by Target from the User Profile Summary Tab

  1. Under Security Center, click User Assessment.
  2. Under Related Resources, click User Profiles.
  3. Select one of the user profiles from the list in the User Profile Summary tab.

    The details of the selected user profile are displayed for all targets where this profile is available.

  4. Select one of the targets where the profile is available from the list in the User Profiles table.

    The details of the selected user profile are displayed.

  5. (Optional) Add a filter using Add Filter.
    1. Select a type from the drop-down list.
    2. Select an operation from the drop-down list.
    3. Type in a value.
    4. Click Apply.
    5. Repeat the above steps to apply more filters.
  6. (Optional) Click Manage Columns to select and deselect columns to be displayed. Click Save Changes.