1 Description
1.1 Lockdown Profiles on PDB
A PDB lockdown profile is a named set of operations that can be restricted in a PDB. The profile is applied to the PDB itself, so its restrictions take effect for every user of that PDB, local and common users alike.
For example, you can prohibit the ALTER SYSTEM statement outright, or only particular clauses of it, which hardens the database to some extent.
Operations can be restricted in the following four areas:
- Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to share network identity.
- Common user or object access. These are operations in which a local user in the PDB can proxy through common user accounts or access objects in a common schema. These kinds of operations include adding or replacing objects in a common schema, granting privileges to common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating a user proxy to a common user.
- Operating System access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.
- Connections. For example, you can restrict common users from connecting to the PDB or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.
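The following script is an added example, not part of the original post, showing one lockdown profile that covers all four areas above using the feature bundles Oracle 12.2 documents for them (NETWORK_ACCESS, COMMON_SCHEMA_ACCESS, OS_ACCESS, COMMON_USER_CONNECT) together with a statement rule. The profile name cndba_hardened and the parameter chosen for the whitelist are assumptions; run it as a common user such as SYS in the CDB root.

```sql
-- Added example (not from the original post). Profile name is made up.
CREATE LOCKDOWN PROFILE cndba_hardened;

-- 1. Network access: the NETWORK_ACCESS bundle covers packages such as
--    UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_INADDR and DBMS_DEBUG_JDWP.
ALTER LOCKDOWN PROFILE cndba_hardened DISABLE FEATURE = ('NETWORK_ACCESS');

-- 2. Common user / common object access from local users in the PDB.
ALTER LOCKDOWN PROFILE cndba_hardened DISABLE FEATURE = ('COMMON_SCHEMA_ACCESS');

-- 3. Operating system access: UTL_FILE, DBMS_FILE_TRANSFER and similar.
ALTER LOCKDOWN PROFILE cndba_hardened DISABLE FEATURE = ('OS_ACCESS');

-- 4. Connections: common users may no longer connect to the PDB.
ALTER LOCKDOWN PROFILE cndba_hardened DISABLE FEATURE = ('COMMON_USER_CONNECT');

-- Statement rules: disable ALTER SYSTEM as a whole, then re-enable only
-- SET for a single parameter. The more specific rule takes precedence,
-- so everything except ALTER SYSTEM SET OPEN_CURSORS is blocked.
ALTER LOCKDOWN PROFILE cndba_hardened DISABLE STATEMENT = ('ALTER SYSTEM');
ALTER LOCKDOWN PROFILE cndba_hardened
  ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') OPTION = ('OPEN_CURSORS');

-- Review the rules recorded for the profile before assigning it to any PDB.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'CNDBA_HARDENED'
 ORDER BY rule_type, rule, clause, clause_option;
```

Because the profile applies to every user of the PDB, including common users who switch into it, review the DBA_LOCKDOWN_PROFILES output before setting PDB_LOCKDOWN so that the administrative path you rely on (here ALTER SYSTEM SET) is still permitted.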
2 Experiment
2.1 Creating PDB Lockdown Profile
- Log on to the CDB root and create the lockdown profile:
SQL> create lockdown profile cndba_prof;
Lockdown Profile created.
- Modify the lockdown profile so that flushing the shared pool is disabled:
SQL> ALTER LOCKDOWN PROFILE cndba_prof DISABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');
Lockdown Profile altered.
Note: if a lockdown profile is already in use, any modification to it takes effect immediately.
2.2 Enabling PDB Lockdown Profile
- Enabling the lockdown profile at CDB level (in the CDB root) applies it to all PDBs in the CDB:
SQL> alter system set pdb_lockdown=cndba_prof;
System altered.
- Enabling the lockdown profile at PDB level (while connected to the PDB) applies it to that PDB only:
SQL> alter system set pdb_lockdown=cndba_prof;
2.3 Log on to the PDB and test the profile
Connect to the PDB and attempt the operation restricted by the lockdown profile, flushing the shared pool:
SQL> alter system flush shared_pool;
alter system flush shared_pool
*
ERROR at line 1:
ORA-01031: insufficient privileges
The error shows that this operation is no longer permitted, while other operations continue to work normally, for example:
SQL> alter system set sessions=400;
System altered.
2.4 Disabling a PDB Lockdown Profile
As with enabling, this can be done at CDB level or at PDB level; set the parameter to an empty string:
SQL> alter system set pdb_lockdown='';
2.5 Deleting a PDB Lockdown Profile
SQL> DROP LOCKDOWN PROFILE cndba_prof;
Lockdown Profile dropped.
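The script below is an added example, not part of the original post, that walks through the same lifecycle (sections 2.1 to 2.5) with verification queries, and shows how a PDB-level PDB_LOCKDOWN setting overrides the CDB-level one and how to return to it. The PDB name CNDBAPDB is assumed; the profile cndba_prof is the one created above, which leaves ALTER SYSTEM SET allowed, so the parameter changes in the script are themselves permitted inside the PDB. The per-container rows of V$SYSTEM_PARAMETER and the V$LOCKDOWN_RULES view are used as I know them from Oracle 12.2.

```sql
-- Added example (not from the original post). PDB name CNDBAPDB is assumed.

-- Create the profile in the CDB root and add the rule from section 2.1.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE LOCKDOWN PROFILE cndba_prof;
ALTER LOCKDOWN PROFILE cndba_prof
  DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('FLUSH SHARED_POOL');

-- CDB-wide default: every PDB without its own value inherits this one.
ALTER SYSTEM SET pdb_lockdown = cndba_prof SCOPE = BOTH;

-- Which containers carry their own PDB_LOCKDOWN value (CON_ID 1 = root).
SELECT con_id, value
  FROM v$system_parameter
 WHERE name = 'pdb_lockdown'
 ORDER BY con_id;

-- Inside the PDB, the rules actually being enforced in this container.
ALTER SESSION SET CONTAINER = CNDBAPDB;
SELECT rule_type, rule, clause, clause_option, status
  FROM v$lockdown_rules
 ORDER BY rule_type, rule, clause, clause_option;

-- A PDB-level value takes precedence over the CDB-level one for this PDB only.
ALTER SYSTEM SET pdb_lockdown = cndba_prof SCOPE = BOTH;

-- Section 2.3: the disabled clause fails with ORA-01031, a permitted clause works.
-- ALTER SYSTEM FLUSH SHARED_POOL;        -- expected: ORA-01031 insufficient privileges
ALTER SYSTEM SET open_cursors = 300 SCOPE = MEMORY;

-- Remove the PDB-level override; the PDB inherits the root value again.
ALTER SYSTEM RESET pdb_lockdown SCOPE = BOTH;

-- Section 2.4 and 2.5: clear the CDB-level setting, then drop the profile.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER SYSTEM SET pdb_lockdown = '' SCOPE = BOTH;
DROP LOCKDOWN PROFILE cndba_prof;
```

Checking V$LOCKDOWN_RULES from inside the PDB, rather than DBA_LOCKDOWN_PROFILES in the root, is the reliable way to confirm what is enforced in a given container, because the PDB-level parameter can name a different profile from the CDB-level one.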
For more information on PDB lockdown profiles, see the official documentation:
http://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG-GUID-0D525203-A1A7-46BB-B9DB-03F2D1A3803F