For account management, perform the actions below.
To prevent unauthorized use of accounts, such as spoofing, implement the measures below when creating an account:
Select the required account
Specify the user privileges
Create database administrator accounts and general user accounts separately according to the privileges
Point
Accounts are created using the CREATE ROLE statement. Refer to "CREATE ROLE" in the PostgreSQL Documentation for details.
Remove accounts not used on a daily basis, such as unused accounts and accounts not needed for operations that are created by default during product installation.
Point
Accounts are deleted using the DROP ROLE statement. Refer to "DROP ROLE" in the PostgreSQL Documentation for details.
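The following SQL is an added example of the steps above and is not taken from this guide or from the PostgreSQL Documentation. It creates a database administrator account and a general user account with separate privileges, routes table access through a group role, and then removes an account that was left over from installation. The role names, the database name appdb and the password placeholders are assumptions made for illustration.

```sql
-- Added example (not from the guide); role names, the database name and the
-- password values are placeholders chosen for illustration.

-- Database administrator account: may create roles and databases, but is
-- deliberately not a superuser, so its privilege scope stays explicit.
CREATE ROLE dba_alice LOGIN CREATEROLE CREATEDB
       PASSWORD 'replace-with-strong-password';

-- General user account: login only, no role- or database-creation privilege.
CREATE ROLE app_user_bob LOGIN
       PASSWORD 'replace-with-strong-password';

-- Group role for application access. Privileges are granted to the group and
-- reach users through membership, so adding or removing a user is one statement.
CREATE ROLE app_readers NOLOGIN;
GRANT CONNECT ON DATABASE appdb TO app_readers;
GRANT USAGE ON SCHEMA public TO app_readers;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readers;
GRANT app_readers TO app_user_bob;

-- Confirm the attributes of the accounts just created: only dba_alice should
-- show rolcreaterole/rolcreatedb, and none of them should be a superuser.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin
  FROM pg_roles
 WHERE rolname IN ('dba_alice', 'app_user_bob', 'app_readers')
 ORDER BY rolname;

-- An account assumed to be left over from installation that operations do not
-- need (created here only so the removal below can run stand-alone).
CREATE ROLE tmp_migration LOGIN PASSWORD 'replace-with-strong-password';

-- Removal. DROP ROLE fails with a dependency error while the role still owns
-- objects or holds privileges, so reassign and drop those first, in every
-- database where the role has objects.
REASSIGN OWNED BY tmp_migration TO dba_alice;
DROP OWNED BY tmp_migration;
DROP ROLE tmp_migration;
```

Passwords given inline in CREATE ROLE can end up in the server log when statement logging is enabled; setting them interactively with the psql \password command avoids that.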
Check the usage frequency of accounts periodically, and lock any account that has not been used for a long period. Set a limit for failed login attempts, and lock the account if this limit is exceeded. Additionally, set the period after which a locked account is re-enabled.
Point
Account locking can be performed by using LDAP authentication. Refer to "LDAP Authentication" in the PostgreSQL Documentation for details.
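As an added example (not code from this guide or from PostgreSQL), the SQL below shows the part of the periodic review that can be done inside PostgreSQL itself: listing login-capable accounts with their expiry dates, locking an inactive account with ALTER ROLE ... NOLOGIN, re-enabling it later, and giving a temporary account (as described for temporary users further below) an expiry with VALID UNTIL. PostgreSQL does not keep a last-login time or a failed-attempt counter in its catalogs, so usage is taken from the connection log (log_connections = on) and the failed-login limit is enforced by the LDAP directory, as the Point above states. The role names, the expiry date and the password placeholders are assumptions.

```sql
-- Added example (not from the guide); role names, dates and password values
-- are placeholders chosen for illustration.

-- Account assumed to exist for the review (created here so the block runs
-- stand-alone).
CREATE ROLE report_user LOGIN PASSWORD 'replace-with-strong-password';

-- Periodic review: every account that can open a session, with its expiry
-- and whether it is a superuser. Compare this list against the connection
-- log to find accounts with no recent logins.
SELECT rolname, rolvaliduntil, rolsuper
  FROM pg_roles
 WHERE rolcanlogin
 ORDER BY rolname;

-- Lock an account that has not been used for a long period. The role and its
-- object ownership are kept; only new sessions are refused.
ALTER ROLE report_user NOLOGIN;

-- NOLOGIN does not affect sessions that are already open, so end those too.
SELECT pg_terminate_backend(pid)
  FROM pg_stat_activity
 WHERE usename = 'report_user';

-- Re-enable the account after the lock period, with a fresh password.
ALTER ROLE report_user LOGIN PASSWORD 'replace-with-new-password';

-- Temporary account: the password stops being accepted at the stated time, so
-- the account is disabled even if nobody remembers to lock it afterwards.
CREATE ROLE tmp_auditor LOGIN PASSWORD 'replace-with-temporary-password'
       VALID UNTIL '2030-01-01 00:00:00+00';
```

VALID UNTIL only controls password authentication; a role that is no longer needed should still be removed with DROP ROLE rather than left expired.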
Manage database administrator accounts in accordance with the account management policy formulated by the manager.
To prevent unauthorized use of accounts used in a development environment, delete accounts used in the development environment before operation starts in the production environment. In cases where it is unavoidable to use an account used in the development environment in the production environment, use different passwords in each environment.
If a temporary user will use the system, either provide a shared account with a temporary password for each use, or create a temporary account.