Managing Resources with Profiles
A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user. You can assign a profile to each user, and a default profile to all others. Each user can have only one profile, and creating a new one supersedes an earlier version. You need to create and manage user profiles only if resource limits are a requirement of your database security policy. To use profiles, first categorize the related types of users in a database. Just as roles are used to manage the privileges of related users, profiles are used to manage the resource limits of related users. Determine how many profiles are needed to encompass all types of users in a database and then determine appropriate resource limits for each profile. In general, the word profile refers to a collection of attributes that apply to a user, enabling a single point of reference for any of multiple users that share those exact attributes.
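The following added example (not part of the original page) shows one profile carrying both resource limits and password parameters, its assignment to a user, and the checks that confirm it. The profile name app_user_profile, the user app_reader and all limit values are assumptions chosen for illustration.

```sql
-- Added example: APP_USER_PROFILE, APP_READER and every limit value
-- below are hypothetical; choose values from your own security policy.

-- Resource limits in a profile are enforced only while RESOURCE_LIMIT
-- is TRUE. Password parameters are enforced regardless of this setting.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE app_user_profile LIMIT
  -- resource limits
  SESSIONS_PER_USER      4
  CPU_PER_CALL           3000   -- hundredths of a second
  CONNECT_TIME           480    -- minutes
  IDLE_TIME              30     -- minutes
  -- password parameters
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1      -- days
  PASSWORD_LIFE_TIME     90     -- days
  PASSWORD_GRACE_TIME    7      -- days
  PASSWORD_REUSE_TIME    365    -- days
  PASSWORD_REUSE_MAX     10;

-- A user has exactly one profile; this replaces the previous assignment.
ALTER USER app_reader PROFILE app_user_profile;

-- Confirm what the profile enforces.
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;

-- Find accounts that still fall back to the DEFAULT profile.
SELECT username, account_status, profile
  FROM dba_users
 WHERE profile = 'DEFAULT'
 ORDER BY username;
```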
Enabling or Disabling Password Case Sensitivity
When you create or modify user accounts, by default, passwords are case sensitive. To control the use of case sensitivity in passwords, set the SEC_CASE_SENSITIVE_LOGON initialization parameter. Only users who have the ALTER SYSTEM privilege can set the SEC_CASE_SENSITIVE_LOGON parameter. Set it to TRUE to enable case sensitivity or FALSE to disable case sensitivity. For greater security, Oracle recommends that you enable case sensitivity in passwords. However, if you have compatibility issues with your applications, you can use this parameter to disable password case sensitivity. Examples of application compatibility issues are passwords for your applications being hard-coded to be case insensitive, or different application modules being inconsistent about case sensitivity when sending credentials to start a database session.
To enable case sensitivity in passwords:
1. If you are using a password file, ensure that it was created with the IGNORECASE parameter set to N.
The IGNORECASE parameter overrides the SEC_CASE_SENSITIVE_LOGON parameter. By default, IGNORECASE is set to Y, which means that passwords are treated as case-sensitive.
2. Enter the following ALTER SYSTEM statement:
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE
In previous releases of Oracle Database, passwords were not case sensitive. If you import user accounts from a previous release, for example, Release 10g, into the current database release, the case-insensitive passwords in these accounts remain case insensitive until the user changes his or her password. If the account was granted SYSDBA or SYSOPER privilege, it is imported to the password file. When a password from a user account from the previous release is changed, it then becomes case sensitive. You can find users who have case sensitive or case insensitive passwords by querying the DBA_USERS view. The PASSWORD_VERSIONS column in this view indicates the release in which the password was created.
Note: The ALTER USER statement has a REPLACE clause. With this clause, users can change their own unexpired passwords by supplying the old password to authenticate themselves. If the password has expired, then the user cannot log in to SQL to issue the ALTER USER command. Instead, the OCIPasswordChange() function must be used, which also requires the old password. A database administrator with ALTER ANY USER privilege can change any user password (force a new password) without supplying the old one.
Configuring Password Protection
How Case Sensitivity Affects Password Files
You can enable or disable case sensitivity for password files by using the ignorecase argument in the ORAPWD command-line utility. The default value for ignorecase is n (no), which enforces case sensitivity.
Example: Enabling Password Case Sensitivity
orapwd file=orapw entries=100 ignorecase=n
Enter password for SYS: password
This creates a password file called orapw. Because ignorecase is set to n (no), the password entered for the password parameter will be case sensitive. Afterwards, if you connect using this password, it succeeds, as long as you enter it using the exact case sensitivity in which it was created. If you enter the same password but with different case sensitivity, it will fail. If you set ignorecase to y, then the passwords in the password file are case insensitive, which means that you can enter the password using any capitalization that you want. If you imported user accounts from a previous release and these accounts were created with SYSDBA or SYSOPER privileges, then they will be included in the password file. The passwords for these accounts are case insensitive. The next time these users change their passwords, and assuming case sensitivity is enabled, the passwords become case sensitive. For greater security, have these users change their passwords.
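The DBA_USERS check described earlier and the follow-up on imported password-file accounts can be run together as a short audit. This is an added example, not part of the original page; it assumes PASSWORD_VERSIONS holds the values 10G and 11G, and the account name LEGACY_APP is a placeholder.

```sql
-- Added example: audit for accounts that still have case-insensitive
-- passwords. LEGACY_APP is a hypothetical account name.

-- 1. Is case-sensitive logon currently enforced for the instance?
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';

-- 2. Accounts whose password was last set under the Release 10g
--    standard only. These remain case insensitive until the password
--    is changed in the current release.
SELECT username, account_status, password_versions
  FROM dba_users
 WHERE TRIM(password_versions) = '10G'
 ORDER BY username;

-- 3. Accounts held in the password file (SYSDBA / SYSOPER grantees),
--    joined to DBA_USERS to show which of them are still 10G only.
SELECT p.username, p.sysdba, p.sysoper, u.password_versions
  FROM v$pwfile_users p
  LEFT JOIN dba_users u ON u.username = p.username
 ORDER BY p.username;

-- 4. Remediation: expire the password so the user must choose a new
--    one at next login; the new password is then case sensitive.
ALTER USER legacy_app PASSWORD EXPIRE;
```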
How Case Sensitivity Affects Accounts Created for Database Link Connections
When you create a database link connection, you need to define a user name and password for the connection. When you create the database link connection, the password is case sensitive. How this user enters his or her password for connections depends on the release in which the database link was created:
■ Before a user can connect from a pre-Release 11g database to a Release 11g database, and assuming that case sensitivity is enabled, you must re-create the password for this database link using all uppercase letters. The reason you need to re-create the password using all uppercase letters is so that it will match how Oracle Database stores database link passwords. Oracle Database always stores this type of password in uppercase letters, even if the password had originally been created using lower or mixed case letters. If case sensitivity is disabled, the user can enter the password using the case the password was created in.
■ If the user is connecting from a Release 11g database to another Release 11g database, he or she must enter the password using the case in which it was created, assuming that case sensitivity is enabled.
■ If the user is connecting from a Release 11g database to a pre-Release 11g database, he or she can enter his or her password using any case, because the password is still case insensitive.
In other words, any time a user connects to a Release 11g database from a database link, he or she must enter the password in its exact case. You can find the user accounts for existing database links by querying the V$DBLINK view.
Configuring Privilege and Role Authorization
A user privilege is the right to run a particular type of SQL statement, or the right to access an object that belongs to another user, run a PL/SQL package, and so on. The types of privileges are defined by Oracle Database. Roles are created by users (usually administrators) to group together privileges or other roles. They are a way to facilitate the granting of multiple privileges or roles to users.
■ System privileges. These privileges allow the grantee to perform standard administrator tasks in the database. Restrict them only to trusted users.
■ User roles. A role groups several privileges and roles, so that they can be granted to and revoked from users simultaneously. You must enable the role for a user before the user can use it.
■ Object privileges. Each type of object has privileges associated with it.