Why is it a bad idea to grant DBA to all developers? On one project I
support, the programmers all use the same project-level account
'projectXdba' to develop and run queries, but whine because they're
not able to differentiate easily the multiple running sessions by
name. The final queries are also run in production as user
'projectXdba.' So they all now want DBA privilege for their
individual logins. Why should I tell them to pound sand?

On Mon, Jan 30, 2012 at 15:15, red_valsen <red_valsen (AT) yahoo (DOT) com> wrote:

If they are equipped to be the DBA, then having separate user accounts with
their own passwords for each DBA is far better than the non-accountability
of a single login that everyone uses.

DBA privileges should be granted sparingly. Are you sure it has to be DBA
privilege and not RESOURCE privilege? In theory, RESOURCE privilege is
sufficient for much development work, though if all objects have to be
owned by a specified user (or small subset of users), then only a DBA can
create objects on behalf of those users.

However, just as with root (and informix), you are far better off letting
multiple people connect with individual traceablity than sharing a
non-traceable single account. People don't care as much when their actions
can't automatically and reliably be traced to them.

If people with DBA privilege show themselves to be unsuited for the
privilege, or under-trained for the privilege, you can revoke the privilege
and get them the training they need to become responsible and educated
enough for the job.

There is also a difference between production systems and development
systems. You can be more lax on development systems if you have a good
separation between development and production.


Also, for the purposes of this discussion, I am distinguishing between DBA
privileges (which apply to the controls of one database within an instance)
and DBSA (database system administrator) privileges. The DBSA privileges -
operations which otherwise require 'informix' privileges - should be kept
under careful control, even in a development environment if the DBMS
instance is shared. If the environment is the developers 'own' (a local
instance on their own machine), you can decide whether they have full
control of that, but it would be good to let them have it, so they can
learn without affecting others.


--
Jonathan Leffler <jonathan.leffler (AT) gmail (DOT) com> #include <disclaimer.h>
Guardian of DBD::Informix - v2011.0612 - http://dbi.perl.org
"Blessed are we who can laugh at ourselves, for we shall never cease to be
amused."