I'm not 100% sure where I need to post this, but to me, this is a
security question, so I'll start here.

I have just started working for a new company and came in a huge
scuffle between Network Admins and SQL Programmers. The problem is the
programmers want full administrator control on the sql server, but the
network admins refuse to give it to them stating they don't need it.
My question for the group is, what (if any) kind of access do SQL
programmers need on the SQL server? (i.e., do they need administrator
priv, power users, std. user, etc) This question is not related to
database access, that is a different issue. This is about their domain
account rights to the SQL server.

Re: Security: Network Admins vs. SQL Programmers by Robert

Robert
Tue May 23 16:09:43 CDT 2006

RAlcant wrote:
> I'm not 100% sure where I need to post this, but to me, this is a
> security question, so I'll start here.
>
> I have just started working for a new company and came in a huge
> scuffle between Network Admins and SQL Programmers. The problem is
> the programmers want full administrator control on the sql server,
> but the network admins refuse to give it to them stating they don't
> need it. My question for the group is, what (if any) kind of access
> do SQL programmers need on the SQL server? (i.e., do they need
> administrator priv, power users, std. user, etc) This question is
> not related to database access, that is a different issue. This is
> about their domain account rights to the SQL server.

This very much depends on what the developers are doing with the server,
doesn't it?

I'm leaning towards agreeing with your network admins, because I strongly
believe that as few people as possible should have admin rights on
production servers, but rather than just tell the developers "No!", I would
try hard to understand what the devs are trying to do and why they think
that requires admin rights, and do what I could to solve their problem in a
way that makes everyone happy.

For example, if they're constantly needing to fiddle with stuff as they test
code then this is an argument for a separate "dev" server, not admin access
to the production server.

--
Rob Moir, Microsoft MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".



Re: Security: Network Admins vs. SQL Programmers by Seeker

Seeker
Tue May 23 16:32:50 CDT 2006

RAlcant wrote:
> I'm not 100% sure where I need to post this, but to me, this is a
> security question, so I'll start here.
>
> I have just started working for a new company and came in a huge
> scuffle between Network Admins and SQL Programmers. The problem is the
> programmers want full administrator control on the sql server, but the
> network admins refuse to give it to them stating they don't need it.
> My question for the group is, what (if any) kind of access do SQL
> programmers need on the SQL server? (i.e., do they need administrator
> priv, power users, std. user, etc) This question is not related to
> database access, that is a different issue. This is about their domain
> account rights to the SQL server.
>

Ask the SQL programmers why they feel they need to administer the
server. Of course, they don't but they think limited user rights will
keep them from performing their job. I would investigate which rights
really are necessary and do a trial. If there is something they can't
do that they should be able to, such as restarting a particular service,
grant that right granularly. It sounds to me like the network admins
are making use of separation of duties, need-to-know, least privilege
and some other core security principles. They are right.

Re: Security: Network Admins vs. SQL Programmers by Roger

Roger
Tue May 23 20:22:55 CDT 2006

If you look at the new certifications for SQL you will notice that
(finally) there is recognized a distinction between SQL development
and SQL Server administration. Also, SQL administration does not
necessarily include or imply awareness of the issues of Windows
Server administration.

To answer your question as stated, and believing SQL Programmers
to mean just what it says, then they only need DBO over the databases
with which they are programming.
Now, if they are doing tasks beyond "SQL programming", such as
defining new databases, establishing the backup regime, programming
to automate SQL services tasks (ex. health monitoring of an SQL
Server cluster, or of a distributed SQL replication or mirroring env)
then obviously DBO to the used databases is insufficient. In those
cases use of some of the Server Roles defined in SQL Server may
be warranted for a select subset of the "SQL Programmers".

I have a number of different dev teams that live fully within containment
to dbo for their databases. In turn SQL admin has responsibility for
all aspects of server and SQL Server health, tuning, recoverability,
etc. as well as for defining new databases upon justified need.

I might, if pressed (only a little), even argue that having SQL
programmers contained to dbo can be a good thing to make sure
that their resulting code is not "undeployable" and/or hazardous to
the SQL Server.

But, why do they need the ability to alter the settings of the nics?,
the IPsec policy?, the existing local accounts?, the . . . list is large.

As others have stated, ask for use cases in their work tasks that
show what DBO access to the predefined databases does not allow.

For each such case presented, establish that it is an appropriate task
for their job and then how to effect provisioning with the least excess
priv grants. For each such allocation that seems needed and that you
feel impinges on the responsibility/accountability of the server and/or
SQL admins, have them and your management accept their being
accountable for the potential impacts to your service agreements
before they are given the capabilities.



"RAlcant" <texcel@arsemis.homelinux.com> wrote in message
news:1148413622.833585.20720@38g2000cwa.googlegroups.com...
> I'm not 100% sure where I need to post this, but to me, this is a
> security question, so I'll start here.
>
> I have just started working for a new company and came in a huge
> scuffle between Network Admins and SQL Programmers. The problem is the
> programmers want full administrator control on the sql server, but the
> network admins refuse to give it to them stating they don't need it.
> My question for the group is, what (if any) kind of access do SQL
> programmers need on the SQL server? (i.e., do they need administrator
> priv, power users, std. user, etc) This question is not related to
> database access, that is a different issue. This is about their domain
> account rights to the SQL server.
>
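
The provisioning model Roger describes (developers contained to DBO on their own databases, a fixed server role only for a select subset, everything else left to the SQL admins), sketched in T-SQL as an added example that is not part of any post in this thread. The group names CONTOSO\SqlDevs and CONTOSO\SqlDevLeads and the database AppDb are hypothetical, "DBO" is read here as membership in the db_owner role, and the ALTER ROLE syntax assumes SQL Server 2012 or later.

```sql
-- Added example. Assumed names, not from the thread:
--   Windows groups CONTOSO\SqlDevs and CONTOSO\SqlDevLeads, database AppDb.

-- 1. Logins for the Windows groups. A login by itself carries no
--    administrative rights on the instance or on the Windows host.
USE master;
CREATE LOGIN [CONTOSO\SqlDevs] FROM WINDOWS;
CREATE LOGIN [CONTOSO\SqlDevLeads] FROM WINDOWS;
GO

-- 2. Developers get owner rights only inside the database they program
--    against (assumption: "DBO" means db_owner membership).
USE AppDb;
CREATE USER [CONTOSO\SqlDevs] FOR LOGIN [CONTOSO\SqlDevs];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\SqlDevs];
GO

-- 3. The subset whose job includes defining new databases gets the one
--    fixed server role that covers it, not sysadmin.
USE master;
ALTER SERVER ROLE dbcreator ADD MEMBER [CONTOSO\SqlDevLeads];
GO

-- 4. Audit: every member of every fixed server role. A BUILTIN\Administrators
--    row under sysadmin means Windows local admins are SQL sysadmins too,
--    which is how a domain-account grant turns into a database grant.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
GO

-- 5. Audit: who holds db_owner in the application database.
USE AppDb;
SELECT r.name AS db_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
GO
```

Running queries 4 and 5 before and after each granted use case gives both sides a record of exactly which rights were added and for whom.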