June 30, 2015 at 2:24 pm
I work at a small company (about 20 people, 7 of whom are in the IT Dept). One of the 7 is the Director of IT, two others are SMEs for user training and use of the Disease Registry and the EMR. Two others are technical at the Microsoft Access (no coding) level with one being trained by me to do SSRS reporting.
Besides me, there is a technical person who is acting as Network and System administrator, among a lot of other things. This person is the only one who is allowed to know the domain administrator passwords, the server admin passwords (Windows Servers), and many other admin accounts.
I am the DBA. I have been system administrator and network administrator in certain prior roles. I have asked management if we could cross train so that we have backup (or a secondary person) for the network admin, system admin, DBA, etc.
My manager calls this redundancy. He thinks it's a good thing but a luxury. I also think using the word "redundancy" is not a good word to use to upper management if he tries to sell it that way.
I prefer calling the roles "primary" and "secondary" or "DBA" and "Backup DBA".
At a minimum I have advised that all the admin passwords should be stored in a safe, or my manager's locked cabinet. I can't even sell that idea. I said that the passwords should be tried by my manager periodically to make sure they're current. I've explained, when questioned, that regardless of how well trusted the one person is who has all the passwords, something could happen. I haven't worked anywhere that didn't at least have the passwords stored in a management safe in case of an emergency.
What do you think? Has anyone worked in a situation like this? Any advice?
June 30, 2015 at 2:42 pm
It really isn't a trust issue (but it could be). What happens if the only person with the keys to kingdom gets hit by the proverbial bus? Leaves without any notice? Goes on vacation?
June 30, 2015 at 3:31 pm
Well, when you say your sys admin is the only person allowed to have that information, is that actual company policy or just that no one has taken the time to learn what he does?
If it's not company policy to restrict that information there's nothing wrong with taking the time to learn without being explicitly told to, even if that means just knowing the basics in case something blows up.
June 30, 2015 at 4:16 pm
Actually it isn't related to someone not being willing to be a backup sys or network admin. I have pretty deep experience in both. The person who's doing it is on maternity leave now and was also on the same last year. She's fiercely protective of everything and does not let anyone else provide checks and balances. Management does whatever she wants.
I believe that she's "afraid" of someone having any access beyond the user level. When I came on board as a DBA, she would only give me access to a shared drive to store my "work" on. I said that a DBA cannot do their job with just that. It took 8 months to get access. The database servers remained idle until she finally granted access. These were new servers so we didn't have a user base for SQL Server yet. In the meantime I used my laptop as a "server" for proof of concept. I lost a lot of time. She's still grumbling about it and throwing nasty looks. But this is a whole other headache.
At this point I just wanted my boss to have those passwords stored somewhere. I don't need to access them but someone needs to in case of an emergency. I believe this is a pretty minimal standard but I was just checking to see if anyone else has a similar situation.
So, in summary, I'm wondering if someone has a persuasive argument or a reference that would appeal to business (not IT) people as to why it would be wise for one of them to have all the passwords in a safe and test that they're all up-to-date. Or another business-person-palatable solution. Thanks
Thanks.
July 1, 2015 at 7:59 am
If you don't have the capabilities to do disaster recovery, your company can go under. That's the number one argument for me. We have to be able to do disaster recovery.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
July 1, 2015 at 8:10 am
I believe that she's "afraid" of someone having any access beyond the user level. When I came on board as a DBA, she would only give me access to a shared drive to store my "work" on. I said that a DBA cannot do their job with just that. It took 8 months to get access. The database servers remained idle until she finally granted access. These were new servers so we didn't have a user base for SQL Server yet. In the meantime I used my laptop as a "server" for proof of concept. I lost a lot of time. She's still grumbling about it and throwing nasty looks. But this is a whole other headache.
That's really not a whole other headache, that headache is just another symptom of a larger problem. It sounds like she's relying on being the only go-to person for job security and management is okay with that.
July 1, 2015 at 8:22 am
Lynn Pettis (6/30/2015)
It really isn't a trust issue (but it could be). What happens if the only person with the keys to kingdom gets hit by the proverbial bus? Leaves without any notice? Goes on vacation?
I worked at one company where I too often heard managers say: "What would we do if Alvin got hit by a bus?"
I got tired of hearing that, knowing that the management of my department was doing nothing to train someone to handle some of my duties. Well, one day I gave them two weeks to train someone, because I was leaving the company. I got tired of hearing what if and not doing anything about it.
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
July 2, 2015 at 1:30 am
Having worked in a similar small situation and now in a slightly larger but more regulated organisation, I definitely prefer the latter. We aim to cover each other's tasks so between the five of us there's a backup DBA and backup for each specialist area and the two DBAs don't take holidays at the same time.
Documentation and assistance notes for each project are stored on the team SharePoint area, so any of us can access that and use it in support. Cross training is minimal but is targeted - we know what projects we each need to cover. We also know we can go on leave and the phone is unlikely to ring with problems at work, so we can relax.
All this was driven by the team manager and his superiors who have to carry the can if something can't be supported due to absence.
Passwords are stored in an online password safe with a backup on another site plus a printout in the fireproof tape safe and three of us have the "key" password.
July 2, 2015 at 6:41 am
pharmkittie (6/30/2015)
So, in summary, I'm wondering if someone has a persuasive argument or a reference that would appeal to business (not IT) people as to why it would be wise for one of them to have all the passwords in a safe and test that they're all up-to-date. Or another business-person-palatable solution. Thanks
Thanks.
Personally, I'd frame it as something like "Are you willing to lose your paychecks (either through lost revenue or shutdown of the entire company) if our systems go down and we can't fix them because we don't have the proper access in an emergency?"
Business people understand $$$. If the management isn't willing to change, leave. I wouldn't bet my paycheck on it.
____________
Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.