Monday, August 19, 2019

Daily 2.0: one browser extension that keeps you up to date


I was searching for ways to find information on development. I was first told of Medium which is a nice way to get that.

There is also a nice browser extension called Daily 2.0 that basically does the same thing. You just need to add it to your favorite browser, enter your preferences by tags and then read a lot :)

You can find the Chrome extension here

Tuesday, August 6, 2019

What should I say when the customer asks for direct data access?

On my project, we were asked to open our database to the customer. At first I knew it was bad but I didn't have the arguments to answer. I finally came up with this mail.
They are currently asking customers what they really need to see. I see improvement :)

-----------------------

Hello @all,

In the backlog, we have this user story: As a user, I can request my data on a database copy.

I will need to know what the reasons for this request are. What information do users need?
In general, a request like this one comes from a lack of functionality in the application.
To rephrase, the question would be: What would these users need to have in the application to avoid having direct access to the database (replicated or not)?

If the answer is: "they already have access on their current application", it is not a good answer. :D

I have several problems with this:
- Security on the exposed data
- Performance risk (anyone can make risky SQL queries, even read-only ones)
- Data and performance control is no longer the responsibility of the informatic service alone
- It requires training these users on our data model
- It requires support when they can't do what they want
- It requires changing the exposed data when the model evolves
- Risk of having to justify ourselves to the business on the data structure
- No guarantee that they use the extracted information correctly
- No tests on the exposed data

Topics that talk about the subject:

https://security.stackexchange.com/questions/175344/what-are-the-risks-of-allowing-business-users-direct-production-database-access
https://stackoverflow.com/questions/1559892/why-shouldnt-i-give-outsiders-access-to-my-database

Seen from below, it looks like a reporting / export / API exposure demand that has evolved because we don't know what we want to do.

Has the informatic service already authorized this type of demand before? If so, it's amazing.

Thank you for your answers.