Re: Application Admins with Local Admin on Servers



My last two jobs have been with ASP web-based companies, so I've seen quite a lot of developer<->sysadmin interaction in developing and supporting sites and servers.

I think the majority of people here will say the separation of duties is more important than giving admin rights to the developers. If you do give them server rights, you essentially should be telling developers they are managing the servers. Too many hands make for badly managed servers, especially when developers tend to not make very sound sysadmin decisions. Likewise, sysadmins likely shouldn't be changing or updating code they don't write.

I've only given developers enough access to the servers to place files where they need to go, so basically share level access to some locations. Typically this is never directly into the web roots, but rather into staging areas where they can then control the pushing of code up through a process or request that a sysadmin perform the deployment.

There is plenty of leeway in this, especially when you start talking about whose responsibility is it to troubleshoot problems, enforce restrictions/requirements, and evaluate performance. There can be a lot of friction between both teams in those cases, so make sure the dev and sysadmin teams play nicely and sit down together in a meeting room to hash out those problems together. That way each can still do their duties without having to compromise and make devs admins, for instance.

There is also plenty of leeway depending on the size of your company and the two teams. The larger it is, the less people you can tolerate to be updating things on their own. Small companies with small teams may have to settle with developers having some access and admin rights on servers if that's what it takes to Get Things Done.

If you have any further specific questions, feel free to post them here for even more specific answers! :)


<- snip ->
I am trying to get a feel for what other companies do with regard to
application developers needing local admin privileges on servers. I am
specifically working in a Windows environment but believe that the
same principles would apply in any environment. Here are my questions:

Do you grant admin privileges to application developers?
If not, do you grant them specific access or do you take care of the
work for them?

I do understand that it is a violation of separation of duties to
allow application developers to have local admin or root on systems, I
am simply try to get an idea of what the rest of the community does in
practice.

Thanks!



Relevant Pages

  • Re: Should users be local admins?
    ... If your environment is one where you maintain a corporate desktop, ... > virtually universal practice to give engineers local admin rights. ... > developers, and they shouldn't be developing on their 'work' PCs. ...
    (microsoft.public.windows.server.security)
  • Re: Local Admin rights - debug users
    ... > As network administrator I disallow any non-admins local admin rights. ... > Recently I've had to install Visual Studio .Net and developers ... > allows a malicious programmer to launch any application he desires ...
    (microsoft.public.windowsxp.security_admin)
  • Application Admins with Local Admin on Servers
    ... System Administrators - ... application developers needing local admin privileges on servers. ...
    (Security-Basics)
  • RE: Application Admins with Local Admin on Servers
    ... happening on the production server that could easily be fixed on the ... will be deployed on our VMWare sandbox server for our own testing before ... Application Admins with Local Admin on Servers ... application developers needing local admin privileges on servers. ...
    (Security-Basics)
  • Re: Windows XP Professional x64 Edition ---> Delphi 2005 x64 Edition?
    ... Will DeWitt Jr. ... > Developers with 32-bit skills will be comfortable and quickly ... > productive in the 64-bit Windows environment, ...
    (borland.public.delphi.non-technical)