January 31, 2011 at 11:20 am
Ladies and Gents I have a bit of a conundrum, I work @ a University that is still graduating from the "way we've always done it" syndrome. Recently they hired (or were suckered into hiring) a 'consultant' from a company that doesn't have a great reputation as consultants.
Anywho here are the facts:
This consultant was hired to upgrade his company's software
This consultant is quite literally just going through setup wizards to do this
This consultant hit a snag in one of these wizards and said it was a permissions problem
This consultant was clueless when asked what permissions he needed to complete the step
This consultant proceeded to insist on it being permissions despite his general lack of knowledge of what permissions he actually needed
This consultant is now insisting he needs full sysadmin rights to every server he touches
This DBA is very reluctant to give that consultant Windows & SQL sysadmin rights to the University's SQL cluster that is housing their sensitive DB's, on account that said consultant has yet to give us any documentation or specifics in what permissions he needs, aside from his company's standard consulting contract which states the following (emphasis mine):
Grant full access to client's servers, network, and workstations
I could be way off in my thinking, but this seems a little extreme to request full control over our entire infrastructure just to upgrade their company's crappy, bloated and overpriced software.
I apologize for the lengthiness but I've become a wee bit agitated in dealing with said consultant.
Tips, thoughts, correlating tales of utter frustration are all very much appreciated.
(I apologize if this is in the wrong forum or if it is just painful to read)
UPDATE: In the likelihood that I wasn't very clear, I am looking for general reasonings or best practices that support the fact that it is plain silly for a software upgrade consultant to need this kind of access to our infrastructure and more importantly our SQL cluster.
January 31, 2011 at 11:32 am
the Borch
Grant full access to client's servers, network, and workstations
For many years I was a consultant, usually called in after a clown such as this, and would never put such a global statement in a contract. Even today, I grant dbo access to a database for the length of time it takes to do the upgrade, and only with supervision. I happen to have one that is going in today with a vendor for a new system. I create the database shell and login. The login has dbo access for the installation.
Steve Jimmo
Sr DBA
“If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan
January 31, 2011 at 11:35 am
I would still hear his side of the story.
It's possible that sa rights are required to install the packages (yes I know bad practice). In THAT case, have someone in the room with him to login as SA whenever needed.
But I'd never grant SA on the whole network to anyone, ever.
Not even
especially not my own mother :w00t:.
Then if / when it still fails, you start piling arguments that he doesn't really know what he's doing (or the cie setup is flawed at best).
However I wouldn't confront anyone with this. Just keep a safe copy for future references.
Then whenever the meeting to upgrade or hire them again comes up you can take out your notes to protect yourself and your boss(es).
Unfortunately you can't really play God in this spot unless he's blatantly hacking or stealing the system.
January 31, 2011 at 11:42 am
theBorch (1/31/2011)
@SSCommitted Thanks for the reply Steve, that is the line of thinking I was on too, dbo access with a temp account and a time frame.
dbo is even better than SA but if the install still fails with dbo you'll have to give SA to "hear" him out.
In any case, BE IN THE ROOM WITH HIM. Temp access only. Change SA password as soon as he's out the door.
I'd even go as far as saving the default trace for future references.
I'd also setup a trace to see whatever SA is running on the systems while the upgrade is going on.
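The approach the two replies above describe (a login with dbo on the one database, temporary only, every statement traced, sa password rotated afterwards) as an added T-SQL example; this is not code from any poster, and VendorAppDB, VendorUpgradeTmp and the trace path are placeholder names:

```sql
-- Added example (not from the thread): database-scoped, time-boxed vendor login
-- plus a server-side trace of everything that login runs. Placeholder names:
-- VendorAppDB, VendorUpgradeTmp, C:\Traces\VendorUpgrade.
USE [master];
GO
CREATE LOGIN [VendorUpgradeTmp]
    WITH PASSWORD = N'<one-time strong password>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;   -- Windows password policy applies
GO
USE [VendorAppDB];
GO
-- db_owner in this one database only; no server-level role, so no sysadmin.
CREATE USER [VendorUpgradeTmp] FOR LOGIN [VendorUpgradeTmp];
EXEC sp_addrolemember N'db_owner', N'VendorUpgradeTmp';   -- works on SQL 2005 and later
GO
-- Server-side trace: every RPC and batch completed by that login, written to disk.
-- sp_trace_create appends the .trc extension itself.
USE [master];
GO
DECLARE @TraceID int, @maxsize bigint = 100, @on bit = 1, @rc int;
EXEC @rc = sp_trace_create @TraceID OUTPUT, 0, N'C:\Traces\VendorUpgrade', @maxsize, NULL;
IF @rc <> 0 RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);
-- Events: 10 = RPC:Completed, 12 = SQL:BatchCompleted.
-- Columns: 1 TextData, 11 LoginName, 12 SPID, 14 StartTime, 35 DatabaseName.
EXEC sp_trace_setevent @TraceID, 10, 1,  @on;  EXEC sp_trace_setevent @TraceID, 12, 1,  @on;
EXEC sp_trace_setevent @TraceID, 10, 11, @on;  EXEC sp_trace_setevent @TraceID, 12, 11, @on;
EXEC sp_trace_setevent @TraceID, 10, 12, @on;  EXEC sp_trace_setevent @TraceID, 12, 12, @on;
EXEC sp_trace_setevent @TraceID, 10, 14, @on;  EXEC sp_trace_setevent @TraceID, 12, 14, @on;
EXEC sp_trace_setevent @TraceID, 10, 35, @on;  EXEC sp_trace_setevent @TraceID, 12, 35, @on;
-- Filter: LoginName (column 11) equal to (0) the vendor login, AND (0) with nothing else.
EXEC sp_trace_setfilter @TraceID, 11, 0, 0, N'VendorUpgradeTmp';
EXEC sp_trace_setstatus @TraceID, 1;   -- start the trace
SELECT @TraceID AS TraceID;            -- keep this id for the teardown below
GO
-- When the consultant is out the door: stop and close the trace (use the id above),
-- read what ran, drop the temporary principal, and rotate sa.
EXEC sp_trace_setstatus @traceid = 2, @status = 0;   -- 2 is a placeholder id
EXEC sp_trace_setstatus @traceid = 2, @status = 2;
SELECT StartTime, DatabaseName, SPID, TextData
FROM fn_trace_gettable(N'C:\Traces\VendorUpgrade.trc', DEFAULT)
ORDER BY StartTime;
USE [VendorAppDB];  DROP USER [VendorUpgradeTmp];
USE [master];       DROP LOGIN [VendorUpgradeTmp];
ALTER LOGIN [sa] WITH PASSWORD = N'<new strong password>';
GO
```

Keep the .trc file with the change record; it is the evidence of exactly what the upgrade did under that login.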
January 31, 2011 at 11:43 am
@ninja thanks for the reply.
Yeah, at first we tried to be very accommodating, but would prefer an honest "I don't know" over a reasonless "just give me access"
The hard thing is, he is working from his home, vpn'd to his company computer, then gotomypc'd to a temp vm we setup for him to work from. So security is already a touchy subject. So we offered to run the wizard that he insisted needed SA rights for him since we watched him go through it and any new to IT helpdesk rep could figure it out (server,credentials,database type of thing).
January 31, 2011 at 11:47 am
theBorch (1/31/2011)
@ninja thanks for the reply.
Yeah, at first we tried to be very accommodating, but would prefer an honest "I don't know" over a reasonless "just give me access"
The hard thing is, he is working from his home, vpn'd to his company computer, then gotomypc'd to a temp vm we setup for him to work from. So security is already a touchy subject. So we offered to run the wizard that he insisted needed SA rights for him since we watched him go through it and any new to IT helpdesk rep could figure it out (server,credentials,database type of thing).
My first reply would be thanks but no thanks. I'll run the wizard and call you if anything goes wrong.
After all if the script is well made it should be just that simple...
In any case, make sure you are tracing what's going on... especially on double VPN with SA.
Moreover, do you have to be SOX compliant??? That could give you strong ammo to kick him out...
January 31, 2011 at 12:01 pm
theBorch (1/31/2011)
This consultant hit a snag in one of these wizards and said it was a permissions problem
This consultant was clueless when asked what permissions he needed to complete the step
This consultant proceeded to insist on it being permissions despite his general lack of knowledge of what permissions he actually needed
This consultant is now insisting he needs full sysadmin rights to every server he touches
This is not as unheard of as you might think, especially when dealing with vendor systems. I've been at many places where we have a dedicated VM install for Vendor software because of the rights they usually insist on to 'maintain' their software. Yes, an entire server for one database. Imagine the cost of that for a moment if there wasn't VM. Would you like to know how many places I've been at that have 5 or more of these atrocities? I wish I didn't know.
Anyway, this consultant is some low man on totem pole that the vendor hired to do the trained monkey work (as you mentioned, any beginning IT person could run the wizard). Usually though to stay in warranty and compliance you have to let 'their staff' do the upgrades, or they can write off any problems as a failure on your part to properly do the installs.
Don't chuck this poor, obviously inexperienced, fellow right on his ear. He's simply following orders. The sysadmin thing is to reduce cost, in theory. However, if you're paying him, I don't see why they care about how long it takes him to do his job. You do still need to read the contracts though to find out about compliance and culpability if they don't do all upgrades. You usually pay these vendors a small fortune to upkeep and support their system, and blowing it all over this could be painful.
I do feel for your problem. I just don't want you to see you shoot yourself in the feet a few times. These decisions usually come from business, not IT, but we're stuck with the contracts they sign.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
January 31, 2011 at 12:07 pm
@craig-2 thanks for the reply and insight and the concern for my feet 😛
Sadly the consultant touted his years of experience with the software, which is what in turn frustrated us when we asked him somewhat basic questions about it and he said he'd have to talk to customer support to find out.
I will definitely look over the agreement and see if we couldn't get away with contractually running the wizard ourselves.
January 31, 2011 at 12:10 pm
Another [drastic] option might be to ask for another consultant from the vendor's firm, stating that you don't see eye to eye (try finding a good way to put this... not easy to do).
January 31, 2011 at 12:11 pm
Craig,
I agree with everything that you said, but many times when pushed these vendors can use dbo access. They prefer SA because it is easier for them. I have had them back down when they realize that someone is onto them and not willing to give in without good reason.
In one case I found a vendor that actually insisted that they did need to use sa, and we gave it to them until they were done and then changed the password. (Unfortunately this called for them to create a process for us to be able to change the password.) Again, it was a convenience thing as they were setting up multiple systems to run together and were using the sa login for them to talk to each other.
Steve Jimmo
Sr DBA
January 31, 2011 at 12:17 pm
sjimmo (1/31/2011)
Craig,
I agree with everything that you said, but many times when pushed these vendors can use dbo access. They prefer SA because it is easier for them. I have had them back down when they realize that someone is onto them and not willing to give in without good reason.
Yes and no. In three cases I can think of off the top of my head it was because they wanted to make sure they couldn't lose rights to double check security between the front and back ends, and for troubleshooting purposes if we whined. Good cases in theory, annoying in reality. Couple that with if you're not high enough (or respected enough) in your company, your boss is more likely to decide it's not a fight worth having, or time worth wasting, on an already done deal with a signed contract.
Being a consultant, I run into that constantly. Something I've learned in contracting: You're there to fix a problem, not rock the boat or change the world. You state your case, and move on. They need to deal with it when you're gone, not you.
In one case I found a vendor that actually insisted that they did need to use sa, and we gave it to them until they were done and then changed the password. (Unfortunately this called for them to create a process for us to be able to change the password.) Again, it was a convenience thing as they were setting up multiple systems to run together and were using the sa login for them to talk to each other.
The thing with this is you still need to dedicate a system to them since they're outside your internal NDAs. This kind of vendor case seems to happen most often, in my perspective, in Health Care. A lot of little systems all over the place. HIPAA tends to frown on 'accidental access'. Thus, cough up SA, dedicate the system. It's a royal PITA.
Twitter: @AnyWayDBA
January 31, 2011 at 12:19 pm
theBorch (1/31/2011)
@craig-2 thanks for the reply and insight and the concern for my feet 😛
Sadly the consultant touted his years of experience with the software, which is what in turn frustrated us when we asked him somewhat basic questions about it and he said he'd have to talk to customer support to find out.
Of course, ignorance is bliss so he has no idea what he doesn't know. Besides that, if you asked him the color of the sky, he'd probably have to check with Customer Support about it. Most likely he's not 'authorized' to have any significant discussions with a client except about the specific upgrades and even then he's probably trying to confirm what he's allowed to say about it.
Twitter: @AnyWayDBA
January 31, 2011 at 1:56 pm
theBorch (1/31/2011)...
This DBA is very reluctant to give that consultant Windows & SQL sysadmin rights to the University's SQL cluster that is housing their sensitive DB's, on account that said consultant has yet to give us any documentation or specifics in what permissions he needs, aside from his company's standard consulting contract which states the following (emphasis mine):
Grant full access to client's servers, network, and workstations
...
Just say that your company agreed to that with the understanding that they would be granting access to someone who had some idea what they were doing.