A new profile parameter PASSWORD_ROLLOVER_TIME allows to change a database
account password, without a downtime for the application that needs to use
this password.
See also:
https://docs.oracle.com/en/database/oracle/oracle-database/21/nfcon/gradual-database-password-rollover-for-applications-222774864.html
This parameter was originally developed for 21c and was backported in
version 19.12. It can be set for a profile, but also the alter user syntax
was enhanced.
Essentially it means for a certain time a user can login with either the
old or with the new password. The maximum allowed time is 7 days.
Some accounts (administrative) can not use this, probably for security
reasons.
ORA-28227: Gradual password rollover is not supported for administrative
users.
Julian Dontcheff explains the parameter in more detail:
https://juliandontcheff.wordpress.com/2021/08/06/life-grace-and-rollover-time-of-passwords-in-the-oracle-database/
For security consideration check this post by Rodrigo Jorge:
https://www.dbarj.com.br/en/2020/12/21c-gradual-database-password-rollover-brings-new-backdoor-opportunities/
On Wed, Jan 5, 2022 at 3:50 PM Sweetser, Joe <JSweetser@xxxxxxxx> wrote:
Greetings Gurus,
I am scratching my head on this one. I have 2 v19 databases with the Oct
2021 RU installed. I am getting what (to me) is strange error in one of
them when I try to grant sysbackup to a user. I will open a call with
Oracle support but figured this list my provide a quicker
solution/explanation. Database ONE works as expected by me. Database TWO
throws an ORA-28227 when trying to grant sysbackup to a user. Something
must be different between the 2 databases but I cannot figure it out.
Any/all ideas on where to look are appreciated. Google and Metalink
(dating myself there, I know) are not helpful yet.
Thanks,
-joe
Database ONE (works)
SQL> select banner_full from v$version;
BANNER_FULL
--------------------------------------------------------------------------------
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.13.0.0.0
SQL> create user joe identified by "DFKLD_345345-sdfksdfsdk!#$blah";
User created.
SQL> grant connect to joe;
Grant succeeded.
SQL> grant sysbackup to joe;
Grant succeeded.
SQL> drop user joe cascade;
User dropped.
++++++++++++++++++++++++++
Database TWO (fails)
SQL> select banner_full from v$version;
BANNER_FULL
--------------------------------------------------------------------------------
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.13.0.0.0
SQL> create user joe identified by "DFKLD_345345-sdfksdfsdk!#$blah";
User created.
SQL> grant connect to joe;
Grant succeeded.
SQL> grant sysbackup to joe;
grant sysbackup to joe
*
ERROR at line 1:
ORA-28227: Gradual password rollover is not supported for administrative
users.
SQL> drop user joe cascade;
User dropped.
This e-mail transmission and any attachments that accompany it may contain
information that is privileged, confidential or otherwise exempt from
disclosure under applicable law and is intended solely for the use of the
individual's to whom it was intended to be addressed. If you have received
this e-mail by mistake, or you are not the intended recipient, any
disclosure, dissemination, distribution, copying or other use or retention
of this communication or its substance is prohibited. If you have received
this communication in error, please immediately reply to the author via
e-mail that you received this message by mistake and also permanently
delete the original and all copies of this e-mail and any attachments from
your computer. Please note that coverage cannot be bound or altered by
sending an email. You must receive written confirmation from a
representative of our firm to put coverage in force or make changes to an
existing policy.
--
//www.freelists.org/webpage/oracle-l
