We have an environment made of of Web Servers (Windows 2003). We use something called "provisioning" to populate a farm of web servers that are used by the customer/user.
In my promotion process, we have the normal types of environments we are all used to have: development, QA (testing environment), and a production environment... with some others environments like a training environment and a production (duplicate) environment... (plus of course, a backup environment. All the latter environments are (and should be) equaled to production.
As CM, I am responsible for promoting "TESTED" code to the production environment. Previously (before having the provisioning software) I used to manually promote code to 10 to 15 web servers. Now, I all I have access to is 1 server that is used as a staging server. I promote code to it, and the systems people will create an image of the box, and then populate the Production environment using the provisional software to push it.
The problem I have is that I am unable to go into those systems that are being populated to perform audits, or just to verify code is there and verify things don't change. It's like I have lost control. All I have access to is the staging server.
This is all NEW to us. We are just trying to follow NIST requirements and the like. So, maybe this has just gone a little too far. I myself believe that the only people that should have access to these systems are the System folks and CM. But they don't think CM needs to go in there.
What is the consensus out there in the real world (I say real world because I work for DOL)? In my experience, CM should be able to know and manage the Production Baseline which includes all systems. As it currently is I don't know what is on those systems...
Can someone share some ideas? Am I seeking to be a "control" freak? LOL!!!
