> they are giving a service for the rest of the company
That is very true. And part of that service is to ensure that things run smoothly, securely and according to industry standards.
How well would an IT guy provide that service if he were to let some unvetted, undocumented script hacked together by someone who isn't a professional software engineer, run its merry way across the production database?
Don't give access to a DB, the same way you wouldn't give access to any other external system. Instead you ask what is needed and provide a restricted REST API.
You come off as condescending and remind me of why I (ex dev who joined our business department) dislike our IT so much and do my best to encourage shadow IT where I can, while keeping sane best practices around CI/CD, security and testing.
I'm so fed up seeing working Excel solutions cobbled together over 2 weeks, that served business well over years with 0 incidents, get replaced by shitty cloud apps that cost millions to build.
> Instead you ask what is needed and provide a restricted REST API.
Happy to. Problem is, that API has to be built, and tested, and vetted, and maintained, and who's going to do all that work? Because I know a lot of software devs, and none of them lack for tasks.
If it needs to happen, and your team can't do it, somebody else needs to. Your best bet then is to give them the access to do it properly instead of forcing them to hack it together.
I, on the other hand, am tired of being called in to investigate why the janky Excel macro written four years ago by an ex-employee doesn't work for all the external stakeholders this manager just sent the spreadsheet to, only to find that the hardcoded database and local admin user creds in the VBA script are now leaked and in the clear.
A lot of people pushing shadow IT "solutions" wildly overestimate their own ability, while maintaining garbage-tier information security standards. That doesn't sound like you, but it's the far more common situation those of us in "IT" are forced to protect the wider organisation against.
God forbid code gets written to solve a business problem rather than conform to a spec sheet, right?
Businesses - and jobs - only exist to solve economic problems in the real world. Everything else, including traditional accounting, IT, legal, and HR functions, is just there to make the real work easier, not harder.
From security people's perspective things would be smooth if all computers would be plugged off and their batteries removed. Oftentimes it's not that far from that solution.