No DBAs allowed access to Production DB Servers...
Posted Tuesday, October 2, 2007 10:24 PM
SSC Rookie

The director is correct in implementing the security model.
This will be the case in a typical banking environment. No DBA will be given access to the server, and in turn to the data, without a prior issue to work. In the environment in which I am currently working, a DBA has to raise a token if any issue occurs, say a backup has failed.

The escalation manager (in your case, the key-keeper) will add your user ID to the appropriate role for a specified duration, typically an hour. After that you are no longer sysadmin.

That means that no one is allowed to try any junk on the system.

Thanks,
Harris/
Post #406024
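Added example (not part of the original posts): one way to check that the one-hour sysadmin grants described above actually lapse. It reconciles a snapshot of sysadmin members against the token ledger and emits revocation statements for review. The ticket IDs, logins, the STANDING exemption list and the rule that a re-issued token extends the window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: approved tokens and a snapshot of sysadmin members
# (in practice read from sys.server_role_members). All names are hypothetical.
TOKENS = [
    ("TKT-1001", r"CORP\dba_alice", datetime(2007, 10, 2, 9, 0), 60),
    ("TKT-1002", r"CORP\dba_bob", datetime(2007, 10, 2, 9, 30), 60),
    ("TKT-1003", r"CORP\dba_alice", datetime(2007, 10, 2, 9, 55), 60),  # re-issued
]
SYSADMIN_MEMBERS = ["sa", r"CORP\dba_alice", r"CORP\dba_bob", r"CORP\dev_carol"]
STANDING = {"sa"}  # accounts allowed permanent membership (assumption)


def latest_expiry(tokens):
    """Map each login to (expiry, ticket) of its latest-expiring token."""
    best = {}
    for ticket, login, granted, minutes in tokens:
        expiry = granted + timedelta(minutes=minutes)
        if login not in best or expiry > best[login][0]:
            best[login] = (expiry, ticket)
    return best


def reconcile(members, tokens, now):
    """Return (login, reason) for every member holding sysadmin without cover."""
    cover = latest_expiry(tokens)
    findings = []
    for login in members:
        if login in STANDING:
            continue
        if login not in cover:
            findings.append((login, "no token on record"))
        elif cover[login][0] <= now:
            expiry, ticket = cover[login]
            findings.append((login, f"{ticket} expired {expiry:%H:%M}"))
    return findings


def revoke_statements(findings):
    """Emit T-SQL for review; ']' is doubled so a login cannot break the quoting."""
    return [
        f"ALTER SERVER ROLE [sysadmin] DROP MEMBER [{login.replace(']', ']]')}];  -- {why}"
        for login, why in findings
    ]


if __name__ == "__main__":
    now = datetime(2007, 10, 2, 10, 40)
    for stmt in revoke_statements(reconcile(SYSADMIN_MEMBERS, TOKENS, now)):
        print(stmt)
```

ALTER SERVER ROLE is the SQL Server 2012 and later syntax; older instances use sp_dropsrvrolemember for the same revocation.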
Posted Tuesday, October 2, 2007 10:29 PM


SSC-Insane

Just curious on how you guys proceed...

If, for example, something more major happened and it takes more than 1 hour to correct the situation, do you re-issue access, re-extend the key, assign someone else?

What's the procedure in this case?
Post #406026
Posted Thursday, October 4, 2007 2:59 AM
Old Hand

In our environment, we have folks called DBAs whose main role is to check out a privileged ID from an automated ID control system, run the scripts they are given, then check the ID back in. All of the testing and such is done on a test server, with the results approved by the system or data owner (you DO have specific owners for all of the systems and data, don't you?). The privileged ID management system changes the passwords every time an ID is checked in. All actions are audited. The DBAs will not run a script that is not approved by an owner.

After using this for a couple of years, I can't really see a scenario where a development or resolution person needs any access to the production data other than read.
Post #406652
Posted Thursday, October 4, 2007 7:27 AM


SSC-Addicted

They have done the same thing at my job and it doesn't work. We've outsourced our network operations, and the "other guys" have all the access to all the test and production machines. It takes a long time to get anything done.

The customers are not happy.
Post #406761
Posted Thursday, October 4, 2007 7:30 AM
Grasshopper

If the customers are not happy, and/or you are unable to do your job, then Sarbanes-Oxley has succeeded. :D


Post #406768
Posted Thursday, October 4, 2007 7:36 PM
SSCarpal Tunnel

Ninja's_RGR'us (10/2/2007)
Just curious on how you guys proceed...

If, for example, something more major happened and it takes more than 1 hour to correct the situation, do you re-issue access, re-extend the key, assign someone else?

What's the procedure in this case?


Just curious:
how do you proceed if your car is broken?
Do you call the factory to get the guy from over there within one hour?

When will we all become PROFESSIONALS and not allow anything major to happen on our systems?

Are you a programmer or not?
Why can't you program your thing to work without major failures?
Post #407166
Posted Friday, October 5, 2007 11:29 AM
SSC-Enthusiastic

I had an intuition prior to this that Sergiy might be from a non-US locale, but now I'm wondering what planet he is from.

If you are lucky enough to walk into an IT shop where you are running more than a few applications and all of them run without needing production intervention of any kind, then production must consist only of numerous copies of solitaire on the client machines or exist at some extraterrestrial location. You don't have to be part of a large organization to have inherited applications (via mergers, homegrown, whatever) dating back 25+ years that are considered to be mission-critical that need daily care and feeding. The same management that decides these applications are too expensive to rewrite are the same ones who won't hire a dedicated DBA to comply with separation of duties but are willing to hire SOX auditors, and the IT people keeping the lights on are caught in the middle. Part of the increased pressure on the developer\DBAs as a result of SOX is that they are often expected by this same management to produce the same results in the same timeframe with the addition of the extra oversight overhead and red tape.



maddog
Post #407499
Posted Sunday, October 7, 2007 4:12 PM
SSCarpal Tunnel

Maddogs,
I was talking about MY PROJECTS.

Projects I designed, built and told developers what to do.

Of course, there are plenty of other projects around, designed by normal simple-mind developers.
Of course, we have 3-4 minor issues per day and 1-2 major crashes per week with those applications.

Of course, there was a suggestion to rewrite at least most critical parts of those projects, and of course management ruled them out.
All projects but two, where desperation was too high because of too significant cost of those projects.

And because it was an absolute disaster they gave me carte blanche for any changes.
Now nothing reminds us that those projects are in production.
There are some operational guys who are watching the servers (SQL and WEB), doing backups, but they don't have an idea about internal functionality.
And there are users who send us notifications about new customers connected to the network.
That's how it works in real life.

If it's another planet - sorry for you.
It means that your planet is a sand box for childish amateurs who cannot build anything actually working.

On my planet there are organizations with strict rules about confidentiality, mental health clinics, banks, credit cards, other organisations which don't let anybody access their data.
Do they exist on your planet?

What do you think programmers should do?
I think they should make programs, automatic procedures to work with data.
If human intrusion is required then programmers failed. They appeared to be unprofessional.
That simple.

P.S.
Does the MS team have access to your Windows Registry? Or to system tables on your production SQL Server?
Do these applications work without their intrusions?
Can you create anything with about the same level of reliability?
Or it's also another planet for you?
Post #407803
Posted Thursday, October 11, 2007 1:22 PM
Valued Member

Well, well, well...

Sergiy's world is certainly Sergiy-centric - he has inherited no malformed, non-normalized, mission-critical databases with thousands of users and no badly designed legacy apps running as the UIs to the DBs.

Sergiy, by your own admission, you are a developer. So, develop. And leave the database administration to the DBAs.

And, yes, Sergiy, you ARE the best developer and DBA to have EVER walked this planet (Earth). You said so, yourself.
Post #409712
Posted Thursday, October 11, 2007 2:11 PM
Hall of Fame

I wish that I had worn my brown boots today instead of my brown shoes ...
It is getting pretty deep in this thread today :D ...




Regards
Rudy Komacsar
Senior Database Administrator

"Ave Caesar! - Morituri te salutamus."
Post #409728