I’m the new DBA, and I’m locking down development servers

Lock it Down
Many times, I’ve started with a company as one of their first, if not the first DBA. They’ve acquired enough servers now, with enough data moving around, that they just can’t continue as they are.

There’s no shortage of developers who can write stored procedures or SSIS packages, or write a new page for the website, but things just seem to be going further and further downhill. Pages take longer to load, SSIS packages take longer to run, production issues spring up all over the place, and so on. Above all, they want the environment locked down. Way too many people have way too many permissions to the databases… and that’s one of the main reasons for the problems.

So, they decide to bring in a DBA to help them sort it all out.

The DBA enters the scene

Ok, here I am. I’m the new DBA and things are exactly what they said they were. I start with the first task: limiting permissions. I mean, if you’re bleeding to death, you want to prevent new cuts, right? It’s a good place to start.

I start by asking all the teams what permissions they need to do their jobs. What a surprise! Everyone who responds reports that they need sysadmin! Weird, right? There’s also a whole bunch of people who don’t even reply.

Next, I go to each one of them and ask what they actually do in the database. I get varied answers, but most of them amount to either (1) running some kind of query to look up customer data, or (2) running a report for something. I manage to hold back my rant about the huge disparity between sysadmin and read permissions, quietly decide on read permissions for them, and move on.

Then I come to a development system. I find the main developer on that box and ask what it is that he does. He currently has sysadmin, and he doesn’t need that. The dev starts to get a little irate. He tells me that it’s his box and he needs sysadmin because who else would do all the stuff he does on it? Well, I will. That’s what DBA means. “But it’s a dev box,” he says. “I can’t see any reason why I can’t have sysadmin on a dev box. I understand why you took it away from me in production, but in dev? Give me one good reason!”

The road to giving up sysadmin

Ahhh, one good reason. Ok, here we go then. Now is my opportunity to take away his excuses to have sysadmin. So, I start with a short series of questions.

Continue reading on MinionWare.net.
