Windows administrator privileges on your own workstation-new management policy

  • Because I'm in a small company I am doing .NET and SQL development as well as database administration. It took me over six months to get the privileges I need to do my job as a DBA on our two servers but today I found out that the new company policy is to remove administrative privileges on our own workstations. Yet they let me have it on the server. My manager (as well as all the leaders) is non-technical. When I noticed right away that I am unable to do things I could do yesterday on my old box he said everyone (business and IT) lost privileges because he asked the Windows system admin to lock everything down. I got a new laptop and about all I can do is fire up the MS Office suite. I couldn't even add the network printer or map a drive. The system administrator thinks a DBA is the same as a developer and it seems that she thinks developers are rather "low on technical knowledge" possibly because she doesn't code.

    I asked my boss about this. He said everyone (mostly business users) lost privileges. He asked me to document everything I couldn't do and then he and the leadership would look it over with the system admin. I said I could note what I've noticed so far but it's going to be a long list and that I wouldn't know everything I couldn't do for some time. I don't have Visual Studio or SSMS on the new laptop yet so I cannot see what all I won't be able to do now. Anywhere else I've worked the DBA had workstation administrative access, perhaps via a separate account that I would log into when I needed. I cannot install updates to Visual Studio and the UAC nag screen comes up asking me to log in for almost anything I try to do. Then most of the time it doesn't allow me to do it.

    Could you all help me list some of the reasons I should list for admin access on my workstation? If I use any technical details to explain to management their eyes glaze over and I get the vibe that they think that I am speaking with "forked tongue".

    Thanks if you've read all this. I have googled and found lots of discussion of how challenging the lack of these privileges is to a developer but the reasons might be lost on my management.

  • Oh, the joys of company politics!

    I certainly would not like to have a work computer where I don't have admin rights. But the only advice I can give is that you keep notes when the lack of admin rights makes your work take longer - either because you have to use some slower workaround, or because you have to wait for the system administrator to make installations or whatever you need on your machine. I also recommend that you make an honest attempt to work without admin rights before you complain too much.

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se

  • Like you we do DBA, .NET and SQL development and working for the government we have to jump through these hoops too and our server guys keep taking privileges away.

    We've just moved to Windows 7 virtual pc and gone through the what software do we need and what permissions are needed business again.

    We found we need admin permissions on our local PC for Visual Studio to work properly as it needs to read and write the C drive and registry. All our user data is held on network shares and we can write to those OK but VS also needs C drive and registry modify rights. Otherwise we just can't work.

    We have separate admin accounts for logging on to servers and these don't have internet, email etc. Only by logging on to a server (use Remote Desktop Connection Manager - it's so easy) can I find out who is in a Windows group or what groups exist! The admin account is in the administrators group on each sql server to enable us to DBA manage the server.

    We don't install the updates ourselves - server team or local desktop team do that when we raise a helpdesk call. The more calls you raise for others to do things, the more likely they will get fed up and give you the permissions and the task.

    Also telling managers you can't complete their urgent task because you are waiting for someone else to do a bit as you don't have permission to do it, will often get your permissions increased! It can be a pain at first but it all settles down after a while.

  • I can understand the compartmentalisation of access rights in a large company, however in a small company surely there's just not the manpower?!

    My cousin worked on a secure project recently. One of the security recommendations was that no-one, including DBA's, could use SSMS.

  • Gazareth,

    What did you think of the policy that not even DBAs could use SSMS? Did your cousin suggest the DBAs use scripts and the command line?

  • I found this excellent link that answers part of my original question. At least the part specifying why a .NET developer would need admin rights sometimes.

    It's going to be really rough persuading them though because when I explain about what should be done on the workstation versus the server I am met with huge resistance. They wanted me to develop using Visual Studio on the server. I explained that this actually increases the attack surface area, slows down development, etc. versus developing locally and deploying to test and then prod servers. Our sys admin doesn't understand that there is a builtin web server in Visual Studio and that's why I have it on my workstation. Her mind is closed on this one.

    I just thought I'd share the link in case anyone else needs it.

  • pharmkittie (7/1/2014)


    They wanted me to develop using Visual Studio on the server.

    Now, that is completely crazy! Many Windows admins would say flat no to having a Visual Studio on a production server. And, yes, they should.

    What is a reasonable option, is that you would have a virtual machine on your laptop which is not joined to the domain and only can interact with your workstation networkwise (this is controlled on the host computer). You would be admin on the VM and this is where you would have Visual Studio.

    Or maybe it's time for a new job?

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se

  • Erland Sommarskog (7/1/2014)


    pharmkittie (7/1/2014)


    They wanted me to develop using Visual Studio on the server.

    Now, that is completely crazy! Many Windows admins would say flat no to having a Visual Studio on a production server. And, yes, they should.

    What is a reasonable option, is that you would have a virtual machine on your laptop which is not joined to the domain and only can interact with your workstation networkwise (this is controlled on the host computer). You would be admin on the VM and this is where you would have Visual Studio.

    If I had this setup could I deploy to a server in the domain once I was ready to do QA or publish to production? Thanks.

    Or maybe it's time for a new job?

    <---this. Oh this has been PAINFUL for the last eight months. EVERYTHING is a major fight. It's like preparing the defense in a murder trial every other day.

  • pharmkittie (7/1/2014)


    If I had this setup could I deploy to a server in the domain once I was ready to do QA or publish to production? Thanks.

    I assume here that you mean web server? That's not really my realm, but yes, I think that would be possible.

    Virtual machines are very powerful tools - just make sure that your laptop has plenty of memory!

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se

  • Erland Sommarskog (7/1/2014)


    pharmkittie (7/1/2014)


    If I had this setup could I deploy to a server in the domain once I was ready to do QA or publish to production? Thanks.

    I assume here that you mean web server? That's not really my realm, but yes, I think that would be possible.

    Virtual machines are very powerful tools - just make sure that your laptop has plenty of memory!

    Thanks! Yes, I did mean to the web server.

  • pharmkittie (7/1/2014)


    Gazareth,

    What did you think of the policy that not even DBAs could use SSMS? Did your cousin suggest the DBAs use scripts and the command line?

    It got shouted down in the end - similar to your VS issue above it was suggested that SSMS could be used directly on the server.

    Of course, another security lockdown item was that DBA's didn't have access to the servers... :blink:

  • Gazareth (7/2/2014)


    It got shouted down in the end - similar to your VS issue above it was suggested that SSMS could be used directly on the server.

    Of course, another security lockdown item was that DBA's didn't have access to the servers... :blink:

    So, how is the job search? 😀

  • djj (7/2/2014)


    Gazareth (7/2/2014)


    It got shouted down in the end - similar to your VS issue above it was suggested that SSMS could be used directly on the server.

    Of course, another security lockdown item was that DBA's didn't have access to the servers... :blink:

    So, how is the job search? 😀

    Are you kidding? A job in which it's stated company policy that you're not allowed to do anything? Cushy! 😀

  • I'm afraid it usually doesn't work out that way my friend. In my case, the fact that the leaders are very non-technical* translates to expecting a .NET/SQL Server based enterprise system being developed in a week or two without interviewing stakeholders and users more than once to gather requirements (and some not at all) and the main user being totally resistant to having an automated system at all. So I have to win her over somehow but she has the personality of a wolverine on double espresso.

    So, in other words, more difficult scenarios with less time and all these permissions and privileges roadblocks.

    *what is very non-technical versus just non-technical? Not being able to learn basic facts despite hearing them half a dozen times, not being able to install Microsoft Office on their home computer (have to call "geek squad"). My boss thinks he's become "quasi-technical" (his description) though. He goes to IT strategic direction meetings as the only IT person. He told our team that he can "speak IT". One of his friends who he hired into our group has a great sense of humor so he said, "Uh, pigeon". No one else got it because I don't think they knew that many years ago pigeon English was what it was called if someone from another country knew a bit of English when they came over to the U.S. My boss didn't get it so he wasn't insulted. This is my first "pointy-haired" boss (Dilbert).

  • That's a funny story, but just to point out, the term is 'pidgin' English, not 'pigeon'!

    Regards

    Lempster
