首先创建锁定概要文件:
SQL> create lockdown profile APP_DBA_PROFILE;
Lockdown Profile created.
SQL> select PROFILE_NAME,status from dba_lockdown_profiles;
PROFILE_NAME STATUS
----------------- -------
APP_DBA_PROFILE EMPTY
PRIVATE_DBAAS EMPTY
PUBLIC_DBAAS EMPTY
SAAS EMPTY
1、禁用数据库选项
通过概要文件,可以控制对某些数据库特性的访问,从而只能使用许可的选项。例如,禁用分区选项:
SQL> alter lockdown profile APP_DBA_PROFILE disable option=('Partitioning');
Lockdown Profile altered.
此时,在未将该概要文件APP_DBA_PROFILE应用到orclpdb2之前,orclpdb2中可以正常创建分区表:
SQL> alter session set container=orclpdb2;
Session altered.
SQL> create table test (id int) partition by hash(id) partitions 4;
Table created.
将该概要文件APP_DBA_PROFILE应用到orclpdb2之后,orclpdb2中不可以创建分区表:
SQL> alter system set pdb_lockdown=APP_DBA_PROFILE;
System altered.
SQL> create table test2 (id int) partition by hash(id) partitions 4;
create table test2 (id int) partition by hash(id) partitions 4
*
ERROR at line 1:
ORA-00439: feature not enabled: Partitioning
还可以为alter lockdown profile语句中的enable和disable字句指定ALL选项:
alter lockdown profile APP_DBA_PROFILE disable option all;
alter lockdown profile APP_DBA_PROFILE disable option all except=('Oracle Data Guard');
2、禁用alter system
在CDB$ROOT中添加如下规则:
SQL> alter lockdown profile APP_DBA_PROFILE disable statement=('ALTER SYSTEM') clause all except=('KILL SESSION');
Lockdown Profile altered.
SQL> select PROFILE_NAME,RULE_TYPE,RULE,CLAUSE,status from dba_lockdown_profiles;
PROFILE_NAME RULE_TYPE RULE CLAUSE STATUS
--------------- ---------- -------------------- --------------- -------
APP_DBA_PROFILE OPTION PARTITIONING DISABLE
APP_DBA_PROFILE STATEMENT ALTER SYSTEM DISABLE
APP_DBA_PROFILE STATEMENT ALTER SYSTEM KILL SESSION ENABLE
PRIVATE_DBAAS EMPTY
PUBLIC_DBAAS EMPTY
SAAS EMPTY
6 rows selected.
此时使用alter system修改参数会报权限不足,但可以正常执行alter system kill session命令:
SQL> alter session set container=orclpdb2;
Session altered.
SQL> alter system set db_files=2001 scope=spfile;
alter system set db_files=2001 scope=spfile
*
ERROR at line 1:
ORA-01031: insufficient privileges
锁定概要文件所能控制的范围,远不止alter system set命令,因为还可以控制哪些参数是否启用。例如,如下例子就定义了只能够在PDB级别进行设置的参数:
alter lockdown profile APP_DBA_PROFILE disable statement=('ALTER SYSTEM') clause=('SET');
alter lockdown profile APP_DBA_PROFILE disable statement=('ALTER SYSTEM') clause=('SET') option=('ubdo_retention','resumable_timeout');
在禁止对参数进行修改的同时,也可以为参数设置一个值,即当设置PDB_LOCKDOWN参数时:
alter lockdown profile APP_DBA_PROFILE disable statement=('ALTER SYSTEM') clause=('SET') option=('cursor_sharing') values=('EXACT');