Use the ALTER LOCKDOWN PROFILE statement to alter a PDB lockdown profile. You can use PDB lockdown profiles in a multitenant environment to restrict user operations in pluggable databases (PDBs).

Pluggable databases bring a new separation of database administrator roles. The DBA administers the container database, the CDB, but can then delegate the administration of individual pluggable databases.
Let’s take an example of a CDB that is a dedicated development environment. The fast and thin provisioning features (snapshot clones) make it possible to give a PDB to each developer. Because it is their database, the CDB administrator can grant them the DBA role for the PDB, so that they can do whatever they wish there, as long as their privileges are limited to this pluggable database.

Now we are going to create LockDown Profile and test this feature.

Create a lockdown profile:

Connect in PDB database and check the default pdb_lockdown setting:

We can now apply the lockdown profile to the pluggable database PDB1, simply by setting the pdb_lockdown parameter for that container:

Now from this PDB, fire ALTER SYSTEM statement.

It is throwing an error as expected because ALTER SYSTEM is disabled due to the PDB_LOCKDOWN setting.

Leave a Reply