Lockdown or Let Them Free

  • Comments posted to this topic are about the item Lockdown or Let Them Free

  • Im in favor of giving them as much access as possible. "As possible" contains a lot of variables of course, but it's why when a DBA is hired they should find out what is really wanted - do they want data rigidly protected, or a slightly looser approach?

  • Likely the biggest management problem I have dealt with in my career is the false presumption by various IT workers that technologies and data are "theirs". That somehow they were hired to "oversee" these company assets. In fact, they were hired to serve. Thats what IT workers do. In virtually all cases, we are secondary in our work to the front-line business. Our job is essentially to help other people do their job - to serve their needs for data, and the things they need to get done with data.

    I have run into DBA's with (what I call) a "Caesar complex" and these people don't last long. I am not interested in excuses as to why a staff member cant have data or software they need to get their work done, and I have watched a number of times as egocentric DBA's seem shocked when I dress them down reminding them that our "clients" are in fact, our coworkers, and our primary goal is to serve them and enhance their abilities to do their jobs.

    Data, software, hardware, and most technologies in the work place are assets of the company NOT the DBA or any IT worker. Those assets are there to assist those who need them to get work done and make profit for the company. Security concerns are not without importance, but at the bottom the line, any company has an IT staff to serve - not to conquer and hold.

    If you work for my IT department, leave your ego and your "power" at the door and come in and serve our company staff. Otherwise, keep your resume up to date because you're going to need it.

    There's no such thing as dumb questions, only poorly thought-out answers...
  • It's not just a question of ego, it's more a question of matching things up properly. I've seen many people say they need access to get their job done. Developers have done this for years, claming the app won't work without "sa" access. 99% of the time it's BS because they don't realize what rights are needed, or are too lazy to check.

    My point was that we might need to check access and privileges more often. Not set it and forget it. As someone grows, give them more responsibility. And take it away if they prove they can't handle it.

  • blandry (9/21/2009)

    If you work for my IT department, leave your ego and your "power" at the door and come in and serve our company staff.

    Well said. That's the goal, or should be, of every support team. Lots of gray in the decisions, but if you try to serve that expectation I find things tend to work out pretty well.

  • "The best way to handle rights and access is to selectively apply permissions to individuals, matching up their skills with their rights. If a user has problems creating indexes or adding tables, remove those rights. If they are a model DBA, then perhaps they deserve sysadmin rights. You can either loosely apply security and then tighten it up or lightly apply it and loosen it as people prove themselves."

    But Steve, that's fine in a small to mid-sized company, where you know all the workers... but what about an enterprise sized corporation (let's say a Microsoft, IBM or EMC...) How do you manage this sort of tailoring in organizations that large?

    Random Technical Stuff[/url]

  • Having worked as a Systems and Network Admin in support of many types of businesses, developers, and DBA's, I have to say that security is a risk versus value proposition. Everyone needs to get their work done within an acceptable amount of risk.

    For most users, and I consider everyone a user, doing the simple things like not running with Admin permissions, being aware of the potential risks involved with running software on your desktop/laptop/server, and understanding what the software does in your environment is critical. Running with normal, base user permissions, and in the case of any Windows OS, using an antivirus and spyware solution, can eliminate most security concerns.

    With the boiler plate commentary out of the way, I would like to address the issue of Ego and the responsibilities of IT workers in general. The post was absolutely correct that IT's function is to serve the business and not our personal egos or goals. However, taking ownership of any system, whether that is your own desktop, a server, an entire network, database, etc. is a requirement of an IT worker. I have never worked in a place where there wasn't some form or process, verbal or heavily documented, where a user could request that new software be installed to meet their business needs. The idea that anyone can simply demand the permissions to install anything they want at any time is ludicrous within a business. You can do that stuff at home on your own systems. When a user installs software without understanding the impact it can have, not only on their computer or server, but within a network of systems, it puts everything at a potential risk. I have been privileged to work with some very senior developers and DBA's with skills I can only hope to have, and yet they too have installed and broken their systems and servers and caused hours of unnecessary work for themselves and others. I know it's not intential, but when the best and brightest of us can make mistakes, what is the potential risk for the average user who isn't knowledgable about their computing environment? IT professionals have to take ownership of their areas of expertise in order to serve the greater good of the business and all of the users rather than just the needs of the one. IT professionals must take ownership because they're the ones who must fix the issues and maintain availability of computing resources for everyone. In most operations, IT is a department serving the whole of the business or multiple businesses. IT is often a shared resource established to centralize Information Systems management to cut costs within the organization. So yes, IT can be a bottleneck, but it is most often one of choice and necessity within the orgainization.

    If you work for a place without a process to address your computing needs, be proactive, develop a process. Take ownership and responsibility of your work and your needs and create or improve the processes you work within and realize that there are more than just your needs to be addressed. As a Systems and Network Admin, I serve, but I serve to the best of my abilities to keep everything available in order to run the business, not serve the ego of those who believe they have a right to administer their own computers.

  • There are many issues with no real black and white solutions.

    If anyone can install whatever software they chose, them you end up with enormous cost supporting applications. If user A installs a little known programming language, develops an application, and them moves on to a different job, you may be stuck trying to support a language that no one knows or sending people to training to support it. What it the cost of supporting 10 different programming languages?

    I worked for a small company (200 users) that had 4 different word processing programs, 5 different spreadsheet programs, and 4 different desktop database programs. Of course, each set of users expected prompt support from the 5 person IT department for their favorite program. You can say that people were empowered, but was there really any additional value to the company from this confusion of software?

  • You can still do it in a large company, just need to use groups and spend a little more time on it. Or lock things down and take requests for additional permissions. Then handle those as people seem to have more knowledge.

  • An old supervisor of mine used to say "it is better to lock them down in the beginning, because you can always get them more permissions but it becomes nearly impossible to take them a way".

    I find that to be true more often then not.

  • I live in a world where if a table is deleted or any data for that matter, that it is my butt not the one that did it. Until the day i can say to the person that asks me about the missing data "go see so and so and ask them why they deleted that data that you find so important, and by the way tell them to restore it, and to it correctly" I cannot give out permissions. As long as I am responsible for the data to management I will limit my exposure to missing data and other things by limiting the permissions users get. It is always bare minimum.


    "I'm still learning the things i thought i knew!"
  • Heh... visit the world of SOX and let me know if you folks still think not locking down the production server is the right way to go.

    Have some dummy wipe out a whole table of data on a Tera-Byte database because (s)he fogot to include a WHERE clause on a delete and also forgot to do a begin transaction and let me know if you folks still think not locking down the production server is the right way to go.

    I realize DBA's are hired to "serve" and one of the most important services they provide is to protect the data from users and some developers that just don't know any better. Let them do their job.

    The best of both worlds is to create a nightly snapshot of the database on a different server and let people have a go at it. If it's a snapshot using the SAN software, it takes only minutes to build a new snapshot on the "reporting" server. This gives developers and users as much access as they need. Any data cleanup scripts can be thoroughly tested before submittal to the DBA to be executed in production.

    --Jeff Moden

    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • for years, i let the users do what they want with their laptops and desktops. the costs of hardware and support maintenance were high.

    when i got to implement a strict IT policy, the costs and support time dramatically went below 50%.

    in essence, the computers given to users are not their property but the company's. when the unit is due for replacement, then they can buy it. if they want to do anything with a computer, do it on their own personally-bought computers.

    a great side effect was, if they cannot install anything, neither could viruses install themselves automatically.

    in sql 2005, i was able to give better restrictions to staff using it.


    i read the slate article but it used extreme examples. i guess there are IT managers who shouldn't be, but it happens.

  • Well said. We have a very small IT dept (3 people) and our primary role here to serve the others (about 50) in our orginization and make their work more efficient and productive, but we are also entrusted with a stewardship role over the data. They would never give me the keys to the company back hoe because I don't have the proper training and it should not be my responsibility to operate it. But ocassionally I get the keys to the Chevy Lumina for comapany related travel. We often have special data projects especially as winter comes in and slows down field work activities that require permissions change for individuals. Once the project is complete the permissions should be removed. The Key is to give the users access to the resources they need.

    As a developer, I like knowing I can't mess with the production data. It gives me comfort and the freedom I need to do my job better. Even though all I have to do is log in with different credentials to have access to the production data, It still makes the data safer than it would be without this step. I honestly wish they would change the login password after I worked with the data so that I would have plausible denyablity.

    I also have been given the combo to a safe to store backup tapes. The problem is that cash is also stored in this safe so if anything is ever stolen from the safe. I will be a suspect, because I come in before any one else and have access to the safe.

  • "The grass is always greener on the other side of the monitor"

    This is clearly a case of human/person to person communication then technological needs and responsabilities. Those who have been on both sides like myself are able to see both sides of this argument and therefore know that what really needs to happen is for each side to talk to the other and in person and not via email or IM; both fo which lack true emotion even with emoticons.

    End users need to understand why IT has the restrictions in place that they do, IT needs to understand the users needs & frustrations with these restrictions and both most of all need to realize that there is no solution that will make both sides %100 happy. This is just the nature of our digital world. Even if there were no hackers, script kiddies or other digital scum of the universe out there, it would still be unreasonable to simply let every user have full acces to do whatever they want.

    Imagine if every driver on the road had the flexability to determine the "safe" speed for a particular section of road; it would be a mess waiting to happen. Those who want to go fast would push those who don;t off the road thru intimidation and those who want to go slow and who aren't initimidated would grealty P off those who want to go faster.

    There has to be some level of management in everything that involves many working together in where the decisions one makes will affect others. If End users were allowed to download and use whatever they want then as sure as the government will put you in jail for not paying them off each year (the IRS), some one will download and infect the system with something that will inturn affect others in a negative way. And when that happens you can bet that the end user who complained about not being able to do what they wanted with tehir system will now be mad with IT for letting someone else infect the system and mess up everyone elses work.

    On the flip side of that you also have the situation where sometimes IT's policies and enforcement are counter productive to the end user. This really depends on how the IT leader leads their department. It can be easier to simply lock down everything and give no one any flexability however that would then promote hate & distruct of the IT by the end users. You have to come to some middle ground where users, who have a vaild need and can show competence get some flexability to do what they need to within reason.

    Until the day where everyone using a computer is smart enough to know what NOT to do we will have a need for some level of restriction and control in the work environment. I'm not advocating computer licenses but it does sound crazy to imagine if the driving lawas were changed so that there were no restrictions or training required and that anyone & everyone could drive that wanted to and that had a care whether they had insurance or not. Would you want to drive in a world like that? Same goes with computing.

    Kindest Regards,

    Just say No to Facebook!

Viewing 15 posts - 1 through 15 (of 17 total)

You must be logged in to reply to this topic. Login to reply