by protomyth 2198 days ago
I think I almost cried - after that I simply ignored them and deployed stuff when I wanted... :-)

Yeah, great. I'm sure nothing ever happened and if an outside audit showed up, the organization would have failed. Never mind if something bad happened, it's not only you getting axed.


The systems that needed that level of auditing were carefully controlled and I wasn't daft enough to modify those without CAB approval (in fact, I couldn't modify them).

One of the problems I have with these kinds of processes is that they often apply the same level of process to all systems when some systems really don't need that level of control.

This is a really tricky thing to get right. If you put too many controls in place, people route around and you lose control. If you place too few in place, you lose control. If you try to make the rules flexible, people don't understand the rules, and you lose control.

Maybe it would work better if you educate people instead of insisting on controlling them?

Maybe, but one thing I've found is the normal developer often doesn't have visibility into the financial or legal side of the company that often mandates things. Liability is often a problem and they don't often come for the developer when problems arise.