ALTER USER
Use the ALTER USER command to change user settings.
Synopsis
Syntax for altering a user:
ALTER USER <user-name> [WITH] [<alter_user_clause>]...
<alter_user_clause> ::=
PASSWORD { <password> | NULL }
| IN GROUP { <group-name> },...
| VALID UNTIL <valid-date>
| ROWSETLIMIT <limit>
| SESSIONTIMEOUT <limit>
| QUERYTIMEOUT <limit>
| DEFPRIORITY <priority_type>
| MAXPRIORITY <priority_type>
| SYSID <id-number>
| IN RESOURCEGROUP <group-name>
| SECURITY LABEL <label-string>
| AUDIT CATEGORY { NONE | { <category> },... }
| RESET ACCOUNT
| OWNER TO <user-name>
| RENAME TO <group-name>
| COLLECT HISTORY { ON | OFF | DEFAULT }
| CONCURRENT SESSIONS <limit>
| ALLOW CROSS JOIN [TRUE|FALSE|NULL]
| ACCESS TIME { ALL | DEFAULT | ( <access-time>,... )
<access-time> ::= DAY { ALL | <day>, ... } [ <time-bound> ]
<time-bound> ::= START <time-literal> END <time-literal> ]
| AUTH [LOCAL|DEFAULT]
| EXPIRE PASSWORD
Inputs
The ALTER USER command has the following
additional inputs:
Input | Description |
---|---|
SECURITY LABEL <label> | Specifies the security label of the user. If a SECURITY LABEL is not specified, the default label ‘PUBLIC::’ is assigned. The label is surrounded by parentheses so that identifiers in the label do not conflict with keywords of the other user clauses. |
AUDIT CATEGORY <category> | Specifies the audit categories of the user. One or more audit categories can be specified. The categories are added to the security label during audit logging. |
COLLECT HISTORY [ ON | OFF | DEFAULT ] | Determines whether this session of the user collects history. ON indicates that history is collected for this user when connected to a database that also has COLLECT HISTORY ON. OFF indicates that history is not collected for this user. DEFAULT means to examine groups this user is a member of to determine whether to collect history. If any group has COLLECT HISTORY ON, then history is collected when connected to a database that also has COLLECT HISTORY ON. If no group has COLLECT HISTORY ON, but a group has COLLECT HISTORY OFF, then no history is collected. If all groups have DEFAULT history collection, the history is collected. DEFAULT is the default for a user, if the COLLECT HISTORY clause is not specified. |
CONCURRENT SESSIONS <limit> | Sets the maximum number of concurrent sessions this user can have. A value of 0 means no limit to the number of concurrent sessions, unless a limit is imposed by a group of which this user is a member. In that case, the minimum limit of concurrent sessions across all such groups is used. |
ALLOW CROSS JOIN [TRUE | FALSE | NULL] | Sets user or group permission to allow explicit cross joins.
If NULL is defined for a user, the system checks against the group
permission, and takes the lowest non-null value, where FALSE is lower
than TRUE. This setting involves a system-wide change, so notify all affected users before making this change. |
ACCESS TIME ALL | Indicates that this user can start sessions on the system at any time on any day. |
ACCESS TIME DEFAULT | Indicates that access time restrictions are taken from the groups this user is a member of. If no groups have access time restrictions, then the user can start sessions at any time on any day. The access time restriction is evaluated for every group that has one. If any group restricts access, the user cannot create a session. That is, the most restrictive access policy is applied. |
access-time | Specifies one access time subclause; several can be specified. An access time subclause defines one or more days by the standard SQL day number (1 = Sunday, 7 = Saturday). The keyword ALL can be use to specify all days of the week; it is equivalent to 1,2,3,4,5,6,7. An access time subclause optionally contains one time bound. If no time bound is specified, then the user can create a session at any time on the specified day. |
time-bound | Specifies a time range from a start time to an end time. The times can be specified as any valid SQL time literal. It is possible to repeat the same day specification multiple times with different time bounds. |
AUTH [LOCAL | DEFAULT] | Sets the overriding authentication for the user to LOCAL (checks the password against the local database/catalog), regardless of the connection setting. To revert this setting to the default setting, use AUTH DEFAULT. |
EXPIRE PASSWORD | If this value is set while the user is logged in, it does not affect the current session, but requires the user to change their password the next time they log in. |
Outputs
The ALTER USER command has the following
output:
Output | Description |
---|---|
ERROR: permission denied. | You must have Manage Security privilege to set the security group of a user. |
ERROR: invalid security label. | The security label is either incorrectly formatted or refers to a security level, cohort, or category that does not exist. |
ERROR: object <category-name> not found. | The specified audit category must exist to associate it with the user. |
Description
The ALTER USER command has the
following characteristics:
- Privileges required
- You must have Manage Security privilege to alter the security group of a user.
- Common tasks
- Use the ALTER USER command to change user settings.
Usage
The following provides sample usage:
ALTER USER BOB CONCURRENT SESIONS 3;