Allowing effective developer access to SQL Server
When creating a new application, after going through the entire business analysis & requirements gathering process, normally you wind up with a datamodel that includes many tables and relationships. By this time, depending on the size of the datamodel/system there has been considerable amounts of time invested on all sides. We need a way of preserving this investment of time while still allowing developers to do their thing!
Deploy
Most shops have policies in place for what level of access developers can have in each environment. In many places I've seen, developers are allowed DBO access in development, and some lesser access in the higher environments (read only usually).
After you've deployed the datamodel to the physical database in a development environment, before you grant the developer group dbo access consider all of the time/effort that has been spent making the datamodel what it is. In order to allow the developers to do their jobs but not allow them to modify the actual table/schema layout you can grant a combinations of privileges.
Grant Alter Schema on the schemas where the developers will need to modify database objects (for instance stored procedures and functions)
Grant db_datareader --to allow read access
Grant db_datawriter --to allow write access
Grant Create Procedure, Function, Default, Etc -- Allow developers to do whatever you are comfortable with
Deny Create Table in the database --This restricts all Table based DDL
Optional** Deny Create View, Function, Default, in the database -- Restrict any create/alter permissions as needed.
Important** Alter Schema permissions will allow Alter of ANY object type in the schema that you havent explicitly used a Deny on
Principle of least privilege
This method has proven effective to allow developers to write Stored procs, Functions & Views while still keeping the actual datamodel (tables and relationships usually) in pristine shape. You could also mix and match your own grants/denys on certain object types to allow for unlimited configuration without granting the almighty DBO. Yes, you might say that I'm a paranoid DBA who restricts permissions even in DEV! Of course my great developers would never change a modeled database thereby forcing my hand into figuring out this lockdown of privileges
Delicious
Digg
Facebook
Furl
Google Bookmarks
Live Favorites
Magnolia
Reddit
Slashdot
Stumbleupon
Technorati Favorites
Twitter
Yahoo! Buzz
1 comment
No trackbacks
RSS 2.0
Bloglines
MyYahoo
Netvibes
Newsgator
Rojo
1 comment
15 days ago
Another approach I use:
Be generous in granting privileges in the DEV database (but still lock down the server environment), but don't let Devs promote any DDL to the next environment. Only the DBAs can deliver/apply DDL to the next (usually QA) environment. So if the devs modify their tables/columns without the architect approving/knowing about it, their deployment to QA will fail.
I use tools that automatically compare the Dev database to the modeled database, then report on differences, so I'm not surprised when changes are coming.
I find this is a nice trade-off - it lets Devs do some what-iffing/testing/research, but also provides a strong incentive for them to still co-ordinate with the people who do the modeling.
The do sometimes still manage to try to sneak things in. If this dysfunction gets out of hand, then we go back to a locked down dev environment.
Write a comment
If you want to add your comment on this post, simply fill out the next form:
* Required fields
You can use these XHTML tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>.
No trackbacks
To notify a mention on this post in your blog, enable automated notification (Options > Discussion in WordPress) or specify this trackback url: http://www.allenkinsel.com/archive/2010/04/allowing-effective-developer-access-to-sql-server/trackback/