User Account Status 在CDB 和PDB不一致的情况 OPEN & IN ROLLOVER

PDB: OPEN & IN ROLLOVER

CDB: OPEN

解决办法

alter user C## expire password rollover period;

select pdb.NAME, pdb.CREATION_TIME  pdbcreated,du.username,du.account_status,du.LOCK_DATE,du.EXPIRY_DATE,du.CREATED,du.LAST_LOGIN,du.profile,du.password_change_date ,RESOURCE_NAME,limit
 from v$containers pdb, cdb_users du ,cdb_profiles dp
where du.profile=dp.profile and dp.RESOURCE_NAME='PASSWORD_ROLLOVER_TIME' 
and du.CON_ID=dp.CON_ID  and pdb.CON_ID=du.CON_ID  and du.USERN='XXX'

如果是clone 的pdb 中的XXX用户的状态也可能不对的

Account Status Is Not Displayed Correctly In PDBs for Common users After locked per FAILED_LOGIN_ATTEMPTS or Gradual Password Rollover (Doc ID 2947289.1) ​编辑To Bottom

User Account Status 在CDB 和PDB不一致的情况 OPEN & IN ROLLOVER_第1张图片


User Account Status 在CDB 和PDB不一致的情况 OPEN & IN ROLLOVER_第2张图片

In this Document

Symptoms
Changes
Cause
Solution
References

APPLIES TO:

Oracle Database - Enterprise Edition - Version 19.16.0.0.0 and later
Information in this document applies to any platform.

SYMPTOMS

Changing the password of common user from CDB with GPR set present this behavior.

  • From Dba_users view account_status shows “OPEN & IN ROLLOVER” in CDB and PDB.
  • After the password rollover periods ends then get connected with this common user to CDB and PDB and ..
           Result in CDB Account_status shows: OPEN
           Result in PDB Account_status shows: OPEN & IN ROLLOVER    (This status is not displayed Correctly In PDB)

 Note: Also this status is not displayed Correctly if the Account  has been locked per FAILED_LOGIN_ATTEMPTS and get it unlocked the Status on PDB may not be displayed correctly.

CHANGES

CAUSE

Basically it was not considered as a bug because by Design, the Common users are always created from the Root/CDB (NOT from PDB level) so DBA_users is updated well in the CDB but in the PDBs it is not updated in the same way and this is expected (by design).


Also, this issue is not particular for using GPR. if the common user is locked (by GPR or by FAILED_LOGIN_ATTEMPTS) the correct status is not expected to be displayed in DBA_users from the PDB. The correct status can be consulted from the CDB.
 

SOLUTION

There is Enhacement request for this matter.

Enh 35342785 - DBA_USERS SHOULD DISPLAY THE ACCOUNT_STATUS VALUE FROM THE ROOT

You can follow its tracking performing the steps provided on the below reference ...
  "Tracking Bugs in My Oracle Support when a Service Request Is Closed "Defect Pending" (Doc ID 1564933.1)"

你可能感兴趣的:(oracle)