Profiles
You set password policies using profiles. A profile is a group of parameters that includes requirements for user passwords. A profile controls:
- How often users must change their passwords.
- How many times users must change their passwords before they can reuse an old password.
- How many times a user can fail to log in before the account is locked.
-
The required length and content of the password:
- Maximum and minimum number of characters
- Minimum number of capital letters, lowercase letters, digits, and symbols required in a password.
To set a user's password policy, assign the user to a profile. To enforce different password policies for different users, create multiple profiles. For example, you might create one profile for interactive users, requiring them to frequently change their passwords. You might create another profile for user accounts that are not required to change passwords.
Create and Modify Profiles
You create profiles using the CREATE PROFILE statement and change profiles using ALTER PROFILE. You can assign a user to a profile when you create the user (CREATE USER), or after, using the ALTER USER statement. A user can be assigned to only one profile at a time.
All newly created databases contain an initial profile named DEFAULT. Vertica assigns all users to the DEFAULT profile if:
- You do not explicitly assign users a profile when you create them.
- You drop the profile to which a user is currently assigned.
You can change the policy parameters in the DEFAULT profile, but you cannot delete it.
Important: During upgrades from versions of Vertica earlier than version 5.0, each database receives a DEFAULT profile. All users are then automatically assigned to that profile.
The profiles that you create can inherit some or all of their policy parameters from the DEFAULT profile. When you create a profile using CREATE PROFILE, a parameter inherits its value from the DEFAULT profile if:
- You set it to the DEFAULT value.
- You do not assign a value.
If you change a parameter in the DEFAULT profile, you also change that parameter's value in every profile that inherits the parameter from DEFAULT.
Changes to a profile's policies for password content do not have an immediate effect on the users. When Vertica does not test user's passwords to verify that they comply with the new password criteria. Instead, the changed settings only affect the users the next time they change their password. To make sure that users comply with the new password policy, use the ALTER USER statement to expire user passwords. Vertica prompts users with expired passwords to change their passwords when they next log in.
Note: Only the profile settings for how many failed login attempts trigger Account Locking. All password complexity, reuse, and lifetime settings affect only passwords that Vertica manages.
