tags:

views:

200

answers:

8
+1  Q: 

Granting SA privileges for Developers on the development box

In spite of our vehement protests, our management has decided that the development team must be granted 'sa' rights on the development server. The catch is that we, the DB support group are still responsible for maintaining this box.

We have now been entrusted the task of coming up with a list of Dos and Don'ts for the development teams with these enhanced privileges.

Please add to this list:

DO -- confine activities to the DB under development

DO NOT --

  • change any SQL instance settings
  • sp_configure (including cmdshell)
  • add/change/delete any security settings
  • add/change/delete database objects
  • add/change/delete server objects like backup devices and linked servers
  • add/change/delete replication
  • add/change/delete maintenance plans
  • touch any database that doesn't belong to your team

Any pointers to tools available for tracking these users activities will be greatly appreciated.

+1  A: 

I do not think that they need SA privileges on the Development box. In almost all cases, they can do without.

I think a good option is to have local dev edition installed.

question:

You do not want developers to add/change/delete database objects?!! How are they going to develop?

Raj More  2009-10-23 19:00:12
Sorry about the confusion. What I meant by that bullet point was that developers must not change database settings or drop databases.
Raj  2009-10-23 19:24:04
A: 

SQL Server Auditing is what you want, but, if you will do all the database object creation for them, why do devs need sa?

http://msdn.microsoft.com/en-us/library/cc280526.aspx

Vinko Vrsalovic  2009-10-23 19:00:19
+5  A: 
Joel Coehoorn  2009-10-23 19:03:30
+1: Excellent alternative approach!
John Sansom  2009-10-23 19:16:41
A: 

On suggestion I have is to set up Policy-Based Management and enforce all your 'do' and 'don't' as policy rules. This would go a long way to protect the instance.

I would also deploy DDL change auditing, see Auditing in SQL Server 2008, not so much as a deterrent, but mostly as a change tracking system so when something is screwed, at least you'll know what changed.

Remus Rusanu  2009-10-23 19:06:34
+3  A: 

It says here (MSDN) you need sysadmin (sa) to debug on SQL Server 2005.

However, this SO question shows another way without sa , which is what I thought initially. Simply allow them to run sp_sidedebug

I'd also suggest giving them local SQL Express which also solves other issues...

(edited with more info)

Edit, after W. Craig Trader's answer

Other issues with "sa" rights, in the worst case:

  • developers will create untrusted CLR assemblies
  • they will use xp_cmdshell
  • all actions are in the context of the sql server service account
  • they will assume sa rights for the client connection
  • etc etc

eg xp_cmdshell 'scm -Action 6 -Server PRODSERVER'

gbn  2009-10-23 19:20:58
+2  A: 

If it's the DEVELOPMENT server, what's the problem with the DEVELOPERS being able to have full access? Telling developers that you can't add/remove/change database objects (eg: tables, columns, indexes) is like telling them "You can have a compiler, but you aren't allowed to run it". It would seem to me that the developers want/need access to their own database instance specifically to allow them to test different methods of solving problems WITHOUT having to muck with the PRODUCTION or TEST databases. You should be encouraging that sort of behavior, not discouraging it.

Some might suggest that developers work with local instances of SQL Express, but while SQL Express for each developer can solve certain problems, it has different limitations and performance characteristics than full SQL Server on a separate server.

What you SHOULD do is institute a regular backup schedule (at least nightly) and work with the developers to ensure that they know how to initiate unscheduled backups, and restore from backups, so that downtime is minimized in the event of problems.

Craig Trader  2009-10-23 19:24:06
Your analogy is completely wrong. What happens is they muck around and then whinge when they can't migrate their mucking around to locked down servers. I'm a developer DBA of course :-)
gbn  2009-10-23 19:28:58
Then a little education is in order. I'm a developer whose been a DBA all too frequently. With a foot in both worlds, it's usually been my job to teach both sides to coexist. After all, it's the USERs who are the enemy, not the DBAs or Developers...
Craig Trader  2009-10-23 20:05:33
There's also things like maintenance plans that they shouldn't have access to.
Joel Coehoorn  2009-10-23 20:17:54
Put another way: when he says "database objects" in his question, he's _not_ talking about tables or columns or stored procedures. He's talking about user logins. And maintenance plans. And profile traces. Jobs. Maybe indexes, depending on where you draw the line. These are things that the dev side shouldn't touch.
Joel Coehoorn  2009-10-23 20:19:51
The problem is, we have multiple Dev groups and this server host all their DBs. This group that requires 'sa' rights own only 33% of the Dbs. The concern is that they may screw around and bring the server down, impacting other groups as well. The company does not want to get seperate hardware for them, unless we are able to prove that they screwed up.
Raj  2009-10-23 20:28:53
That's ridiculous. Each development group should have their own server, so that no one steps on anyone elses toes. Hardware these days is practically free, and software almost as cheap as hardware. And if your organization is large enough to have multiple development groups, it should be using server virtualization, which would make all of this even easier.
Craig Trader  2009-10-23 20:52:11
+1  A: 

Its the dev server, not the DB support group server, or the production server. Keep a good backup/image and let the devs hack away. Letting DBA's control the devbox is like letting the tail wag the dog. Its there for developers to do developer work on. This involves breaking things sometimes and dropping tables, and then putting them back with different settings. Dev boxes are always going to be in a state of disrepair after awhile, that's what we do. If we don't know where a problem is occurring, we try different things out. Some of them are easy to undo, some not so much.

Steve  2009-10-23 20:18:25
A: 

We require all database structure changes to be done with scripts (even on dev) and saved in subversion. Then on a set schedule we refresh dev from prod and they have to rerun their scripts to get back to where they were in the development cycle. This helps ensure that everything is done through scripts and that they have scripts ready when it's time for deployment.

I know in 2008 you can set up DDL Triggers to track database structural changes, can you do this in 2005? This way at least you can find out when someone changes a setting who did it and find out why.

HLGEM  2009-10-23 20:27:47

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?