Recently at a company I work for they started rolling our new Windows 8 boxes to the developers, sans local administration authority for the developer on the box. This of course is for the safety and security of the organization as a whole, what if the developer downloads a virus or other malicious software.
The fact that this is still happening to developers in 2015 amazes me. Developers and IT should be a force for good in side a company but too many times I see these absurd lines drawn in the sand that just create a “us verses them” mentality, inhibit productivity, cause numerous issues and just overall create increased stress and friction for no good reason.
Let me be clear this isn’t domain admin rights, elevated rights to servers or infrastructure, just local administration rights on the developers computer. The days of developers, and frankly any IT worker, running around with domain admin/su/sa all the time for their primary account are long, long gone.
So why should you give your developers local admin rights on their development workstations, well here are my reasons.
- Drivers, Software, Tools, Environments and more almost all require admin permissions to install. Developers almost always have to install tools in a ad-hoc fashion. I recently needed to look inside a compiled .Net DLL to ensure it matched the emit of a build process. This required me to install Telerik’s JustDecompile to do this. Without local admin I couldn’t do this on the fly and the delay could have halted a production deployment. The toolset developers need today, will be different tomorrow, the world we work in advances too fast.
- Debugging is a dark art, not cut and dry. This is the most difficult thing to explain to non-developers and the business. Debugging is as much as on feel, trial and error or random chance as it is on pure knowledge or process. We’ve all been at the end of our ropes debugging an issue, tried something random and that lead to the discovery of the issue. A lot of debugging, like when attaching to other processes (i.e. IIS worker processes) requires elevation. I currently work on mobile applications, which means I use Fiddler to debug network traffic between a mobile device and our service stack. Can’t install Fiddler without local admin.
- Configuration Changes, Process\System Changes and Testing. We’ve all changed system settings to try and figure out an issue, for example giving ‘Everyone’ write access to a temp folder to ensure a log file get created, or trying to figure out other permission issues. I’ve changed IIS Settings/Modified Registry keys, etc. It’s impossible to properly convey all the things you may possibly need to do to get things to work or get around an issue.
- Every developer is different. Oh boy is every developer different. Developers are not factory workers or even IT workers, what we do is so very creative and tied to flow and proper mindset. To create an environment conductive to being creative it needs to feel like your space. That includes your system and hows it’s setup past just the colors of the desktop.
- It’s Insulting to most developers. Developers are usually intelligent, technical, skilled, passionate and opinionated. Most take pride in what they produce and how it’s produced. Locking them out of their own local machines or severely hampering won’t go over well, moral will drop, discontent will grow and your output will drop and turnover will increase.
- Chances are there is no law or regulations affecting the private sector that can be applied local admin. I’m sure there are some IT guys out there right now screaming “SOX” at their monitors, but no, that doesn’t apply to a developers local workstation. You find me a law or regulation for a private sector company that expressly limits local workstation administrator rights and I’ll buy you a shot of Macallan.
- If your worried about those evil developers installing bad software you’ve hired wrong. A developer can cause far, far more damage to your company. There is no control you can put in place that will prevent a developer from completely running a system if they wanted to. If you don’t trust a developer to use local admin properly why would you trust them with your product, or IP?
If there truly is a requirement then find a way that doesn’t involve adding more friction to a developers life. We deal with a lot of performance sapping, flow crippling, joy eating friction in general, to then be chained and inhibited from working to our full capacity is straw that should never end up on our backs, especially when so much rides on what we produce.