Should Developers have production access?
I asked myself this question at my first job at Scalable Capital, 4 years ago. I had started at a FinTech startup/scaleup with somewhere between 50 and 100 engineers, enthusiastic about DevOps and a You build it, you run it mindset, that I had learned in my software engineering education in university. But reality hit hard. You can't give every engineer full production access, and justify lax credential management with We want to give people ownership and trust.
Yes, you want to hire smart people as a leader, and you need to trust your engineers for them to be productive. But even if your hiring is perfect and you never hire anyone that's malicious, the greatest minds make mistakes and giving every developer access to production environments will be an issue eventually. This doesn't have to be leaking a credential or leaving their Macbook open at a Starbucks. This can even be running the DROP TABLE; statement on the production database instead of the development environment. And I am not making these scenarios up, this happens in the real world even to companies like GitLab.
In some organizations I've heard the argument that developers don't need access to production at all. Actually noone would need it. Or a phrase like: Developers should just write the code and then the operations team will deploy it. But this is a very outdated way of thinking. For a developer to do their job and feel responsible for their part of the system, aka "own" it, They need access to the production environment. There is always a variety of reasons for someone to have to access production, here are 3 simple examples that you can probably relate too:
