63 posts, Page 6 of 7
No DBAs allowed access to Production DB Servers...
Harris-358031
Posted Tuesday, October 02, 2007 10:24 PM
The director is correct in implementing the security model.
This will be the case in a typical banking environment. No DBA will be given access to the server, and in turn to the data, without a prior issue to work. In the environment in which I am currently working, a DBA has to raise a token if any issue occurs, say a backup has failed.
The escalation manager, in your case the key-keeper, will add your user id to the appropriate role for a specified duration, typically an hour. After that you are no longer sysadmin.
That means that no one is allowed to try any junk on the system.
Thanks,
Harris/
Post #406024
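The time-boxed sysadmin grant described in the post above, sketched in T-SQL as an added example (not code from the thread or from any poster's environment). The table `dbo.ElevationGrant`, both procedure names and the 60-minute cap are assumptions; `sp_addsrvrolemember` and `sp_dropsrvrolemember` are the system procedures SQL Server 2000 provides for server role membership.

```sql
-- Hypothetical audit table: one row per approved ticket ("token").
CREATE TABLE dbo.ElevationGrant (
    GrantId    int IDENTITY(1,1) PRIMARY KEY,
    TicketRef  varchar(40) NOT NULL,              -- issue that justifies access
    LoginName  sysname     NOT NULL,
    ApprovedBy sysname     NOT NULL DEFAULT SUSER_SNAME(),
    GrantedAt  datetime    NOT NULL DEFAULT GETDATE(),
    ExpiresAt  datetime    NOT NULL,
    RevokedAt  datetime    NULL
);
GO
-- Run by the key-keeper: record the ticket first, then grant sysadmin.
CREATE PROCEDURE dbo.GrantTimedSysadmin
    @LoginName sysname, @TicketRef varchar(40), @Minutes int = 60
AS
BEGIN
    SET NOCOUNT ON;
    IF @Minutes < 1 OR @Minutes > 60   -- assumed cap: one hour per ticket
    BEGIN
        RAISERROR('Duration must be between 1 and 60 minutes.', 16, 1);
        RETURN 1;
    END
    INSERT dbo.ElevationGrant (TicketRef, LoginName, ExpiresAt)
    VALUES (@TicketRef, @LoginName, DATEADD(minute, @Minutes, GETDATE()));
    EXEC sp_addsrvrolemember @loginame = @LoginName, @rolename = 'sysadmin';
END
GO
-- Scheduled (for example once a minute): revoke grants past their expiry.
CREATE PROCEDURE dbo.RevokeExpiredSysadmin
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @GrantId int, @LoginName sysname;
    WHILE 1 = 1
    BEGIN
        SET @GrantId = NULL;
        SELECT TOP 1 @GrantId = GrantId, @LoginName = LoginName
        FROM dbo.ElevationGrant
        WHERE RevokedAt IS NULL AND ExpiresAt <= GETDATE();
        IF @GrantId IS NULL BREAK;
        -- Keep membership if a newer ticket for the same login is still live.
        IF NOT EXISTS (SELECT 1 FROM dbo.ElevationGrant WHERE LoginName = @LoginName
                       AND RevokedAt IS NULL AND ExpiresAt > GETDATE())
            EXEC sp_dropsrvrolemember @loginame = @LoginName, @rolename = 'sysadmin';
        UPDATE dbo.ElevationGrant SET RevokedAt = GETDATE() WHERE GrantId = @GrantId;
    END
END
```

Both system procedures refuse to run inside a user-defined transaction, so the grant row is written before the role change: a failure in between leaves an expiry record with no membership rather than a membership with no expiry.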
Ninja's_RGR'us
Posted Tuesday, October 02, 2007 10:29 PM
Just curious on how you guys proceed...
If, for example, something more major happened and it takes more than 1 hour to correct the situation, do you re-issue access, re-extend the key, assign someone else?
What's the procedure in this case?
Post #406026
Ross McMicken
Posted Thursday, October 04, 2007 2:59 AM
In our environment, we have folks called DBA's whose main role is to check out a privileged ID from an automated ID control system, run the scripts they are given, then check the ID back in. All of the testing and such is done on a test server, with the results approved by the system or data owner (you DO have specific owners for all of the systems and data, don't you). The privileged ID management system changes the passwords every time an ID is checked in. All actions are audited. The DBA's will not run a script that is not approved by an owner.
After using this for a couple of years, I can't really see a scenario where a development or resolution person needs any access to the production data other than read.
Post #406652
sing4you
Posted Thursday, October 04, 2007 7:27 AM
They have done the same thing at my job and it doesn't work. We've outsourced our network operations, and the "other guys" have all the access to all the test and production machines. It takes a long time to get anything done.
The customers are not happy.
Post #406761
ndeangelo
Posted Thursday, October 04, 2007 7:30 AM
If the customers are not happy, and / or you are unable to do your job, then Sarbanes-Oxley has succeeded. :D
Post #406768
Sergiy
Posted Thursday, October 04, 2007 7:36 PM
Ninja's_RGR'us (10/2/2007)
Just curious on how you guys proceed...
If, for example, something more major happened and it takes more than 1 hour to correct the situation, do you re-issue access, re-extend the key, assign someone else?
What's the procedure in this case?
Just curious:
how do you proceed if your car is broken?
Do you call the factory to get the guy from over there within one hour?
When will we all become PROFESSIONALS who do not allow anything major to happen on our systems?
Are you a programmer or not?
Why can't you program your thing to work without major failures?
Post #407166
maddogs
Posted Friday, October 05, 2007 11:29 AM
I had an intuition prior to this that Sergiy might be from a non-US locale, but now I'm wondering what planet he is from.
If you are lucky enough to walk into an IT shop where you are running more than a few applications and all of them run without needing production intervention of any kind, then production must consist only of numerous copies of solitaire on the client machines or exist at some extraterrestrial location. You don't have to be part of a large organization to have inherited applications (via mergers, homegrown, whatever) dating back 25+ years that are considered to be mission-critical that need daily care and feeding. The same management that decides these applications are too expensive to rewrite are the same ones who won't hire a dedicated DBA to comply with separation of duties but are willing to hire SOX auditors, and the IT people keeping the lights on are caught in the middle. Part of the increased pressure on the developer\DBA's as a result of SOX is that they are often expected by this same management to produce the same results in the same timeframe with the addition of the extra oversight overhead and red tape.
maddog
Post #407499
Sergiy
Posted Sunday, October 07, 2007 4:12 PM
Maddogs,
I was talking about MY PROJECTS.
Projects I designed, built and told developers what to do.
Of course, there are plenty of other projects around, designed by normal simple-minded developers.
Of course, we have 3-4 minor issues per day and 1-2 major crashes per week with those applications.
Of course, there was a suggestion to rewrite at least most critical parts of those projects, and of course management ruled them out.
All projects but two, where desperation was too high because of too significant cost of those projects.
And because it was an absolute disaster they gave me carte blanche for any changes.
Now nothing reminds us that those projects are in production.
There are some operational guys who are watching the servers (SQL and WEB), doing backups, but they don't have an idea about internal functionality.
And there are users who send us notifications about new customers connected to the network.
That's how it works in real life.
If it's another planet - sorry for you.
It means that your planet is a sand box for childish amateurs who cannot build anything actually working.
On my planet there are organizations with strict rules about confidentiality, mental health clinics, banks, credit cards, other organisations which don't let anybody access their data.
Do they exist on your planet?
What do you think programmers should do?
I think they should make programs, automatic procedures to work with data.
If human intrusion is required then programmers failed. They appeared to be unprofessional.
That simple.
P.S.
Does the MS team have access to your Windows Registry? Or to system tables on your production SQL Server?
Do these applications work without their intrusions?
Can you create anything with about the same level of reliability?
Or is it also another planet for you?
Post #407803
John Hick-456673
Posted Thursday, October 11, 2007 1:22 PM
Well, well, well...
Sergiy's world is certainly Sergiy-centric - he has inherited no malformed, non-normalized, mission-critical databases with thousands of users and no badly designed legacy apps running as the UIs to the DBs.
Sergiy, by your own admission, you are a developer. So, develop. And leave the database administration to the DBAs.
And, yes, Sergiy, you ARE the best developer and DBA to have EVER walked this planet (Earth). You said so, yourself.
Post #409712
rudy - Doctor "X"
Posted Thursday, October 11, 2007 2:11 PM
I wish that I had worn my brown boots today instead of my brown shoes
...
It is getting pretty deep in this thread today :D ...
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
Post #409728
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.