Re: Developers Access in PROD
From: lindawie (lindawie@my-deja.com)
Date: 05/31/02
From: "lindawie" <lindawie@my-deja.com> Date: Fri, 31 May 2002 00:27:31 -0700
Dinky,

> In your SQL Server shop, what kind of access has been
> given to application developers? i.e. db_reader,
> db_owner, public etc...

Developers should only have as many permissions as they need.

If the development organization owns the development servers,
then developers can be in the db_owner role. They should not
have the sa password. This just causes more problems than
it solves. The QA organization decides how much access they
want to give to developers for the servers they own.

If I'm in charge of production, developers will not have
any access at all to production servers. If they have done
their jobs properly they don't need it, anyway. I'm willing
to make production backups available on a share for them to
copy over to their own servers. If the database contains any
sensitive data (financial, personal, business intelligence),
then the database goes through a "scrambler" first to replace
the real data with nonsense stuff, or developers don't get it.

Developers are a significant security risk in any organization,
so network administrators and dbas need to factor that into
their security model.

Linda
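
A sketch of the kind of "scrambler" pass the message describes, added here as an example and not taken from the original post or from any tool Linda used. The table names, column names and the keyed-HMAC approach are assumptions made for illustration; rows are plain dicts standing in for data read from a restored backup.

```python
import hashlib
import hmac
import secrets

# Hypothetical schema: which columns are sensitive, and what shape they have.
SENSITIVE = {
    "customers": {"name": "text", "ssn": "digits", "email": "email"},
    "payments": {"customer_ssn": "digits", "card_number": "digits"},
}


def new_export_key() -> bytes:
    """One random key per export; discard it afterwards so the mapping
    cannot be rebuilt on the development side."""
    return secrets.token_bytes(32)


def scramble_value(key: bytes, value, kind: str):
    """Replace one value with nonsense of the same shape. NULL stays NULL."""
    if value is None:
        return None
    text = str(value)
    # Keyed one-way digest: the same input always maps to the same output,
    # so a value used as a join key in two tables still matches afterwards.
    digest = hmac.new(key, f"{kind}:{text}".encode(), hashlib.sha256).digest()
    if kind == "digits":
        # Keep length and separators so column constraints still hold.
        stream = iter(digest * (len(text) // len(digest) + 1))
        return "".join(str(next(stream) % 10) if c.isdigit() else c for c in text)
    if kind == "email":
        return f"user{digest.hex()[:12]}@example.invalid"
    return "".join(chr(ord("a") + b % 26) for b in digest[:12])


def scramble_table(key: bytes, table: str, rows: list) -> list:
    """Scramble the sensitive columns of one table; other columns pass through."""
    rules = SENSITIVE.get(table, {})
    return [
        {col: scramble_value(key, val, rules[col]) if col in rules else val
         for col, val in row.items()}
        for row in rows
    ]


def surviving_values(table: str, before: list, after: list) -> list:
    """Release check: sensitive values that came through unchanged."""
    rules = SENSITIVE.get(table, {})
    return [(col, old[col]) for old, new in zip(before, after)
            for col in rules if old.get(col) is not None and old[col] == new[col]]
```

Running `surviving_values` over every table before the copy is placed on the share gives a simple gate: a non-empty result means the export is not released.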