Explanation of the ACCOUNT_STATUS column in the DBA_USERS view
Reference:
How to Interpret the ACCOUNT_STATUS Column in DBA_USERS (Doc ID 260111.1)
Applies to:
Oracle Server - Enterprise Edition - Version 9.2.0.1 to 11.2.0.3 [Release 9.2 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 06-Jan-2013
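Purpose:
This article explains the meaning of the ACCOUNT_STATUS column in the DBA_USERS view.
Details:
The ACCOUNT_STATUS column in the DBA_USERS view can have the following values:
select * from user_astatus_map; -- Note this view; it is quite useful.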
STATUS# STATUS
---------- --------------------------------
0 OPEN
1 EXPIRED
2 EXPIRED(GRACE)
4 LOCKED(TIMED)
8 LOCKED
5 EXPIRED & LOCKED(TIMED)
6 EXPIRED(GRACE) & LOCKED(TIMED)
9 EXPIRED & LOCKED
10 EXPIRED(GRACE) & LOCKED
These values relate directly to two features, 'Account Locking' and 'Password Aging and Expiration', explained below:
1. Account Locking - LOCKED / LOCKED(TIMED)
An account can be locked by the DBA, or locked automatically after the allowed number of failed login attempts is exceeded.
When PASSWORD_LOCK_TIME is defined, the account is unlocked automatically once that time has passed; this case is marked LOCKED(TIMED).
Whenever LOCKED(TIMED) appears, it tells you that the account was locked because the number of failed logins exceeded FAILED_LOGIN_ATTEMPTS.
If the account was explicitly locked at create or alter time, you will only see LOCKED.
You might expect that when PASSWORD_LOCK_TIME is set to unlimited and the account is locked automatically, the account status would show LOCKED.
That expectation is wrong: the account status still shows LOCKED(TIMED).
The account will simply never unlock automatically, because PASSWORD_LOCK_TIME is unlimited, that is, the lock time has no limit (a permanent lock).
To add to the confusion, at some point it was decided that even if the account is locked automatically, we should not set it to LOCKED(TIMED) if PASSWORD_LOCK_TIME is unlimited, since in that case the account would never automatically unlock.
This would give up a crucial piece of information, namely whether the account was locked manually or automatically. This change was introduced in 11.2.0.1.
However, this change caused a regression (Bug 9693615) in which lock_date is NULL in dba_users when the account was locked automatically. The fix for this bug backed out the change again, so with this fix automatically locked accounts show LOCKED(TIMED) once more.
So we know that when ACCOUNT_STATUS is LOCKED(TIMED), the lock is the result of failed login attempts, even if the lock will not expire.
In 11.2.0.1 (without the fix to Bug 9693615), you can verify that if an account was locked automatically, the lock_date column in the dba_users view is NULL.
2. Password Expiration - EXPIRED / EXPIRED(GRACE)
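A password can be set to expire with or without a grace period. When a password has expired and no grace period is defined, the password is set to EXPIRED, which means the user will be prompted for a new password at the next login.
When a grace period is defined, a warning is issued during the grace period and ACCOUNT_STATUS is set to EXPIRED(GRACE).
Conclusion:
Password Expiration and Account Locking are two independent features:
An account is not locked because its expire or grace time has been exceeded.
An account that is neither expired nor locked shows as OPEN (STATUS# 0), because account locking (based on failed login attempts) and expiration (based on the password not being changed) are fundamentally unrelated.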
In addition to the EXPIRED (1,2) and LOCKED (4,8) bits being set, you can
have combinations of both with STATUS# 5,6,9 and 10: internally the
STATUS# are added for the combinations of expired and locked.
For example :
'EXPIRED' + 'LOCKED' = 1 + 8 = 9 = 'EXPIRED & LOCKED'
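The additive STATUS# rule and the locking rules above can be applied mechanically when reviewing accounts. The following is an added example, not code from the Oracle note or this page's author: the function names, the sample rows, and the NULL lock_date heuristic are assumptions built from the description above.

```python
from typing import NamedTuple, Optional

# Component values from the USER_ASTATUS_MAP listing on this page.
EXPIRY = {0: "", 1: "EXPIRED", 2: "EXPIRED(GRACE)"}
LOCK = {0: "", 4: "LOCKED(TIMED)", 8: "LOCKED"}
LOCK_CAUSE = {0: "not locked", 4: "failed logins", 8: "explicit lock"}

class Decoded(NamedTuple):
    label: str        # text shown in DBA_USERS.ACCOUNT_STATUS
    expired: bool
    lock_cause: str

def decode(status_no: int) -> Decoded:
    """Split a STATUS# into its independent expiration and locking parts."""
    exp, lock = status_no & 3, status_no & 12
    # Each feature contributes at most one value, so 3 (1+2) and 12 (4+8)
    # are invalid parts, and no value outside 0..15 is defined.
    if not 0 <= status_no <= 15 or exp not in EXPIRY or lock not in LOCK:
        raise ValueError(f"STATUS# {status_no} is not in USER_ASTATUS_MAP")
    label = " & ".join(p for p in (EXPIRY[exp], LOCK[lock]) if p) or "OPEN"
    return Decoded(label, exp != 0, LOCK_CAUSE[lock])

def triage(user: str, status_no: int, lock_date: Optional[str],
           lock_time_unlimited: bool) -> str:
    """Build one review line for an account using the rules described above."""
    d = decode(status_no)
    notes = []
    if d.lock_cause == "failed logins":
        notes.append("locked after exceeding FAILED_LOGIN_ATTEMPTS")
        if lock_time_unlimited:
            notes.append("PASSWORD_LOCK_TIME unlimited, never unlocks automatically")
    elif d.lock_cause == "explicit lock" and lock_date is None:
        # Heuristic (assumption): NULL lock_date on a LOCKED account matches
        # the 11.2.0.1 behaviour without the Bug 9693615 fix.
        notes.append("lock_date NULL, may be an automatic lock on 11.2.0.1")
    elif d.lock_cause == "explicit lock":
        notes.append("locked explicitly at create or alter time")
    if d.expired:
        notes.append("password expired or in grace period, independent of the lock")
    return f"{user}: {d.label}" + (" [" + "; ".join(notes) + "]" if notes else "")

# Constructed sample rows: (username, STATUS#, lock_date, lock time unlimited?)
SAMPLE = [("APP_SVC", 4, "2013-01-05", True), ("JSMITH", 9, "2013-01-02", False),
          ("BATCH", 8, None, True), ("SCOTT", 2, None, False)]

if __name__ == "__main__":
    for row in SAMPLE:
        print(triage(*row))
```

Accounts reported with the "failed logins" cause are the ones worth correlating with login audit records, since that status is only reached through repeated failed authentication.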