Other User-Related Security Features
Besides subject privileges, user objects can be assigned an expiration date and a password.
User Expiration Dates
An expiration date for a user can be specified as any valid Ingres date or as a date or time interval. For example, you might specify an interval of '1 month' or '1 year,' or an absolute date, such as '5�jan�2004.'
The user's expiration date is checked each time the user connects to the Ingres DBMS Server. If the expiration date has passed, then access is denied. To enable an expired user to connect, the associated user (or profile) object must be modified to reset the expiration date.
User Passwords
A password can be specified for a user as part of their associated user object. The password can be assigned when the user object is created or by modifying an existing user object, as discussed in the chapter "Authorizing User Access."
Note: This password is in addition to the login password or installation password that the user must specify as part of the vnode definition if the Ingres DBMS Server is located on a remote node. For more information on managing remote nodes, see the System Administrator Guide.
When a session requires a password and one has not been specified, a prompt requesting a password is issued anytime Ingres makes a connection between an Ingres tool and the DBMS. For security reasons, a password prompt is issued if either a required password is missing or the user name is unknown or illegal. This behavior is consistent with that of operating systems during logon.
No prompt is issued if the connection specifies a password directly, as is the case with an application. This must be done if the application cannot prompt for a password. If the application can prompt for a password, it does. Then it passes the value entered using the dbms_password clause of the connect statement.
User passwords are validated directly by the Ingres DBMS Server or by an external authentication mechanism, depending on how the user object is configured.
Note: If a user with the security privilege starts a session using the –u flag to impersonate another user, the real user's password—not the impersonater's—is required.
Any user is permitted to change their own password, although they must supply their old password in order to do so. Any user with the maintain_users privilege can change the password of another user, in addition to changing the method of password validation or removing the password altogether.
Note: Passwords also apply to roles, which are discussed in Groups and Roles in the chapter "Authorizing User Access."
© 2007 Ingres Corporation.
All rights reserved.
