Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Granting DBA to all developers
6 views
Skip to first unread message
red_valsen
Jan 30, 2012, 6:15:57 PM1/30/12
to
Why is it a bad idea to grant DBA to all developers? On one project I
support, the programmers all use the same project-level account
'projectXdba' to develop and run queries, but whine because they're
not able to differentiate easily the multiple running sessions by
name. The final queries are also run in production as user
'projectXdba.' So they all now want DBA privilege for their
individual logins. Why should I tell them to pound sand?
support, the programmers all use the same project-level account
'projectXdba' to develop and run queries, but whine because they're
not able to differentiate easily the multiple running sessions by
name. The final queries are also run in production as user
'projectXdba.' So they all now want DBA privilege for their
individual logins. Why should I tell them to pound sand?
Jonathan Leffler
Jan 30, 2012, 7:43:38 PM1/30/12
to red_valsen, inform...@iiug.org
DBA privileges should be granted sparingly. Are you sure it has to be DBA privilege and not RESOURCE privilege? In theory, RESOURCE privilege is sufficient for much development work, though if all objects have to be owned by a specified user (or small subset of users), then only a DBA can create objects on behalf of those users.
However, just as with root (and informix), you are far better off letting multiple people connect with individual traceablity than sharing a non-traceable single account. People don't care as much when their actions can't automatically and reliably be traced to them.
If people with DBA privilege show themselves to be unsuited for the privilege, or under-trained for the privilege, you can revoke the privilege and get them the training they need to become responsible and educated enough for the job.
There is also a difference between production systems and development systems. You can be more lax on development systems if you have a good separation between development and production.
Also, for the purposes of this discussion, I am distinguishing between DBA privileges (which apply to the controls of one database within an instance) and DBSA (database system administrator) privileges. The DBSA privileges - operations which otherwise require 'informix' privileges - should be kept under careful control, even in a development environment if the DBMS instance is shared. If the environment is the developers 'own' (a local instance on their own machine), you can decide whether they have full control of that, but it would be good to let them have it, so they can learn without affecting others.
--
Jonathan Leffler <jonathan...@gmail.com> #include <disclaimer.h>
Guardian of DBD::Informix - v2011.0612 - http://dbi.perl.org
"Blessed are we who can laugh at ourselves, for we shall never cease to be amused."
0 new messages