Re: How do you feel about allowing non-DBA's on your database servers?

• From: Joey D'Antoni <jdanton1@xxxxxxxxx>
• To: david.barbour1@xxxxxxxxx, robertgfreeman@xxxxxxxxx
• Date: Mon, 27 Jul 2009 09:16:16 -0700 (PDT)

I've been in situations where the app group had an extremely limited access on 
the box, in this case they had an operational account that ran scripts and 
moved flat files from app to database server, where the flat files were loaded 
into Oracle as external tables.

As far as Oracle level access, it just shouldn't happen.




________________________________
From: David Barbour <david.barbour1@xxxxxxxxx>
To: robertgfreeman@xxxxxxxxx
Cc: Oracle L <oracle-l@xxxxxxxxxxxxx>
Sent: Monday, July 27, 2009 12:13:39 PM
Subject: Re: How do you feel about allowing non-DBA's on your database servers?

This topic/debate is one of the oldest repeating threads I can remember.  
Everybody thinks they absolutely cannot do their job without access to 
production servers, whether it be through administrative control of the 
application or, as you're facing here, access to the server at the operating 
system level.

No.

Developers are paid to develop.  They try new things and break stuff.  It's 
their job.  That's why we have development boxes.  They can do whatever they 
want on those servers.  If they break it, it gets restored.  That's where they 
create stuff and do unit testing before it gets sent to ......

A QA server where integration and probably user acceptance testing occurs.  If 
developers are part of the QA environment in the organization, they may require 
some user permissions, but they don't fix anything in QA.  If it doesn't work, 
they fix it in development and put it back into QA for testing.  When it passes 
muster, then it gets put into production.  Developers need little or no access 
to production.  If there's a problem, they should be able to replicate it on 
QA.  If they can't, that's where the DAB and Sys Admin get ninvolved to see if 
there's something different with the data or OS.

Support personnel might have limited access to production for some tasks 
(re-setting printers comes to mind), but that is carefully controlled by the 
Sys Admin(s).  Support personnel have no business looking at the data or the 
database.  Usually, most of the problems support people encountered can and 
should be fixed at the application level.  

If folks are worried about monitoring, there are a variety of user-friendly 
(pretty picture) products out there that can provide system-level monitoring to 
interested personnel with them having access to the production server.  Some 
are free, some cost money.  

Bottom line is that the decision rests with management.  There are SOX 
implications if you are dealing with a public company.  There are business 
issues regardless.  Production is called that for a reason.  We process $1M 
/hour in orders through our systems..  Believe me, nobody from the development 
side of the house has any access, system or application, to any of the 
servers.  For certain issues, support people have 'firefighter' access to the 
application, but they have to request it, it's approved by a manager, and their 
actions are logged.  For other issues where advice from the development teams 
is need or wanted, an application administrator, DBA or Sys Admin sits with 
them while they have access.  

There's a reason production is called production.  It's generally the lifeblood 
of the firm.  It needs to be as secure as possible.  


On Mon, Jul 27, 2009 at 11:31 AM, Robert Freeman <robertgfreeman@xxxxxxxxx> 
wrote:

So, I've got a client that is being pressured by development and support types 
to allow access to their database servers. They claim that it's so they can use 
tools like ps, sar, topas, etc.... to monitor performance and deal with support 
issues.
>
>My position is that this is a huge risk and that I would want an very limited 
>population of users (read DBA's and SYSADMIN's only) to have access to these 
>servers.
>
>Anyone have an opinion on this?
>
>RF
>
>
>Robert G. Freeman
>Oracle ACE
>Author:
>Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON IT'S WAY SOON!
>OCP: Oracle Database 11g Administrator Certified Professional Study Guide 
>(Sybex)
>Oracle Database 11g New Features (Oracle Press)
>Portable DBA: Oracle (Oracle Press)
>Oracle Database 10g New Features (Oracle Press)
>Oracle9i RMAN Backup and Recovery (Oracle Press)
>Oracle9i New Features (Oracle Press)
>Other various titles out of print now...
>Blog: http://robertgfreeman.blogspot.com 
>The LDS Church is looking for DBA's. You do have to be a Church member in
>good standing. A lot of kind people write me, concerned I may be breaking
>the law by saying you have to be a Church member. It's legal I promise! :-)
>http://pages.sssnet.com/messndal/church/parachurch.pdf 
>
>
>
>



      

• References:
  • Downgrading to Standard Edition
    • From: Schauss, R. Peter (IT Solutions)
  • Re: Downgrading to Standard Edition
    • From: Mathias Magnusson
  • How do you feel about allowing non-DBA's on your database servers?
    • From: Robert Freeman
  • Re: How do you feel about allowing non-DBA's on your database servers?
    • From: David Barbour

Other related posts:

• » How do you feel about allowing non-DBA's on your database servers?- Robert Freeman
• » RE: How do you feel about allowing non-DBA's on your database servers?- SHEEHAN, JEREMY
• » Re: How do you feel about allowing non-DBA's on your database servers?- Andrew Kerber
• » Re: How do you feel about allowing non-DBA's on your database servers?- Janine Sisk
• » RE: How do you feel about allowing non-DBA's on your database servers?- Zelli, Brian
• » RE: How do you feel about allowing non-DBA's on your database servers?- Clarke, Andrew
• » Re: How do you feel about allowing non-DBA's on your database servers?- David Barbour
• » Re: How do you feel about allowing non-DBA's on your database servers? - Joey D'Antoni
• » RE: How do you feel about allowing non-DBA's on your database servers?- Roberts, David (GSD - UK)
• » RE: How do you feel about allowing non-DBA's on your database servers?- Michael . Coll-Barth
• » Re: How do you feel about allowing non-DBA's on your database servers?- Michael Moore
• » RE: How do you feel about allowing non-DBA's on your database servers?- Joel.Patterson
• » Re: How do you feel about allowing non-DBA's on your database servers?- Rich Jesse
• » Re: How do you feel about allowing non-DBA's on your database servers?- Martin Berger
• » Re: How do you feel about allowing non-DBA's on your database servers?- dave
• » Re: How do you feel about allowing non-DBA's on your database servers?- Michael Moore
• » Re: How do you feel about allowing non-DBA's on your database servers?- Jonathan Intner
• » Re: How do you feel about allowing non-DBA's on your database servers?- Subodh Deshpande
• » Re: How do you feel about allowing non-DBA's on your database servers?- Nuno Souto
• » RE: How do you feel about allowing non-DBA's on your database servers?- Johnson, George
• » RE: How do you feel about allowing non-DBA's on your database servers?- Michael . Coll-Barth
• » Re: How do you feel about allowing non-DBA's on your database servers?- Subodh Deshpande
• » Re: How do you feel about allowing non-DBA's on your database servers?- Jared Still
• » Re: How do you feel about allowing non-DBA's on your database servers?- Rich Jesse
• » Re: How do you feel about allowing non-DBA's on your database servers?- Jared Still
• » Re: How do you feel about allowing non-DBA's on your database servers?- Niall Litchfield
• » Re: How do you feel about allowing non-DBA's on your database servers?- Tony van Lingen
• » Re: How do you feel about allowing non-DBA's on your database servers?- Jonathan Intner

1. Home
2. oracle-l
3. Archive
4. 07-2009

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---