Profiles
You can set password policies for users by assigning them profiles. You can create multiple profiles to manage the password policies for several categories of users. For example, you might create one profile for interactive users, requiring them to frequently change their passwords. You might create another profile for user accounts that are not required to change passwords
Defining Profiles
You create profiles with CREATE PROFILE statement, and change existing profiles with ALTER PROFILE. Both statements let you set one or more profile parameters.
Each profile can specify one or more of the following policies:
- How often users must change their passwords.
- How many times users must change their passwords before they can reuse an old password.
- How many times a user can fail to log in before the account is locked.
-
The required length and content of the password:
- Maximum and minimum number of characters
- Minimum number of capital letters, lowercase letters, digits, and symbols required in a password.
Assigning Profiles
After you define a profile, you can assign it to new and existing users with CREATE USER and ALTER USER, respectively.
Changes to profile policies for password content—for example, PASSWORD_MAX_LENGTH
and PASSWORD_MIN_SYMBOLS
—affect users only when they change their passwords. Vertica does not test existing passwords to verify that they comply with new password requirements. To enforce immediate compliance with new profile requirements, use ALTER USER…PASSWORD EXPIRE
to force immediate expiration of the user's current password. On the user's next login, Vertica prompts this user to supply a new password, which must comply with the new policy.
Default Profile
Each database contains a DEFAULT
profile. Vertica assigns the default profile to users who are not explicitly assigned a profile. The default profile also sets parameters of non-default profiles in two cases:
- Profile parameters that are not explicitly set by
CREATE PROFILE
- Parameters that
ALTER PROFILE
sets toDEFAULT
All parameters in the default profile are initially set to unlimited
. You can use ALTER PROFILE
to change these settings. For example, the following statement modifies the default profile parameter PASSWORD_MIN_SYMBOLS
. The change requires passwords to contain at least one symbol, such as $, #, @. This change affects all profiles where PASSWORD_MIN_SYMBOLS
is set to default
:
ALTER PROFILE DEFAULT LIMIT PASSWORD_MIN_SYMBOLS 1;
Profile Settings and Client Authentication
The following profile settings affect client authentication methods, such as LDAP or GSS:
FAILED_LOGIN_ATTEMPTS
PASSWORD_LOCK_TIME
All other profile settings are used only by Vertica to manage its passwords.