"Hey, Kellyn answered on two threads today!" :)
Having worked on both sides of the house, as a SQL DBA and an Oracle DBA,
the one thing I learned was that server admins on the Linux/Unix side
rarely thought they were DBAs. Windows admins very often thought they
could do a SQL Server DBAs job because they could run the install...:) The
best administrators, no matter server, database or application, have some
control issues. They need to for security reasons to ensure the
environment they are responsible for is taken care of. These control
issues can get a bit out of control and that's what you're experiencing
here.
Jump box designs leads to DBAs working through critical issues on a host
that is not as familiar to them as their own workstation and tools. It
leads to human error and in my experience, leads to more critical outages
and longer outages. Having the right balance of security and letting
people be the best they can at their job is not something we in IT prevail
at very often. Egos and control issues just get in the way.
The best way to address this is to have an open conversation, not about
what they aren't letting you do, but to have management in the room, and
maybe even the business and discuss the risks around not having access to
the server- lacking ability to respond immediately to issues, missing
tools that provide more insight and how Oracle support is best when the DBA
is able to manage their database over a Windows admin. How many Windows
server admins would have no problem deleting a very large log from a
server- like one called redo02.log, etc? We don't expect them to be DBAs,
but they need to respect that our role is needed for a reason.
*Kellyn Pot'Vin-Gorman*
DBAKevlar Blog <http://dbakevlar.com>
President Denver SQL Server User Group <http://denversql.org/>
about.me/dbakevlar
On Thu, Apr 11, 2019 at 8:07 AM Scott Canaan <srcdco@xxxxxxx> wrote:
This is not so much of a technical question, but more of a procedural
question.
Here’s the back story. Yesterday, we were told by the Windows Sys Admins
that they’ve decided that we (DBAs) are no longer allowed to access
databases running on Windows servers directly from our PCs. We now have to
remote into another server, called dbatools, and only from there can we
directly access databases. They’ve loaded our tools (TOAD, PL/SQL
Developer, SQL Server Management Studio, etc.) on that server and are in
the process of removing our IP addresses from the firewalls on the Windows
servers, forcing us to use this one server for all of our access.
When I asked why, the only answer I got was “security”. What I read into
that is “We don’t trust you”. This is being done without any input from us
or any discussion, it’s just happening.
The question: Has anyone else run into this kind of setup? Is this a
common configuration?
Thank you,
*Scott Canaan ‘88*
*Sr Database Administrator *Information & Technology Services
Finance & Administration
*Rochester Institute of Technology *o: (585) 475-7886 | f: (585) 475-7520
*srcdco@xxxxxxx <srcdco@xxxxxxx>* | c: (585) 339-8659
*CONFIDENTIALITY NOTE*: The information transmitted, including
attachments, is intended only for the person(s) or entity to which it is
addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon this information by persons or entities other than
the intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.
