Monday, October 5, 2009

RMOUG: Beware Triggers and DBA Code of Ethics

The Rocky Mountain Oracle Users Group (RMOUG) is well-known in the Oracle database administrator community. This is one of the most successful models I have seen of an effective user group and its annual Training Days conference is particularly well regarded. Although I am not a database administrator (DBA), I still found three DBA-centric articles in the current edition of the quarterly RMOUG newsletter (RMOUG SQL>UPDATE_RMOUG) to be worth the read and worth mentioning here.

The three articles in the Fall 2009 edition of SQL>UPDATE_RMOUG are "Beware..." (Another Look at Triggers), "Database Administrator's Code of Ethics", and "Using the PL/SQL Profiler." In this blog posting, I'll look briefly at the first two of these three articles.


Beware ... Triggers

Tom Kyte is one of the best-known experts in the Oracle community. He authors the askTom site and is a Senior Technical Architect at Oracle. His Blogger profile has been viewed approximately 87 thousand times. When I give a presentation during the same conference slot he is presenting in at a database-oriented conference, I can expect a very small audience at my presentation.

In his article "Beware...", Kyte writes, "At first, I thought triggers were the coolest thing ever ... something that I as a developer could use to perform 'magic.'" Kyte goes on to explain that the "forgotten trigger has bitten me many times in the past." Kyte also states, "If I could remove a few features from the database -- it would be triggers and when others then null."

After providing many examples of trigger abuse, Kyte concludes, "When used correctly and sparingly, triggers can be a positive thing. It is when they are used for every and anything that they become a really bad idea. ... Triggers should be used when there is no other way to achieve your goal. They should be the last resort."

I am not aware of this article being available online, but you can reference Kyte's The Trouble with Triggers for more information from Kyte on triggers.


DBA Code of Ethics

In the article Database Administrator's Code of Ethics, OracleGiants editor Brian Carr states that the purpose of this article is "to analyze the social and ethical responsibility of Database Administrators (DBAs)." In this article, Carr defines a DBA as "the person in charge of managing the relational database and its access rights" and references the Wikipedia article on database administration.

In explaining why DBAs should have a code of ethics, Carr points out that DBAs, like their systems administration cousins, "generally have high levels of access" in various powerful organizations with highly sensitive data. To support this position, Carr references the InfoSec News story The Data Security Weak Link.

Carr points out that physicians and certain types of engineers have their respective codes of ethics. He suggests that DBAs should "also be required to take an oath, or swear to practice by a strict Code of Ethics" because "people and organizations do trust extremely confidential and sometimes very personal information to a Database Administrator."

In this article, Carr first references Stephen Wynkoop's proposed SSWUG DBA Code of Ethics before outlining his (Carr's) own proposed code of ethics that adds fiduciary responsibility, limitation of data access to only that required to do the job, and "a more professional tone" to the SSWUG DBA Code of Ethics. In this article, Carr briefly describes six principles (prudence, justice, temperance, courage, responsibility, and trustworthiness) behind the proposed code of ethics.

As I read this article, I definitely saw some things that I liked, but I also wondered how realistically it would be followed. It would be interesting to know if there is any proven correlation between existing professions with codes of ethics and better behavior because of the existence of a code of ethics. I believe that a code of ethics could be a great educational tool to help younger people in a profession learn what is considered ethical and what is considered bad form. However, it is likely that a code of ethics provides very little deterrent to a person lacking concern for rules, laws, or ethical behavior.

Carr concludes his article with a realistic assessment of the potential advantages of a DBA code of ethics. He states, "The Code of Ethics would likely never be enforced, other than what is considered to be unlawful, however, the code is about striving to be a more cohesive profession when it comes to what we do and how we do it."

Personally, as a customer or patient whose records are at the mercy of DBAs out there, I would like to see some guidance related to what is considered ethical behavior. As a software developer, I cannot help but ask myself questions like "Would a code of ethics benefit software developers?" and "Would software developers care about a code of ethics?" In other words, would having a code of ethics for software developers change anything?

This article "Database Administrator's Code of Ethics" is hosted online and this online version includes references at the end of the article. The print version of the article in SQL>UPDATE states that this article is a "collaboration between Burleson Consulting and Brian Carr." I bring this up because Burleson Consulting hosts a brief article called Ethics for the Oracle Professional.


Conclusion

Although I am not a DBA, I found these articles to be thought-provoking. Many of the reasons Kyte outlines for not using triggers can apply to similar "magic" and trickery we might employ in software development. I feel about aspect-oriented programming (and some other software development concepts) similarly to how Kyte feels about triggers: they can be very helpful when most appropriate, but can be a maintenance nightmare when used indiscriminately. Too much "magic" can be too difficult to read and maintain.

Like DBAs, software developers (especially those who maintain production software) have access to sensitive data. In addition, developers are in a position to introduce vulnerabilities in software's security (such as the back door popularized in WarGames). There is no question we need software developers to behave ethically, but the question is whether a code of ethics would have any influence on that.
