Managing login policies

A login policy is a named object in a database that consists of a set of rules that are applied when you create a database connection for a user. All new databases include a root login policy. You can modify the root login policy values, but you cannot delete the policy. Login policies govern only the rules for user login and are separate from authorities and permissions. Login policies are not inherited through group memberships.

The following table lists the settings that are governed by a login policy and includes the default settings for the root login policy:

Policy-option-name	Description	Default value	Applies to
password_life_time	The maximum number of days before a password must be changed.	Unlimited	All users including those with DBA authority
password_grace_time	The number of days before the password expires during which login is allowed, but the default post_login procedure issues warnings.	0	All users including those with DBA authority
password_expiry_on_next_login	If the value for this option is ON, the user's password will expire after the next login.	OFF	All users including those with DBA authority
locked	If the value for this option is ON, users are not allowed to establish new connections. Users with DBA authority cannot be locked. The reason_locked column of the sa_get_user_status system procedure returns a string generated by the database server that shows why a user is locked.	OFF	Users without DBA authority
max_connections	The maximum number of concurrent connections allowed for a user.	Unlimited	Users without DBA authority
max_failed_login_attempts	The maximum number of failed attempts, since the last successful attempt, to login before the user is locked.	Unlimited	Users without DBA authority
max_days_since_login	The maximum number of days that can elapse between two successive logins by the same user.	Unlimited	Users without DBA authority
max_non_dba_connections	The maximum number of concurrent connections that users without DBA authority can make. This option is only supported in the root login policy.	Unlimited	Users without DBA authority and only to the default login policy

A user is assigned the root login policy when:

you create a new user and do not specify a login policy
you use the Unload utility (dbunload) to rebuild a database created by a previous version of SQL Anywhere
you upgrade a SQL Anywhere version 10 database using the Upgrade utility (dbupgrad) or the ALTER DATABASE UPGRADE statement

You can create, alter, and drop login policies. As well, you can create, alter, and drop users, and assign login policies to them. The sa_get_user_status system procedure lets you get information about the current status of a user. See sa_get_user_status system procedure.

Inheritance of login policy settings

A default login policy called root is stored in the database and contains the default option values for all policies. If you want to use different settings than the defaults, you can either alter the root policy, or create a policy and then alter it to contain overrides for the defaults. A policy inherits its default settings from the root policy, unless it is altered to contain overrides.

For example, suppose the root policy value for max_connections is 5. You create a policy called myPolicy and alter it to set max_connections to Unlimited. Then, you create a user and assign the myPolicy login policy. When the user logs in, their login policy option settings are inherited from the root login policy with the exception of max_connections, which is set to Unlimited.

Inheritance of default values from the root policy is important to understand because if you subsequently change the value of an option setting in the root policy, you impact users of policies that rely on the default value for that setting. Similarly, if a root value is changed, it does not impact any users of policies that contain an override for that setting.

Managing login policies

Inheritance of login policy settings

See also