CREATE PROFILE
CREATE PROFILE — define a new profile
Synopsis
CREATE PROFILE [ IF NOT EXISTS ]name
[ LIMITparameter
value
[ ... ] ] whereparameter
can be: FAILED_LOGIN_ATTEMPTS | PASSWORD_REUSE_TIME | PASSWORD_REUSE_MAX | PASSWORD_LIFE_TIME | PASSWORD_GRACE_TIME | USER_INACTIVE_TIME | FAILED_AUTH_KEEP_TIME | PASSWORD_MIN_UNIQUE_CHARS | PASSWORD_MIN_LEN | PASSWORD_REQUIRE_COMPLEX CREATE PROFILE [ IF NOT EXISTS ]name
FROMexisting_profile
Description
The CREATE PROFILE
command adds a new profile for the Postgres Pro database cluster. You must be a database superuser or have the privileges of the pg_manage_profiles
role to use this command.
A profile defines a set of parameters that restrict database usage. In particular, Postgres Pro profiles enforce password management policy for the roles assigned to them. Profiles are defined at the database cluster level, so they apply to all databases in the cluster.
By default, all parameter values of a new profile are set to DEFAULT
, which inherits the actual values from the built-in default
profile. Initially, the default
profile provides no usage restrictions, but it can be changed by the ALTER PROFILE
command. The UNLIMITED
value indicates that no restrictions apply to a particular parameter.
Once a profile is assigned to a role, all restrictions of this profile apply to this role. All newly created roles have the default
profile, unless you explicitly assign a different profile to this role.
Parameters
name
The name of the new profile.
FAILED_LOGIN_ATTEMPTS
value
Specifies the number of failed login attempts before the role is locked. A superuser can unlock the locked role by running the ALTER ROLE command with the
ACCOUNT UNLOCK
clause.Note that there can be several actual login attempts made behind each user-perceived login attempt. For example, when the user tries to log in with SSL enabled, libpq-based clients by default also make a non-SSL connection attempt if an SSL connection fails.
Possible values are integers greater than
0
,DEFAULT
, orUNLIMITED
.PASSWORD_REUSE_TIME
value
Specifies for how long an old password cannot be reused. Measured in days. Possible values are real numbers greater than or equal to
0
,interval
values,DEFAULT
, orUNLIMITED
.Set this parameter together with
PASSWORD_REUSE_MAX
as its effect depends on the combination. If both these parameters are set toUNLIMITED
, there are no restrictions on password reuse. If only one of them is set toUNLIMITED
, password reuse is always forbidden.PASSWORD_REUSE_MAX
value
Specifies the number of password changes required before the current password can be reused. Possible values are integers greater than or equal to
0
,DEFAULT
, orUNLIMITED
.Set this parameter together with
PASSWORD_REUSE_TIME
as its effect depends on the combination. If both these parameters are set toUNLIMITED
, there are no restrictions on password reuse. If only one of them is set toUNLIMITED
, password reuse is always forbidden.PASSWORD_LIFE_TIME
value
Specifies for how long the password can be used for authentication on the primary server. Measured in days. Possible values are real numbers,
interval
values,DEFAULT
, orUNLIMITED
. The resulting value in seconds must be greater than0
. Once the password expires, all further connections of the corresponding role are rejected. The role can be unlocked with the ALTER ROLE command.However, if the LDAP authentication is configured, this role still can connect to standby servers, unless it is locked in LDAP too.
If
PASSWORD_GRACE_TIME
parameter is also set, the specified grace period is added to the password lifetime. During the grace period, the role is prompted to change the password while still allowed to log in.PASSWORD_GRACE_TIME
value
Specifies for how long a warning is raised that the password is going to expire while login is still allowed, measured in days. You can set the password life time in the
VALID UNTIL
attribute of the role or in thePASSWORD_LIFE_TIME
parameter of the profile.Possible values are real numbers greater than or equal to
0
,interval
values,DEFAULT
, orUNLIMITED
. If thePASSWORD_GRACE_TIME
parameter is set toUNLIMITED
, the password life time effectively becomes unlimited.USER_INACTIVE_TIME
value
Specifies for how long the user can be inactive since the last login before the role is locked. Measured in days. A superuser can unlock the locked role by running the ALTER ROLE command with the
ACCOUNT UNLOCK
clause. Possible values are real numbers,interval
values,DEFAULT
, orUNLIMITED
. The resulting value in seconds must be greater than0
.FAILED_AUTH_KEEP_TIME
value
Specifies for how long the information on the user's first authentication failure is kept. Measured in days. Possible values are real numbers,
interval
values,DEFAULT
, orUNLIMITED
. The resulting value in seconds must be greater than0
. When the user attempts to log in after this time interval expires, the failed login attempts counter (seeFAILED_LOGIN_ATTEMPTS
parameter) is reset and the user is unlocked if they were locked previously due to authentication failures.PASSWORD_MIN_UNIQUE_CHARS
value
Specifies minimum number of unique characters for a password. Possible values are integers greater than
0
,DEFAULT
, orUNLIMITED
.PASSWORD_MIN_LEN
value
Specifies minimum number of characters for a password. Possible values are positive integers,
DEFAULT
, orUNLIMITED
.PASSWORD_REQUIRE_COMPLEX
[value
]Specifies whether password complexity is checked. If this check is enabled, a password must meet the following requirements:
Password contains both letters and non-letter characters
Password doesn't contain the user name
Possible values are booleans or
DEFAULT
. If the parameter is used without a value, it is set astrue
.IF NOT EXISTS
Do not throw an error if a profile with the same name already exists.
existing_profile
The name of an existing profile to copy. The new profile will have the same properties as the existing one, but it will be an independent object.
Notes
Use ALTER PROFILE to change the parameter values of a profile, and DROP PROFILE to remove a profile. All the parameters specified by CREATE PROFILE
can be modified later by running the ALTER PROFILE
command.
Warning
PASSWORD_REUSE_TIME
and PASSWORD_REUSE_MAX
parameters might not work if the password is passed in an encrypted form during the password change. The \password
command of psql encrypts the password (see the section called “Meta-Commands” for details). If the password is MD5 encrypted, it can be checked for equivalence, and PASSWORD_REUSE_TIME
or PASSWORD_REUSE_MAX
parameters can be applied. But there is no way to check for equivalence for SCRAM-SHA-256 encrypted passwords.
Warning
PASSWORD_MIN_UNIQUE_CHARS
, PASSWORD_MIN_LEN
, and PASSWORD_REQUIRE_COMPLEX
parameters don't work if the password is passed in an encrypted form during the password change.
Examples
Create a profile admin_profile
:
CREATE PROFILE admin_profile LIMIT PASSWORD_REUSE_MAX 10 PASSWORD_REUSE_TIME 30;
Create a role having admin_profile
:
CREATE ROLE admin WITH PROFILE admin_profile;
Create a profile from an existing profile:
CREATE PROFILE administrator FROM admin_profile;
This can be convenient to be able to use an existing profile as a template for a new one.