CodeBetter.Com
Sign in | Join | Help
in Search
CodeBetter.Com
RSS 2.0 via Feedburner
           Do you Twitter? Follow us @CodeBetter

Eric Wise

Business & .NET

Politics and Role Based Security

I spent my afternoon yesterday justifying a role based security system for the application I'm heading up.  Why would I have to do such a thing?  Well, I had an encounter with one of the most fearsome beasts of the business world.  That beast is called:

The DBA who thinks they are a programmer

Now, let me say that I have nothing against the typical DBA.  In fact, I find the involvement of a professional DBA on a project to be a great help when it comes to normalization exercises, complex stored procedures, and triggers.  Being that I've worn both the DBA and programmer hats I am able to do these things myself, but frankly they aren't my favorite things in the world to spend time on so I'd just as soon pass these duties off to someone who specializes in it.

So why is this non-typical DBA such a fearsome beast?  It is simply because they constantly attempt to involve themselves in the logic and structure of the programming needs rather then taking the requirements and building the database to best meet those requirements.  Case in point with the meeting yesterday.  The application we are building is going to have at minimum eight different security groups that users will need to be placed in.  Each of these groups is to have a mix and match of rights in the system.  In addition, group members who misbehave in certain areas of the software need to be able to have their rights to those areas revoked without losing access to the other areas they do have.

A situation such as this is a perfect fit for role based security.  I proposed that we create security groups, assign roles to the groups, and assign users to those groups.  (We don't feel the need to go all the way down to assigning roles to individual users for various reasons I'm not going to go into.)  I mocked up the table structure we'd need to support this in Visio and approached the DBA with the design and met a hard line of resistance.  The conversation went something like this:

DBA: You're adding like 6 tables to the database, that adds too much complexity.

Me: That is the minimum number of tables it takes to properly implement role based security.

DBA: You should use an access level system instead.

Me: Huh?

DBA: There are 8 roles, so give each user an access level from 1 to 8 and give them increasing priviliges based on that number.  Then you can just do a less than or equal query on the security level to grab all the roles.

Me: You're assuming that the roles in this system are sequential, they are not.  In addition, what do we do if we have to insert a role?

DBA: Remember back in the days of old BASIC, you spaced your lines by 10 so that you could insert lines later.  Make the access levels 10, 20, 30, ... 80

Me: That still assumes that roles are sequential, they aren't.

DBA: You can't tell me that you can't order those roles in a logical manner.

Me: We don't even have a complete spec yet so we don't know how many roles we will have.  You access level idea just won't work, think about it this way:

We have roles A B C D E F.  In your world we would have access level 1 with roles A B C   Access level 10 has A B C D E F.  Now lets say we want to add a level that has A B C E, where would be put it?

DBA: You'd put access level 5 in with roles A B C E.

Me: Right, now lets say we suddenly need a role with A B C F, where would we put that?  If we put it at level 7 then your less than or equal query would give level 7 the E role which we didn't intend.  If we put it at level 3 then level 5 would get the F role that we didn't intend.

DBA: I disagree.  (Actually he went into this big discussion that made no logical sense, but I'm not going to post that here)

So in the end I had to develop a presentation and call a meeting with the business managers.  I had to justify using role based security, the security style that is probably most pervasive in the software world today because of its flexibility.  Having to do this wasted 4 hours of my time, and another 8 man hours of time from the people forced to attend a meeting so that I could overrule the DBA.

All of this could have been avoided if the DBA had done their job of accepting the logic that the development team had come up with and building the database accordingly instead of digging their heels in resisting a commonly used pattern that since the days of Windows NT has proven to be best practice.

DBAs - Be DBAs, optimize the crap out of that database, make sure my sql is good, make sure the relations are in place and enforced.  Don't try to design my application though, it's not your speciality and in the case above you got made to look like a bad team player and pretty silly on a logical level.  I certainly don't tell you how to design your triggers.


Published Mar 11 2005, 06:02 AM by Eric Wise
Filed under:

Comments

Raymond Lewallen said:

It goes both ways. Its much more common to find programmers who think they are DBAs rather than vice-versa. So many times I've been told that my database design sucks because the query "select * from TableA, TableB, TableC where TableA.NonIndexedColumn = 1 and TableB.NonIndexedColumn = TableA.NonIndexedColumn" takes forever and they get back 1000's of rows. Too many programmers write queries and haven't the first clue the difference in a merge join versus hash join versus loop joins, nor do they understand the difference in a table scan versus index scan versus index seek.

I certainly agree with you, DBA's should stay in the database, but programmers should stay in the program too.
# March 11, 2005 7:25 AM

Eric Wise said:

I'm in agreement with you, that's why at the bottom I mentioned the duty of the DBA to "make sure my sql is good". I expect and embrace the idea that all my stored procedures and dynamic sql should be reviewed by a member of the DBA team.
# March 11, 2005 7:29 AM

Raymond Lewallen said:

Unfortunately, in my experience, I've seen too many times where the 2 sides didn't respect eachothers knowledge. At least you respect the DBAs ability to help you out with your sql code... too bad he doesn't respect your ability to design the application correctly per the business plan and make his modifications to adjust. Its a totally different mindset from both points of view and its hard to overcome and get everybody to look at a problem and solution through the same set of glasses. Maybe you've changed his attitude... yet to be seen whether for better or worse ;) Its always a big give and take from all sides and everybody has to adjust. I'm lucky that in my current position I am both a DBA and design our application framework logic. Sounds like you might have your hands full with future implementations if his attitude and willingness to adjust doesn't improve.
# March 11, 2005 7:39 AM

Sahil Malik said:

I have never been in an organization where programmers didn't clash with either infrastructure, or dbas.

I kinda agree with Ray here, it doesn't matter how bad you think your Dba team is at a certain job, democracy doesn't value expert opinion. At times, to get along, you have to adjust and let the other prove his concept. Then when it fails on it's nose - as you had already told him it would, he will learn to respect your opinion better next time. But he would have been given an opportunity to speak out - so he won't be so negative. As a co-worker, he does deserve a chance right? Even if you think he is wrong. Even if I think he is wrong.

Now your presentation is in front of the business managers. Their forte isn't role based security table design, so who knows, they might agree with the Dba. What do you do then? I'm not saying they are dumb, just that they know different things and probably are not the right judges for application design. That is between you and the Dba, who unfortunately is antagonized and has a mental sheild with you by now that he won't listen to even your valid arguments.

If it helps, tell them Sahil Malik said - the Access level 10,20,30...80 based table design for role based security is a bullshittous idea. Maybe they'll agree.
# March 11, 2005 7:58 AM

Eric Wise said:

As long as when I utter the name "Sahil Malik" a chorus of angels begins singing and I am coated in a beam of pure white light. =)

The organizational problem here *puts on his MBA hat* is there is no truly central source of IT Manager. So when a conflict like this occurs you either have to beat the other guy into submission with logic and examples or go right to the business users and roll the dice.

In a perfect world the architects would gather the requirements and design the relational objects. These objects and requirements determine the database fields and to some extent the tables. The DBA should not care about why or how the developers are implementing something, they should examine the tables/fields and make sure everything is optimized and there are no flaws in the design. Just like when a developer gets a change request from a user, oftentimes they request things that don't make sense to use as developers, but in the end they are the customer and as long as it doesn't introduce flaws into the application we generally go ahead and implement the request.

That's just my two cents.
# March 11, 2005 8:10 AM

Eric Wise said:

Oh, and you gotta pick your battles. When it's something that isn't going to be too much of a pain in the ass to change later I'm usually willing to let the stubborn ones do what they want and fall on their face as you suggest. This situation was something that is pretty fundamental to the application though and it would be too costly to fix it later.
# March 11, 2005 8:13 AM

Sahil Malik said:

MBA hat or not, I can tell you one thing for sure. Keep the Dba on your friendly side. Life is easier that way. Heck keep everyone possible on your friendly side, and if someone is just a complete jackass - then find another job - the stress ain't worth it. No stress is worth anything.
# March 11, 2005 2:08 PM

Jeff Lynch said:

Your DBA friend is wrong. We never spaced our "lines" by 10. We added ten blank cards to the stack in between each card that contained code... just in case!
# March 11, 2005 3:03 PM

Eric Wise said:

Sahil- No way man. I love this company! We get top of the line equipment to work on, vpn access so I'm not stuck in the office afterhours, great health benes...
# March 11, 2005 3:13 PM

Darrell said:

Unfortunately your DBA doesn't have what we call the social skills, that's why he doesn't have any friends, except for his mama. :) -- Name the movie?
# March 14, 2005 8:56 AM

Eric Wise said:

Waterboy, Adam Sandler

*flexes his massive movie buff muscles*
# March 15, 2005 3:35 AM

TrackBack said:

# March 19, 2005 3:37 AM

verns test blog said:

# April 3, 2005 12:35 AM

Leave a Comment

(required)  
(optional)
(required)  

Enter the numbers above:
Add
Check out Devlicio.us!

About CodeBetter.Com

CodeBetter.Com FAQ
Our Manifesto
Advertisers should contact Brendan

Subscribe

Google Reader or Homepage
del.icio.us CodeBetter.com Latest Items
Add to My Yahoo!
Subscribe with Bloglines
Subscribe in NewsGator Online
Subscribe with myFeedster
Add to My AOL
Furl CodeBetter.com Latest Items
Subscribe in Rojo

Member Projects

WSMQ - Brendan Tompkins
Sarasota Web Design - David Hayden
Patterns & Practices - David Hayden
dotMath - Steve Hebert
EZWeb - Jeffrey Palermo
Structure Map - Jeremy D. Miller
StoryTeller - Jeremy D. Miller
The Code Wiki - Karl Seguin

 

Friends of CodeBetter.Com

Red-Gate Tools For SQL and .NET
 BlogJet
CodeSmith 3.0
 SourceGear Vault
Telerik
 ComponentArt
VistaDB
JetBrains - ReSharper
 Beyond Compare
 .NET Memory Profiler
NDepend
AliCommerce
Ruby In Steel
SlickEdit
SmartInspect .NET Logging
NGEDIT: ViEmu and Codekana
LiteAccounting.Com <-- NEW Friend!


Site Copyright © 2007 CodeBetter.Com
Content Copyright Individual Bloggers

Community Server (Commercial Edition)