Re: NT Named Pipes

 Why not go back to TCP but control security through roles....

1. Even if you can "see" (ping?) another instance they could only connect if they were included as a user in that instance's password file.
2. Even if included as a user in that instance you can prevent them doing anything by only activating a default role that has very limited permissions then in your applications use "SET ROLE" to switch on the "real" role with the required permissions...
3. Can even look at using OS_ROLES/REMOTE_OS_ROLES and control access through a local user group...

Although we only operate a (multi site) single domain ourselves I think that there is enough to enforce domain security, though Oracle really could do with improving the security integration with NT, firstly by documenting it clearly and then making it work as it really should (probably needs a change in philosphy at a corperate level <g>)

Rob

eek wrote in article <879972951.7557.0.nnrp-07.9e9892a8_at_news.demon.co.uk>...

>Our organisation has a security policy based on NT domains. We
>have found that SQL*Net configured to use TCP/IP allows users to see
>databases on machines outside their domains and in contravention of any
>trust relationships. We switched the configuration to use Named Pipes and
>security was restored, but at a cost. The network performance over a WAN
>slowed by a factor of two and we found that Enterprise Manager was not
>supported using Named Pipes. Is there a product, NT add-on which will
 allow
>use to use SQL*Net configured with TCP/IP and which will support NT domain
>security? Is there a product like Enterprise Manager which can run over
>SQL*Net using Named Pipes( CA-Unicentre, BMC Patrol, Ecosystems)? Any
>feedback on the memtion products greatly appreciated.
>
>
>
Received on Sat Nov 22 1997 - 00:00:00 CST