All Products
Search

This Product

    PolarDB:Create a new configuration file

    Document Center

    PolarDB:Create a new configuration file

    Last Updated:Mar 30, 2026

    Use CREATE PROFILE to define a named set of password and login security rules that can be enforced on database accounts.

    Syntax

    CREATE PROFILE profile_name
  [LIMIT {parameter value} ... ];

    Use the LIMIT clause with one or more space-delimited parameter-value pairs to specify the rules enforced by PolarDB for PostgreSQL (Compatible with Oracle).

    Parameters

    Parameter

    Description

    profile_name

    The name of the profile.

    parameter

    The attribute the profile limits.

    value

    The limit applied to the parameter.

    Supported parameters

    FAILED_LOGIN_ATTEMPTS

    Specifies the number of consecutive failed logon attempts before the server locks the account.

    Supported values:

    • An INTEGER value greater than 0.

    • DEFAULT — uses the value of FAILED_LOGIN_ATTEMPTS from the DEFAULT profile.

    • UNLIMITED — allows unlimited failed logon attempts.

    PASSWORD_LOCK_TIME

    Specifies how long an account stays locked after exceeding FAILED_LOGIN_ATTEMPTS.

    Supported values:

    • A NUMERIC value greater than or equal to 0. Use a decimal to represent a fraction of a day — for example, 4.5 means 4 days and 12 hours.

    • DEFAULT — uses the value of PASSWORD_LOCK_TIME from the DEFAULT profile.

    • UNLIMITED — the account stays locked until a database superuser manually unlocks it.

    PASSWORD_LIFE_TIME

    Specifies how many days a password can be used before the user must set a new one.

    If PASSWORD_LIFE_TIME is set, use PASSWORD_GRACE_TIME to define a grace period after expiration. If PASSWORD_GRACE_TIME is not specified, the default grace period applies — the account cannot execute any statements until the user changes the password.

    Supported values:

    • A NUMERIC value greater than or equal to 0. Use a decimal to represent a fraction of a day.

    • DEFAULT — uses the value of PASSWORD_LIFE_TIME from the DEFAULT profile.

    • UNLIMITED — the password never expires.

    PASSWORD_GRACE_TIME

    Specifies the number of days between password expiration and forced password change. During the grace period, the user can connect but cannot execute statements until the password is updated.

    Supported values:

    • A NUMERIC value greater than or equal to 0. Use a decimal to represent a fraction of a day.

    • DEFAULT — uses the value of PASSWORD_GRACE_TIME from the DEFAULT profile.

    • UNLIMITED — the grace period never ends.

    PASSWORD_REUSE_TIME

    Specifies the minimum number of days that must pass before a password can be reused.

    PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX work together:

    • If one parameter has a finite value and the other is UNLIMITED, old passwords can never be reused.

    • If both are UNLIMITED, passwords can be reused without restriction.

    Supported values:

    • A NUMERIC value greater than or equal to 0. Use a decimal to represent a fraction of a day.

    • DEFAULT — uses the value of PASSWORD_REUSE_TIME from the DEFAULT profile.

    • UNLIMITED — password can be reused without restriction.

    PASSWORD_REUSE_MAX

    Specifies the minimum number of password changes required before a password can be reused. See PASSWORD_REUSE_TIME for how these two parameters interact.

    Supported values:

    • An INTEGER value greater than or equal to 0.

    • DEFAULT — uses the value of PASSWORD_REUSE_MAX from the DEFAULT profile.

    • UNLIMITED — password can be reused without restriction.

    PASSWORD_VERIFY_FUNCTION

    Specifies a PL/SQL function that validates password complexity before accepting a new password.

    Supported values:

    • The name of a PL/SQL function.

    • DEFAULT — uses the function specified in the DEFAULT profile.

    • NULL

    PASSWORD_ALLOW_HASHED

    Specifies whether the server accepts pre-hashed (client-side encrypted) passwords.

    • TRUE — accepts a hash-computed password submitted by the client.

    • FALSE — requires passwords in plain-text form. If the server receives a hashed password, it returns an error.

    Supported values:

    • A Boolean value: TRUE, ON, YES, 1, FALSE, OFF, NO, or 0.

    • DEFAULT — uses the value of PASSWORD_ALLOW_HASHED from the DEFAULT profile.

    Note

    PASSWORD_ALLOW_HASHED is not compatible with Oracle.

    Examples

    Lock an account after repeated logon failures

    The following profile locks an account for 1 day after 5 consecutive failed logon attempts.

    CREATE PROFILE acctg LIMIT
       FAILED_LOGIN_ATTEMPTS 5
       PASSWORD_LOCK_TIME 1;

    Require periodic password changes

    The following profile requires users to change their password every 90 days, with a 3-day grace period.

    CREATE PROFILE sales LIMIT
       PASSWORD_LIFE_TIME 90
       PASSWORD_GRACE_TIME 3;

    After the 90-day period, users see an error on their next logon attempt but can still connect during the 3-day grace period. Once the grace period ends, the account cannot execute any statements until the user sets a new password.

    Restrict password reuse

    The following profile prevents users from reusing a password within 180 days and requires at least 5 password changes before a previous password can be reused.

    CREATE PROFILE accts LIMIT
       PASSWORD_REUSE_TIME 180
       PASSWORD_REUSE_MAX 5;

    Enforce password complexity

    The following profile calls a user-defined function, password_rules, to validate that new passwords meet your complexity requirements.

    CREATE PROFILE resources LIMIT
       PASSWORD_VERIFY_FUNCTION password_rules;

    Related statements

    To remove a profile, use DROP PROFILE.