Re: Application Admins with Local Admin on Servers

[krymson () gmail com]

My last two jobs have been with ASP web-based companies, so I've seen quite a lot of developer<->sysadmin interaction 
in developing and supporting sites and servers.

I think the majority of people here will say the separation of duties is more important than giving admin rights to the 
developers. If you do give them server rights, you essentially should be telling developers they are managing the 
servers. Too many hands make for badly managed servers, especially when developers tend to not make very sound sysadmin 
decisions. Likewise, sysadmins likely shouldn't be changing or updating code they don't write.

I've only given developers enough access to the servers to place files where they need to go, so basically share level 
access to some locations. Typically this is never directly into the web roots, but rather into staging areas where they 
can then control the pushing of code up through a process or request that a sysadmin perform the deployment.

There is plenty of leeway in this, especially when you start talking about whose responsibility is it to troubleshoot 
problems, enforce restrictions/requirements, and evaluate performance. There can be a lot of friction between both 
teams in those cases, so make sure the dev and sysadmin teams play nicely and sit down together in a meeting room to 
hash out those problems together. That way each can still do their duties without having to compromise and make devs 
admins, for instance.

There is also plenty of leeway depending on the size of your company and the two teams. The larger it is, the less 
people you can tolerate to be updating things on their own. Small companies with small teams may have to settle with 
developers having some access and admin rights on servers if that's what it takes to Get Things Done.

If you have any further specific questions, feel free to post them here for even more specific answers! :)


<- snip ->
I am trying to get a feel for what other companies do with regard to
application developers needing local admin privileges on servers. I am
specifically working in a Windows environment but believe that the
same principles would apply in any environment. Here are my questions:

Do you grant admin privileges to application developers?
If not, do you grant them specific access or do you take care of the
work for them?

I do understand that it is a violation of separation of duties to
allow application developers to have local admin or root on systems, I
am simply try to get an idea of what the rest of the community does in
practice.

Thanks!