Developer\DBA access to production DBs

  • Our company has 2 project development teams. For the past several years each team has written front-ends in PowerBuilder and developed the corresponding back-ends (including stored procedures) on SQL (6.5/7). The developers know the “sa’ passwords for both development and production servers. They “have to” because if a production emergency arises they are the ones most knowledgeable about how to fix it.

    Here’s the problem: the boss is now telling us that from a security perspective this approach is no longer acceptable. Developers should not have “sa”, or any access to production databases, especially those related to checks!

    I’m a new DBA. I hardly know our databases. The database documentation IS the database. If I changed the “sa” password, and a production emergency arose, I don’t know that I could fix it in a timely manner (our developers probably could). Furthermore, the developers are concerned that if 1 person (say the DBA) is the only one with “sa” access to the production boxes then what happens while the DBA is on vacation? We don’t have 2 DBAs.

    How would you address this situation?

    Bill Salkin

  • Bill,

    Your boss is right and what a perfect opportunity to get control of what is going on in the databases. Normally you as the DBA have to force this issues causing emnity between you and the developers. This time you can actually place the blame on the boss. Just kidding.

    Seriously though, you mentioned that you don't know the databases, well what a great opportunity to find out what is going on as you review their work and promote the developers work from test to production.

    As for the worry about you being the only DBA, place the sa password on a piece of paper, put it in an envelope, seal it and give it to someone who will be there in the event that you are off. Then, if the development team has to back you up, they can have the sa password when the time is right. Obviously if they do have to use it, then you can change it when you get back.

    Hope this helps.

    David

    David

    @SQLTentmaker

    “He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

  • First of all, the sa password is your only weapon for keeping your job.Allowing developers have the sa password is a risky business and would expose you to alot of security loopholes.

    You can have your sa password written down in an envelope and given to your manager. You don't need to have a second DBA to maintain a password.

    My take in the matter is that you should be the DBA period.

    BTW what type of production emergency are you referring to? As a DBA, you should be able to troublshoot problems in the server. This is why you would not want to mess around with the sa password. To succeed as a DBA, you must begin to understand your server.

    Do the following:

    -Check and document the server settings.

    -Have a list of to do on a daily, weekly and monthly basis.

    -Check all the logins and determine those that belong to system admins fixed server roles.

    -The developers must have been doing some check and balance game by creating some accounts that have the sys admin privileges just in case.

    - You also need to do alot of work by justifying why you are a DBA. That is your source of income and you must spend hours and hours in studying and doing research.

    Sonnie

  • Also take issue with the idea that the only way they can fix things is with the SA password. There are alternatives. One is to give a "senior" developer SA access via NT login/membership in SysAdmins - that way you don't have to deal with the password being passed around. Another is to give a senior developer or team lead dbowner access, not sysadmin.

    Especially in a small company, things tend to be more informal than in larger companies. Thats not all bad. You don't want to be the roadblock or get into a situation where you cant take a vacation uninterrupted.

    Stop using an SA password period. Set it, secure it somewhere, access the server using it RARELY!

    I'll be honest I dont understand why developers have such a hard time with the concept. Ask them if they had YOUR job, would they be comfortable giving every one the same level of access they are asking for? Or ask if you can have admin rights to their source control system!

    Andy

  • Andy has a good point. If your developers have such a hard time with relinquishing "the power and control" of the sa login, bring the concept home to them by asking them if you have access to the source code they are working on. Chances are the answer is "no", so now you have an analogy to draw for them. And if the answer is "yes", I would recommend requesting that you have that authority revoked unless you absolutely need it. Far too often, security policies are too loose, and that can open the door to unneeded anxiety and paranioa.

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply