Password expiration

You can specify the number of days that a database user account password is valid as a system-wide setting. You can also specify the password expiration rate on a per-user and per-group basis, and you can expire an account password immediately.

To set a system-wide control for expiring database user account passwords, use the SET SYSTEM DEFAULT SQL command:
SYSTEM.ADMIN(ADMIN)=> SET SYSTEM DEFAULT PASSWORDEXPIRY TO days;
SET VARIABLE

The days value specifies the number of days that the password is valid, counted from the date when the password was last changed. If you do not want passwords to expire, specify a value of 0. The default system setting is 0.

You can specify the account password expiration by using the PASSWORDEXPIRY option of the [CREATE|ALTER] USER and [CREATE|ALTER] GROUP SQL commands. Some example commands follow.

  • To create a group that has a password expiration rate of 45 days:
    MYDB.SCH1(USER)=> CREATE GROUP staff WITH PASSWORDEXPIRY 45;
  • To change the expiration setting for the user sales_user to 30 days:
    MYDB.SCH1(USER)=> ALTER USER sales_user WITH PASSWORDEXPIRY 30;

When a database user account password expires, the user has limited access to the system. The user can connect to the Netezza Performance Server database, but the only query that the user is allowed to run is the following ALTER USER command, where newPassword represents the new account password:
SYSTEM.ADMIN(myuser)=> ALTER USER myuseracct WITH PASSWORD 'newPassword';
ALTER USER

The admin user, the owner of the user, or a user who has Alter privilege for the user can immediately expire the user account password by using the following command:
SYSTEM.ADMIN(ADMIN)=> ALTER USER myuseracct EXPIRE PASSWORD;
ALTER USER

If the user is connected to a database, the expiration does not affect the current session. The next time that the user connects to a database, the user has a restricted-access session and must change the password by using the ALTER USER command.