Set a Failed Login Attempt Lockout Policy
On this page
You can specify the number of times a user can enter an incorrect password before they are locked out of the system.
This feature can be enabled per user or per role, in which case every user belonging to that role will be subject to failed login attempt lockout.
To enable the lockout policy:
PASSWORD_ for the user or role.
FAILED_ is the number of failed attempts before the account is locked, for example:
PASSWORD_ is the number of seconds a locked out account must wait before reattempting to log in.
You must set both
PASSWORD_ to enable the feature.
Enable the lockout feature at 4 failed attempts, with a lockout time of 4 hours (14400 seconds) when creating a user:
CREATE USER user1 WITH FAILED_LOGIN_ATTEMPTS = 4 PASSWORD_LOCK_TIME = 14400;
Enabling the feature for a role:
CREATE ROLE general WITH FAILED_LOGIN_ATTEMPTS = 4 PASSWORD_LOCK_TIME = 14400;
If a user is associated with more than one role with different password lock times, the larger
PASSWORD_ value is applied.
If a user and a role the user is tied to have conflicting
FAILED_ settings, the lower value is applied.
PASSWORD_ value is updated for a role or user, the new setting applies to currently locked accounts.
PASSWORD_ is then set to 4 hours, the new limit is enforced and the account will be unlocked 4 hours after it was locked.
FAILED_ setting for a locked out user is updated to be higher than the current setting, the user is unlocked.
To unlock a locked account:
ALTER USER command and specify
ALTER USER user ACCOUNT UNLOCK;
If sync permissions is not enabled,
ACCOUNT UNLOCK should be issued on the aggregator where the user is to be unlocked.
sync_ is enabled,
ACCOUNT UNLOCK should be issued on the Master Aggregator since all user modifications will have to come from the Master.
Last modified: April 3, 2023