Re: Application Admins with Local Admin on Servers
- From: krymson@xxxxxxxxx
- Date: 11 Jul 2007 19:26:36 -0000
My last two jobs have been with ASP web-based companies, so I've seen quite a lot of developer<->sysadmin interaction in developing and supporting sites and servers.
I think the majority of people here will say the separation of duties is more important than giving admin rights to the developers. If you do give them server rights, you essentially should be telling developers they are managing the servers. Too many hands make for badly managed servers, especially when developers tend to not make very sound sysadmin decisions. Likewise, sysadmins likely shouldn't be changing or updating code they don't write.
I've only given developers enough access to the servers to place files where they need to go, so basically share level access to some locations. Typically this is never directly into the web roots, but rather into staging areas where they can then control the pushing of code up through a process or request that a sysadmin perform the deployment.
There is plenty of leeway in this, especially when you start talking about whose responsibility is it to troubleshoot problems, enforce restrictions/requirements, and evaluate performance. There can be a lot of friction between both teams in those cases, so make sure the dev and sysadmin teams play nicely and sit down together in a meeting room to hash out those problems together. That way each can still do their duties without having to compromise and make devs admins, for instance.
There is also plenty of leeway depending on the size of your company and the two teams. The larger it is, the less people you can tolerate to be updating things on their own. Small companies with small teams may have to settle with developers having some access and admin rights on servers if that's what it takes to Get Things Done.
If you have any further specific questions, feel free to post them here for even more specific answers! :)
<- snip ->
I am trying to get a feel for what other companies do with regard to
application developers needing local admin privileges on servers. I am
specifically working in a Windows environment but believe that the
same principles would apply in any environment. Here are my questions:
Do you grant admin privileges to application developers?
If not, do you grant them specific access or do you take care of the
work for them?
I do understand that it is a violation of separation of duties to
allow application developers to have local admin or root on systems, I
am simply try to get an idea of what the rest of the community does in
- Prev by Date: Least privilege vs Windows server security
- Next by Date: RE: Least privilege vs Windows server security
- Previous by thread: Re: Application Admins with Local Admin on Servers
- Next by thread: Fingerprint 2-factor authentication in a domain?