Use the ALTER LOCKDOWN PROFILE statement to alter a PDB lockdown profile. You can use PDB lockdown profiles in a multitenant environment to restrict user operations in pluggable databases (PDBs).

Pluggable databases bring a new separation of database administrator roles. The DBA administers the container database, the CDB, but can then delegate the administration of individual pluggable databases.
Let-s take an example of a CDB that is a dedicated development environment. The fast and thin provisioning features (snapshot clones) make it possible to give a PDB to each developer. Because it is their database, the CDB administrator can grant them the DBA role for the PDB, so that they can do whatever they wish there, as long as their privileges are limited to this pluggable database.

Now we are going to create LockDown Profile and test this feature.

Create a lockdown profile:

SQL> conn / as SYSDBA

SQL> create lockdown profile skant;

Lockdown Profile created.

SQL> ALTER LOCKDOWN PROFILE skant DISABLE STATEMENT = ('ALTER SYSTEM');

Lockdown Profile altered.

Connect in PDB database and check the default pdb_lockdown setting:

SQL> ALTER SESSION SET CONTAINER = pdb1;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown                         string      DEFAULT_PDB_LOCKDOWN
SQL> alter system checkpoint;

System altered.

We can now apply the lockdown profile to the pluggable database PDB1, simply by setting the pdb_lockdown parameter for that container:

SQL> ALTER SESSION SET CONTAINER = pdb1;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown                         string      DEFAULT_PDB_LOCKDOWN

SQL> ALTER SYSTEM SET PDB_LOCKDOWN = skant;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown                         string      SKANT

Now from this PDB, fire ALTER SYSTEM statement.

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

It is throwing an error as expected because ALTER SYSTEM is disabled due to the PDB_LOCKDOWN setting.

oracle 12.2.PDB ORACLE 12CORACLE SECURITY


Related Topics

how to use DBMS_PRIVILEGE_CAPTURE to capture privs in oracle 12c
Lock account automatically with INACTIVE_ACCOUNT_TIME
how to send mail using utl_mail in oracle 11g
Unified audit trail in Oracle 12c
PDB Lockdown Profiles in Oracle 12.2
Purge AUD$ table using DBMS_AUDIT_MGMT
orapwd tool for password file in oracle
Open wallet automatically after starting the database
How to move AUD$ table to another tablespace using DBMS_AUDIT_MGMT
ENABLE_DDL_LOGGING in oracle 12c

You May Also Like

How to recreate MGMT database in ORACLE 12C GRID
Open wallet automatically after starting the database
Useful DGMGRL commands in oracle dataguard
Shell script to delete old archives using RMAN
How to monitor parallel queries in oracle db
ESTIMATE REQUIRED DISK SPACE FOR EXPORT USING estimate_only
Flashback primary database in dataguard environment
Tablespace monitoring shell script
ORA-32774: more than one file was specified for bigfile tablespace
How to recreate physical standby controlfile

From This Website

Shell script to monitor asm diskgroup usage
How to enable flash recovery area in oracle database
Shell script for monitoring blocking sessions
ERROR: No checkpoint table specified for ADD REPLICAT
How to find cpu and memory information of oracle database server
How to flashback a RAC database
ORA-32771: cannot add file to bigfile tablespace
Steps for changing public hostname for a standalone grid infrastructure
Generate custom report from OEM cloud control
Rollback database patch in oracle 12c