Why do end users have direct access to a database? What do they do with it? Copy and paste from their Excel sheets into a GUI database client? Why is there no layer of software in between?
Situations where you have enterprise setups have users measured in the 10s of thousands.
There will be existing tooling around ACL management (typically AD). User Access Management groups, geo-separated local account manager, multiple help-desks to allow for disaster plans (pandemics, fires, localized grid failures).
Access can be as simple as:
- my application will use a system-account, and we'll manage access
- my application will pass user credentials (based on AD), these are the groups (based on AD) that have read/write/delete access; regional team leaders will request access using existing UAM, regional managers will authorize requests, your existing tooling will process those requests as you are the designated authority over those groups
Changing this requires either exceptional levels of observable returns on effort, or extreme willpower and political power.
During evaluation of MS SQL / PostgreSQL / whatever, fitting into existing UAM will be a requirement.
Because the world, and especially the enterprise world, is full of smart analysts who aren't programmers but who are pretty hotshots with SQL and Excel. They can answer a LOT of ad-hoc business queries just with those two tools and don't need expensive slow programmers to spend 3 months twiddling JIRA tickets when they could get the same answer in a few hours, when they have direct database access.