RE: How do you feel about allowing non-DBA's on your database servers?

From: Roberts, David (GSD - UK)
Date: Mon, 27 Jul 2009 17:16:04 +0100
Message-ID: <257FBD236721014D851163D8B68CAB1E054B72F4_at_UK-EX012.groupinfra.com>



I would say that there are 3 scenarios.  

Firstly, the historical scenario where for performance reasons, the application and Database are both implemented on the same server.  

Here it is unfortunately necessary that developers have access to their application. However, I would also suggest that it would probably be worth re-architecting the solution so that the database was segregated from the application, even if the only way to justify it would be to dangle the possibility of saving on Database license costs.  

Secondly, there is the scenario where the DBA does not have root access, where the sysadmin is required to run root.sh on your behalf etc.  

In this scenario, it is the ultimate responsibility of the sysadmin to either grant or deny access, although it is obviously appropriate for the DBA to advise (against).  

Finally there is the scenario where the DBA has free access to root.  

It is of critical importance that duhvelopers are not granted access in this scenario. I have seen many cases where DBAs have chmoded 777 /usr/local/bin, so they can copy in their scripts without resetting the permissions afterwards, or writing root crontab setups to flat files to edit them safely, and then after the new settings have been implemented not deleting the crontab file backup, so any user can then read the contents of the old root crontab file!  

It is a given that the DBA is the expert in Oracle; they are unlikely to be an expert in all the underlying operating systems on which Oracle is implemented. In the area of the operating system, the developers are likely to have knowledge that the DBA lacks, and granting access is probably going to give the developers substantially more power than was anticipated or planned.  

Dave  


--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jul 27 2009 - 11:16:04 CDT
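
A check for the two slips described in the message above (a world-writable directory such as /usr/local/bin, and a leftover world-readable copy of root's crontab), as an added example that is not part of the original post. The function names, the fixture tree and the sample crontab entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and fixture paths are hypothetical.

# Matches a crontab entry: five schedule fields followed by a command.
CRON_LINE='^[[:space:]]*([0-9*/,-]+[[:space:]]+){5}[^[:space:]]'

# Print every directory in a colon-separated list that any user can write to.
world_writable_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] || continue
        # -prune: test the directory itself; -perm -0002: "other" write bit set
        find "$d" -prune -perm -0002 -print
    done
}

# Print world-readable files under the given directories that contain crontab
# entries, e.g. a forgotten dump of root's crontab.
readable_crontab_copies() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -0004 -exec grep -lE "$CRON_LINE" {} + || :
    done
}

# Build a constructed fixture tree (not real system paths) and print its root.
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/bin_open" "$root/bin_ok" "$root/tmp"
    chmod 777 "$root/bin_open"
    chmod 755 "$root/bin_ok"
    printf '0 2 * * * /u01/scripts/backup.sh\n' > "$root/tmp/root_cron.bak"
    chmod 644 "$root/tmp/root_cron.bak"      # left readable by everyone
    printf '0 2 * * * /u01/scripts/backup.sh\n' > "$root/tmp/root_cron.safe"
    chmod 600 "$root/tmp/root_cron.safe"     # owner only
    printf 'not a crontab\n' > "$root/tmp/notes.txt"
    chmod 644 "$root/tmp/notes.txt"
    printf '%s\n' "$root"
}

fx=$(make_fixture)
echo "World-writable directories on the search path:"
world_writable_dirs "$fx/bin_open:$fx/bin_ok"
echo "World-readable crontab copies:"
readable_crontab_copies "$fx/tmp"
rm -rf "$fx"
```

On a real host, pass root's `PATH` to `world_writable_dirs` and the directories where edit copies tend to be left to `readable_crontab_copies`.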
