Re: How do you feel about allowing non-DBA's on your database servers?

  • From: dave <david.best@xxxxxxxxx>
  • To: michaeljmoore@xxxxxxxxx, Oracle L <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jul 2009 16:18:55 -0400

I work with EBS and I have rarely seen a problem in prod that wasn't
reproducible in test or dev.  For those problems most were
reproducible in test/dev once we figured out the root cause.

For data related issues I refresh an environment nightly which devs
have full access to.  Sometimes it's difficult to get a user to
reproduce a prob, especially over the phone.  Devs can request a
refresh or wait until the next day and login as the user to work on
the issue.  They can also test other prod issues there instead of dev
since the data isn't as stale.

Our devs have full control of their dev environment and read access to
both test and prod.   In small shops where there are no 'superusers'
they may also have limited application accounts.

This setup has worked pretty well for us.  With respect to SOX it is
not entirely related to access.  Locking down an environment won't get
you a pass on a SOX audit.  In my experience it's just as much about
process and actions being auditable.   It's ok to grant temp access to
prod for developers or admin staff if the proper approvals have been
obtained.

On 7/27/09, Michael Moore <michaeljmoore@xxxxxxxxx> wrote:
> If you can provide a TEST system that is identical to your PROD system, then
> sure, keep the developers off. HOWEVER, I have never, in my 30 years as a
> developer seen a TEST system that was identical to the PROD system. If you
> don't allow developers on the PROD system, how are they going to
> trouble-shoot problems which surface in the PROD system but not the TEST
> system?
>
> The question is not if you should grant developers access to prod, it is HOW
> you should grant access. Access should be granted only on an "as needed"
> basis.
>
> Remember, the safest, most secure system is one that you unplug from the
> wall. Very safe, NOT very effective at accomplishing the goals of the
> company.
>
> Mike
>
>
> On Mon, Jul 27, 2009 at 8:31 AM, Robert Freeman
> <robertgfreeman@xxxxxxxxx> wrote:
>
>> So, I've got a client that is being pressured by development and support
>> types to allow access to their database servers. They claim that it's so
>> they can use tools like ps, sar, topas, etc.... to monitor performance and
>> deal with support issues.
>>
>> My position is that this is a huge risk and that I would want a very
>> limited population of users (read DBA's and SYSADMIN's only) to have
>> access to these servers.
>>
>> Anyone have an opinion on this?
>>
>> RF
>>
>>
>> Robert G. Freeman
>> Oracle ACE
>> Author:
>> Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY
>> SOON!
>> OCP: Oracle Database 11g Administrator Certified Professional Study Guide
>> (Sybex)
>> Oracle Database 11g New Features (Oracle Press)
>> Portable DBA: Oracle (Oracle Press)
>> Oracle Database 10g New Features (Oracle Press)
>> Oracle9i RMAN Backup and Recovery (Oracle Press)
>> Oracle9i New Features (Oracle Press)
>> Other various titles out of print now...
>> Blog: http://robertgfreeman.blogspot.com
>> The LDS Church is looking for DBA's. You do have to be a Church member in
>> good standing. A lot of kind people write me, concerned I may be breaking
>> the law by saying you have to be a Church member. It's legal I promise!
>> :-)
>> http://pages.sssnet.com/messndal/church/parachurch.pdf
>>
>>
>

-- 
Sent from my mobile device
--
//www.freelists.org/webpage/oracle-l

