On a multitenant database, PDB lockdown profiles let you limit what a user can do inside a PDB.
One use case is preventing highly privileged users (such as application DBAs) from running ALTER SYSTEM or ALTER SESSION commands.
A first attempt might be a PDB lockdown profile like this:
SQL> create lockdown profile lock_test;
SQL> alter lockdown profile lock_test disable statement=('ALTER SESSION');
SQL> alter lockdown profile lock_test disable statement=('ALTER SYSTEM');
The problem with this simple profile is that we can lock ourselves in, even as a common user.
Imagine that you want to enable this profile on several PDBs:
SQL> alter session set container=pdb01;
Session altered.
SQL> alter system set pdb_lockdown=lock_test;
System altered.
SQL> alter session set container=samplepdb;
ERROR:
ORA-01031: insufficient privileges
Oops, you can no longer change the active container!