For compliance reasons, we have accounts set up with isolation in mind:
* Developers have their own account
* DH Server service has a separate account
* DH Scheduler service has a separate account

  a. ALL of these have to be administrators
  b. ALL of these need source access
Both of these are the extreme opposite of a typical security policy.
I would set the following principles:
1. Administrator privileges are very tightly contained.
All deployment-related activity should be performed via the DH server service, even when initiated from the DH GUI. This way the developers don't have to run around in full admin mode.
The DH server service should not do other things in admin mode (such as running ad-hoc execution packages). These can be delegated to a separate process with a lower privilege account, or to the scheduler.
The execution user will probably need some elevated permissions at database level to drop/recreate indexes. This could easily be facilitated by having a standardized database role managed by DH.
2. Source access is given out as little as possible.
All connections to source systems should be run through a DH service, preventing the need to hand out source access to each developer.
Alternatively, we could configure a connection account at project level.
Let's hear your thoughts!
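The "standardized database role" idea under principle 1, shown as an added example that is not part of the original post and not DH's own code. It assumes SQL Server (T-SQL), a warehouse schema named `dw`, a role named `dh_execution` and an execution login mapped to database user `dh_exec_user`; all of those names are placeholders chosen for the illustration. The weak setting (db_owner membership) is left in as a comment beside the corrected role so the difference in blast radius is visible.

```sql
-- Added example, not from the original post or the DH product.
-- Assumes SQL Server; [dw], [dh_execution] and [dh_exec_user] are placeholders.

-- Weak setting: making the execution account db_owner lets any ad-hoc
-- execution package drop tables, change permissions or alter any object.
-- ALTER ROLE db_owner ADD MEMBER [dh_exec_user];   -- avoid this

-- Corrected: one standardized role carrying only what index maintenance needs.
CREATE ROLE [dh_execution];

-- SQL Server has no index-only permission: CREATE/DROP/REBUILD INDEX requires
-- ALTER on the table. Granting ALTER at schema scope covers every table in the
-- warehouse schema without handing out db_owner.
GRANT ALTER ON SCHEMA::[dw] TO [dh_execution];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dw] TO [dh_execution];

-- Caveat: ALTER on a schema also permits dropping tables in that schema.
-- If that is too broad, grant ALTER per table instead, e.g.:
-- GRANT ALTER ON OBJECT::[dw].[FactSales] TO [dh_execution];

-- Nothing is granted on other schemas or at server level.
ALTER ROLE [dh_execution] ADD MEMBER [dh_exec_user];

-- Check: list what the execution user can actually do in the dw schema.
EXECUTE AS USER = 'dh_exec_user';
SELECT entity_name, permission_name
FROM fn_my_permissions('dw', 'SCHEMA');
REVERT;
```

The verification query at the end is the check a reviewer would run after deployment: the result should show only the schema-scoped permissions granted above, and no CONTROL or server-level rights.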