A lock-down of some or all of the services of a database can occur if all administrative users with the MANAGE ANY USER system privilege are locked out of the database due to failed login attempts.
A user account is automatically locked if the user exceeds the maximum failed login attempts limit (the max_failed_login_attempts value) defined in the login policy. Once locked, the user account must be manually unlocked by a user granted the MANAGE ANY USER system privilege. However, if all users with the MANAGE ANY USER system privilege are themselves locked out due to failed login attempts, a potential lock-down of some or all of the services of a database can occur.
To prevent this scenario, two login policy options are available:
root_auto_lock_time: Defines the automatic unlocking period for users with the MANAGE ANY USER system privilege. Set this option to a small value (for example, 15 minutes). There is a server-imposed upper limit of a few hours on this value. This option can be set in the root login policy only.
auto_unlock_time: Defines the automatic unlocking period for all other users. The auto_unlock_time option should be set to UNLIMITED (default value) and can be set in any login policy, including the root login policy.
Configuration of these values requires the MANAGE ANY LOGIN POLICY system privilege.
Based on the permissions granted to a user, one of the two login policy options is verified at the time of unlocking. Automatic unlocking applies only to accounts locked due to failed login attempts, not to accounts locked for any other reason. The locked status of a user is verified during login. If the time the account has been locked equals or exceeds the specified automatic unlock period, the user is allowed to log in and the failed_login_attempts counter is reset to zero.
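The login-time check described above, modelled in Python as an added example (not SAP's code and not part of the original page). It assumes periods are measured in minutes and a single policy dictionary keyed by the option names as this page spells them; Account, try_login, earliest_admin_recovery and the account names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

UNLIMITED = None  # model value: the account is never unlocked automatically

@dataclass
class Account:
    name: str
    manage_any_user: bool               # holds the MANAGE ANY USER system privilege
    failed_login_attempts: int = 0
    locked_at: Optional[float] = None   # minute at which a failed-login lock began
    locked_other: bool = False          # locked for any other reason

def try_login(acct, password_ok, policy, now):
    """Model of the check made at login; returns True when the login succeeds."""
    if acct.locked_other:
        return False                    # automatic unlocking never applies here
    if acct.locked_at is not None:
        # The option consulted depends on the privilege the user holds.
        opt = "root_auto_lock_time" if acct.manage_any_user else "auto_unlock_time"
        period = policy[opt]
        if period is UNLIMITED or now - acct.locked_at < period:
            return False                # still locked
        acct.locked_at = None           # period equaled or exceeded: unlock
        acct.failed_login_attempts = 0
    if password_ok:
        acct.failed_login_attempts = 0
        return True
    acct.failed_login_attempts += 1
    if acct.failed_login_attempts > policy["max_failed_login_attempts"]:
        acct.locked_at = now            # limit exceeded: lock the account
    return False

def earliest_admin_recovery(accounts, policy):
    """Minute at which some MANAGE ANY USER account can log in again.
    0.0: one is unlocked already; None: none is ever unlocked automatically."""
    times = []
    for a in accounts:
        if not a.manage_any_user or a.locked_other:
            continue
        if a.locked_at is None:
            times.append(0.0)
        elif policy["root_auto_lock_time"] is not UNLIMITED:
            times.append(a.locked_at + policy["root_auto_lock_time"])
    return min(times) if times else None

if __name__ == "__main__":
    policy = {"max_failed_login_attempts": 3, "root_auto_lock_time": 15,
              "auto_unlock_time": UNLIMITED}
    admins = [Account("dba1", True), Account("dba2", True)]  # constructed accounts
    for a in admins:
        for _ in range(4):
            try_login(a, False, policy, now=0)
    print(earliest_admin_recovery(admins, policy))
    print(earliest_admin_recovery(admins, {**policy, "root_auto_lock_time": UNLIMITED}))
```

With every administrator locked, the second call returns None: no MANAGE ANY USER account is left to unlock anyone, which is the lock-down the small root value prevents.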
Copyright © 2014, SAP AG or an SAP affiliate company. - SAP Sybase SQL Anywhere 16.0