- Why do programmers need access to production environments?
- Should we have all programmers log what they do on production environments to know where we are?
- How often do programmers have to find answers or information from production data for end users?
- Can we duplicate errors, both batch and interactive?
Monday, August 8, 2011
Locking down our System i from programmers for the purpose of segregation of duties.
In our initial meeting to discuss how we shall go about the lockdown, I will share why we need/want to keep programmers off the production box. Before we lock down programmer access, we need to provide them with all the tools they need to do their job as they do today. Next, I will ask the following to start the "teaming" process:
As expected, lots of push-back from our developers. Not only are our developers programmers but many are analysts as well so they interact with the business much more than the average programmer.
The path that I'm going to recommend today is multi-tiered and multi-phased:
Phase 1
1) Supply developers with a full set of production data in real-time on the development system (PRD layer).
2) Remove compilers from production system.
Phase 2
1) Provide a programmatic mechanism to update/refresh programmer test data with the PRD data.
2) Provide a way for legacy programs (mostly Cold Fusion) that have production libraries hard-coded to test against test data rather than PRD.
3) Create a mechanism for programmers to access the production system from the development system in the event there is an emergency. The access would be logged and be such that the programmer never types a password on Production.
Phase 3
1) Mask sensitive data on the development system. Phase 3 may be the last sequential phase but we will start working on it immediately after Phase 1.