[paranoidrobot]

Lets go back to the original core assertion for the thread -

> > Every developer needs access to some servers for example to check the application logs.

> I fundamentally disagree with this.

So,

Developers shouldn't be reaching for SSH access to check logs.

If you're encountering problems that you can't diagnose through the existing logs, then you should probably be involving at least one other person - someone who has that production experience, who might have some additional knowledge about the problem.

If, and only if you've exhausted other avenues - then reach out for SSH access. But it should be a last resort, not the first resort. Plus, anyone SSHing into production boxes should really be very familiar with how production is configured. You can do more harm than good by poking around on a production box being completely unaware that you're causing alarms and outages elsewhere because you taking a memory dump of nginx caused in-flight requests to get timeouts and so-forth. The people with that experience are generally the DevOps/Infrastructrue folks since they're the ones who deal with production all day, and are going to get the pages if something goes wrong with that.

[shawnz]

Some of your developers might have that experience even if they were not hired as devops engineers, or they might be able to consult with their colleagues who are developers who have that experience but aren't devops engineers. I think it is usually better to let people work in the way that is most efficient for them. Also, this doesn't necessarily have to apply to production systems.

[paranoidrobot]

> Some of your developers might have that experience even if they were not hired as devops engineers, or they might be able to consult with their colleagues who are developers who have that experience but aren't devops engineers. I think it is usually better to let people work in the way that is most efficient for them.

Yeah, perhaps. It'll depend on the circumstances, right.

I've got a reasonable amount of GSuite and Exchange experience, and same for Active Directory. I'm reasonably confident that I can work my way around those and do most of what I need to do without breaking it.

I needed some GSuite groups set up, some folks added to them, and a GSuite OAuth application set up and some values passed back and forth to do some integration. The only way to do all of that is with full GSuite Administrator rights.

Now, I could ask why they don't just give all Devops folks GSuite admin rights, it'd be much easier (for me) and I could do my job more efficiently.

The response is going to be something along the lines of:

> You don't need that access most of the time. > The times you do need that access it's often for a limited time or scope, and to resolve a specific problem. > For now, It's better that you work with someone who is responsible for that stuff on a day to day basis to do those things.

This is, in my opinion, pretty reasonable. Sure, it meant more delay until someone was available to do the GSuite configuration, and we needed to jump on a call to pass IDs back and forth and test it out. But it got done, and it wasn't overly burdonsome.

They didn't hire me as a GSuite, Exchange or AD Admin - they already have folks to handle that. That I have that knowledge and experience is still useful for the company - I know exactly what to request is done, and we can talk on the same level about it. Heck, if it turns out that I need this every day and I'm constantly going back and forth with them on setting things up - then I might get that access, but it'll probably come with an explicit requirement that I use it in specific ways, that I follow their processes/procedures, and keep them informed on when I'm using it and why