I've seen situations where everyone on the engineering team has direct SSH access to the production database and other cases where practically no one does, and everything is done through GitOps or similar peer-reviewed migrations. Curious what you have seen when it comes to production access?
It varies, and it can ebb and flow at a single company, in a single business unit even.

Some of the… more permissive arrangements have been rather… fascinating.

Some of the supposedly well regulated ones were more like cults. Bring your completed forms, receive your foolishly named certification. Oh the things the forms are asking about? Nah it doesn’t really matter. Understand the requirements? You bet. There’s only one. Complete those forms. Get that star.

Not sure I have ever seen it done well. Certainly some places far better than others.
I work in a highly regulated environment. Big company.

The DBA team sets up databases and service accounts. They give those accounts to the developers. The two can’t do each other’s jobs. It helps that we are regularly audited.

Have also worked at a startup where things were as you described. I ended that immediately. It took us some time to figure out who needed what and how we could accommodate proper controls.

It really depends on circumstances, but start thinking in terms of “blast radius”.
I work at a bigtech company, and, depending on how you look at it, either everyone in a technologist role has prod access or nobody does. You have to get peer approval to access your team's sliver of prod, and some teams take this very seriously, while others act as rubber stamps for each other.
We've had very segmented access for all of our Ops people. It took a while to get used to and made a lot of sense at the time.

Any privileged access is done through our jump boxes.

However, there are times where we need full access to production, like some of our applications would, which makes us question the whole point of the exercise.
Company with hundreds of engineers, we all have access, but we need to (a) raise a ticket explaining why we need it and (b) have a peer (note: peer, not manager or something) confirm. And if you're on-call this doesn't apply.
2/5 engineers. SOC 2 compliance forces us to use automation and peer reviewed actions as much as possible, which may slow you down in the short term, but improves reliability and security in the long run.
Define 'engineers'. Are you going to use the specific meaning or the inaccurate, wider usage of the term? (as in the meaningless, poorly-specified 'software engineers')