Thursday, March 29, 2012

DBA Contract without Local Admin privileges

O what a place to be

I started this Contract as an (Interim) for a new DBA role, for an application support Company last month & all was going well.

The User Application is run via Citrix against multiple Hosted Sybase ASA Databases.

I introduced SQL 2005 with Reporting Services as a mixed Data Mart Remote Query via ODBC Linked Servers setup.

Because they had never had a DBA before, the data I was able to pull from over thirty separate databases into one and present via Reporting Services has blown them away.

And then one day the Senior Support Analyst told me he had put the main, most important Sybase Database on a completely separate domain he had created (with no Trust between the two), because he was unable to secure the existing domain against unauthorized remote internet intrusion & Viruses.

(I never liked the idea that hosted customers were domain\users on the Corporate network)

To add insult to injury he then told me to install & maintain another SQL Box on the new domain, OK so far.

I logged into the supposed new box via Citrix & then Remote Desktop, and to my disbelief he had the desktop locked down - no access to Control Panel or anything - he asked me why I needed access - I told him - he asked me why I need to have reboot privileges - I told him.

So now he's installed 2005 himself in the vain hope I can work without Local Admin privileges or the need to unlock the Desktop - he certainly won't give me Domain Admin.

I just cannot believe I'm unable to persuade him to unlock the Desktop & have even threatened to walk out unless he lets me do my Job.

He probably doesn't like me, but there can be absolutely no question about my abilities or accessing data that I shouldn't.

He's basically read a Deny by Default article and expects me to start off as a user with a locked desktop and then request & justify escalating my security from there.

Is this possible ?

Good Grief :eek: Any ideas what I should do ?

Thanks

GW

& have even threatened to walk out unless he lets me do my Job.

I say do that! :p

Or tell him that if the server needs a reboot then he has to do it - point out to him that if the server goes down (day or night) he will have to remote connect to work and sort it out - rather than having one of his capable "drones" doing it. Tell him to expect to be on-call 24/7/365 (that is assuming that he wants his customers' server to be online 99.9% of the time).

If he's so uppity about security then maybe you should suggest signing some disclaimer saying that you're not going to prat about with the server or any sensitive data it contains?

You can't do your job without the access, period.

Alternatively, simply tell him to "[expletive] off" when he asks you anything about that server :D

I would just pester him with emails (cc'd to appropriate folks) that you need various tasks done on the server. Be good and vague about the actual details. For example: "Please be sure that daily backups are taken of these databases." If he is worth dealing with, he will figure out SQL Agent quickly enough. If not, well, just sit back and laugh as he does the backups manually. Escalate as necessary (Make sure the backups are not on the same physical disk as the database).

Once he has all that squared away, if you are not satisfied, hit him up with profiler trace requests. This should be accompanied by a stream of SQL scripts that are "tweaks to existing code".

Polish the whole thing off with requests to load data from various sources (implementation details left to him, of course).

And of course, most importantly, sprinkle liberally with thanks, and politeness.

Ahh, the old scaremongering tactics - hadn't even crossed my mind!

Who is your manager? They should be fighting this battle with/for you. If you were hired to do a job and are unable to, it will reflect badly on the whole chain.

Alternatively I think goergev's first approach is best. Getting into a p_ssing contest with a Senior employee when you are new is not a wise path.

Changing culture is never an easy task. Good luck.

MMMmmmmm tehe - U Monkeys !!

Such a shame though this is going to slow my dev progress to a crawl & I take pride in my work.

I'm happy as a contractor and wouldn't take a permie role anyway - hope the new DBA likes his new life.

I just wonder how he's (Senior Support Analyst) gonna secure his brave new world when he's not capable of purging the existing one.

Dunno loads about Citrix & Network Security best practices, but is it common to let Customers on to the Corporate Domain as Users? Is Citrix really that secure?

I figure he's set himself up as Domain Admins and doesn't want to share his power with the rest of IT.

GW

I figure he's set himself up as Domain Admins and doesn't want to share his power with the rest of IT.
bingo! :)

If he's willing to take all the power, then he's gotta be willing to take all the responsibility that comes with it too.

Sorry, I misunderstood your message of "interim for a New DBA role". I saw that as "contract for hire".

I am a contractor too so I understand the "no permies" feeling. But I will ask you the question: what were you hired to do? Write reports, prepare the way for a new DBA, or both? Since you are a contractor you can be even bolder in dealing with culture. Tell them there is a helpful way and a non-helpful way to do things. Right now he, and by extension the company, is in a non-helpful mode.

As a contractor I would much rather come into a company where the previous contractors were helpful themselves because it makes my experience better.

Sorry Bartron, maybe I wasn't quite clear.

The company had never had a DBA before - they hired one but had to wait 3 Months for him to start - Thus I got the contract for 3 months to fill in.

(they have a 5 strong IT Application Support Dept with strong links to the Application Developers in the holding company)

The new DBA has since turned down the job & the Co. are now actively seeking someone else.

My Brief was simple: "Consider us a Greenfield site and start from scratch doing what you think is Best - we need reports on all these separate Sybase databases".

So I recommended and implemented a SQL 2005 Data Mart with reporting Services.

GW

Sounds like a great approach to their original intent.

Good luck dealing with the new agenda. :-) Seems like "doing what you think is best" should give you some leverage. Of course they can always ignore it. Their peril.

... expects me to start off as a user with a locked desktop and then request & justify escalating my security from there.

Seems pretty standard at face value. I don't need domain or local admin on any of our production SQL Server boxes to do my job. It would help and it sure would be nice, but I don't need it. By the same token, our network engineers understand and take on responsibility for the server itself. This includes restarting it on my request, staying current with patches and feeding me requested WMI indicators.

The problem arises when someone is locking you down just because they can. If they still give you grief after you have clearly justified your requirements, take it to your contract admin and draw a picture for them of how this person is directly hindering your ability to perform.

Thanks to everyone for your support.

Looks like I'm just gonna have to leave em with a less developed and less stable product.

Thanks Teddy for clarifying it is possible to be a DBA without Local Administrator security.
(Do they allow you to access the control panel or event logs ?)

Just seems ridiculous to me considering I'm the only DBA here & I recommended, designed & wrote the Bl**dy thing.

It's not even an OLTP it's a sodding homemade Data Mart.

The only thing on this new network for the next few months is one of the 30 Sybase DB's - I have Domain Admins to the current network.

:eek: A Contractors Life is not an easy one.

GW

Thanks Teddy for clarifying it is possible to be a DBA without Local Administrator security.
(Do they allow you to access the control panel or event logs ?)

No, yes.

I'm in a highly responsive environment though so this works fine. If I OMGJUSTNEED to perform administrative tasks, I can tap an engineer and either guide them or have them over my shoulder as I do whatever it is I need to do. I get whatever general filesystem access I request and I can requisition whatever additional logging I need including exposing log files, setting up wmi logging or asking for a new package to be designed for one of our third-party performance monitoring applications.

If engineering wasn't as responsive as they are, I would be able to justify administrative rights on our servers. If you're in one of those "job security through obscurity" environments where one person is guarding the keys to the proverbial kingdom with their life, then you might want to go ahead and push for those admin rights.
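Teddy's point above, and georgev's earlier one about backups not living on the same disk as the database, can both be checked from inside SQL Server with no Windows admin rights at all. The script below is an added example and is not from anyone in this thread; it assumes SQL Server 2005 or later and a login that is sysadmin (or at least has VIEW SERVER STATE plus read access to msdb) inside SQL Server only, with the operating system left to the engineering team. Every statement is read-only.

```sql
-- Added example (not from the thread). Assumes a SQL Server 2005+ instance and
-- a DBA login that is sysadmin within SQL Server but has NO local admin on the
-- Windows host. All queries are read-only.

-- 1. Backup history: last full backup per user database and where the file
--    went. Compare the backup drive letter against the data/log drive letters
--    from query 2 to confirm backups are not on the same physical disk.
SELECT  d.name                       AS database_name,
        b.backup_finish_date         AS last_full_backup,
        mf.physical_device_name      AS backup_file,
        LEFT(mf.physical_device_name, 1) AS backup_drive
FROM    master.sys.databases AS d
LEFT JOIN (
        SELECT database_name, MAX(backup_finish_date) AS backup_finish_date
        FROM   msdb.dbo.backupset
        WHERE  type = 'D'                -- D = full database backup
        GROUP BY database_name
        ) AS last_b
        ON last_b.database_name = d.name
LEFT JOIN msdb.dbo.backupset AS b
        ON b.database_name      = last_b.database_name
       AND b.backup_finish_date = last_b.backup_finish_date
LEFT JOIN msdb.dbo.backupmediafamily AS mf
        ON mf.media_set_id = b.media_set_id
WHERE   d.database_id > 4                -- skip master, tempdb, model, msdb
ORDER BY b.backup_finish_date;           -- NULLs (never backed up) sort first

-- 2. Data and log file locations for the same databases.
SELECT  DB_NAME(database_id)             AS database_name,
        type_desc,                       -- ROWS or LOG
        LEFT(physical_name, 1)           AS data_drive,
        physical_name
FROM    master.sys.master_files
WHERE   database_id > 4
ORDER BY database_name, type_desc;

-- 3. Read the current SQL Server error log without Event Viewer access.
--    Arguments: log number (0 = current), 1 = SQL Server log (2 = Agent log),
--    then an optional search string. Here: failed logins in the current log.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 4. Server health indicators from inside the engine (needs VIEW SERVER STATE),
--    in place of asking engineering for perfmon/WMI counters.
SELECT  object_name, counter_name, instance_name, cntr_value
FROM    sys.dm_os_performance_counters
WHERE   counter_name IN (N'Page life expectancy',
                         N'User Connections',
                         N'Batch Requests/sec')
ORDER BY object_name, counter_name;
```

Run it from Management Studio over the existing SQL login; nothing in it touches Control Panel, the filesystem, or the Windows event log. If a row in query 1 comes back with a NULL last_full_backup, or the backup_drive letter matches the data_drive letter from query 2, that is the concrete, non-vague evidence to put in the e-mail to whoever holds the server keys.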
