[ajug-members] Do Developers need Administrator rights

Rutherford, Robert rrutherf at intercall.com
Thu Dec 21 11:25:00 EST 2006 

In an MS environment developers need access to the admin account, or an
account with administrator priveleges. But per Dean's comment, actual
coding should be done with reduced access. This means devs shoud have 2
accounts on their dev boxes.  This is rarely the case. The dev usually
gets one account with admin priveleges.  On the other hand devs rarely
need to be able to add or remove machines from the corporate domain.  If
there is a need I recommend giving the devs their own network.

In the UNIX/Linux world its not as big a deal. Its easy to give a
developer enough access to develop on a box with an unpriveleges
account. Sometimes they will need more access, for instance when setting
up the actual app servers,  chown/chmod quickly takes care of most
privilege issues. Then the actual development is done with unprivileged
accounts, the app server itself runs in an unprivileged account.

Rob


-----Original Message-----
From: ajug-members-bounces at ajug.org
[mailto:ajug-members-bounces at ajug.org] On Behalf Of tooger at bellsouth.net
Sent: Thursday, December 21, 2006 10:45 AM
To: ajug-members at www.ajug.org
Subject: [ajug-members] Do Developers need Administrator rights

Fellow Developers

I need your input on the topic of administrator priveleges. The public
network is a dangerous place. To protect the interests of the business,
a network administrator has to put in place significant defenses. One of
these defenses is to impose a policy that restricts a user from
installing whatever they want onto their desktop/laptop. 

In the Windows world, this typically means that the user has no
administrator priveleges. This policy works well for the typical user
and certainly prevents them from installing all sorts of rubbish on
their corporate desktop exposing the business in many different ways.
The larger the company, the greater the risk, the more restrictive the
policy. I have found though that this policy doesn't work too well for
Developers (or is it just me).

Developers need to be able to install versions of tools and products at
will. At times, they may need to have access to the registry. They may
need to install and run desktop editions of some pretty advanced
software e.g. Oracle XE or SQL Server 2005 Express as part of building
their development environment. Trying to do our jobs without
Administrator priveleges is like being forced to paint a room with a
toothbrush and your hands tied behind your back. (Of course, I would say
the Windows security model is the root issue - can I do sudo in
Windows?)

However, I also recognise the need for a network administrator to secure
the network.

What is the solution to providing a flexible development environment for
developers without exposing the network? One solution may be to have a
dedicated development network separate to the corporate network. What
are your thoughts on this solution? What about other solutions (virtual
environments)? How do you cope with such restrictive policies
(personally, I've had to resort to using my own laptop and private
network at work)?

Jason

_______________________________________________
ajug-members mailing list
ajug-members at ajug.org
http://www.ajug.org/mailman/listinfo/ajug-members

More information about the ajug-members mailing list