PDB Lockdown Profiles In Oracle 12.2

ALTER LOCKDOWN PROFILE statement to alter a PDB lockdown profile. You can use PDB lockdown profiles in a multitenant environment to restrict user operations in pluggable databases (PDBs).

Create a lockdown profile:-

SQL> conn / as SYSDBA

SQL> create lockdown profile lock_profile;

Lockdown Profile created.

SQL> ALTER LOCKDOWN PROFILE lock_profile DISABLE STATEMENT = ('ALTER SYSTEM');

Lockdown Profile altered.

Connect in PDB database and check the default pdb_lockdown setting:-

SQL> ALTER SESSION SET CONTAINER = pdb1;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown string DEFAULT_PDB_LOCKDOWN
SQL> alter system checkpoint;

System altered.

We can now apply the lockdown profile to the pluggable database PDB1, 
simply by setting the pdb_lockdown parameter for that container.

SQL> ALTER SESSION SET CONTAINER = pdb1;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown string DEFAULT_PDB_LOCKDOWN

SQL> ALTER SYSTEM SET PDB_LOCKDOWN = lock_profile;

System altered.

SQL> SHOW PARAMETER PDB_LOCKDOWN;

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown string lock_profile

Now from this PDB, fire ALTER SYSTEM statement:-

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

It is throwing an error as expected because ALTER SYSTEM is disabled due to the PDB_LOCKDOWN setting.

Abishek Srinivasan