Giving devs access to the registry

This article was written for a friend who works in a company where developers are local admins on their PCs, but don't have access to the registry. I'm not sure if this is a Windows thing or some custom solution of that company, but needless to say, developers weren't happy with the situation. This article attempts to find some middle ground, and also to explain, for non-technical people, why developers need access to the registry.

Why do developers need access to the registry? For the same reason they need admin rights. And in the same way. Because there are two aspects to this story. First, that they need access. Second, that they only need this on their local machine.

Needing access

A quick Google search regarding administrator access brings up this StackOverflow question. Of course, the overwhelming majority of answers and comments say yes, developers need administrator rights. I say of course, because StackOverflow is a developer's Q&A site after all. But going to ServerFault, a Q&A site for sysadmins, the same arguments are made.

So what about access to the registry? The same arguments apply, which I will go into below.

But let me first say, I'm not talking about using the registry for your application settings, user data, and so on. By now, it's a well-known fact that you shouldn't be storing anything in the registry. Unless you have a very good reason to do so, which you probably don't.

What I want to talk about is access to the registry used by applications and services that developers need in their job. Not allowing developers access to the registry on their local machine will cause several problems that will block their productivity, frustrate them, and demotivate them. At worst, it's another piece of the unfortunate puzzle that causes them to leave.

When a developer is busy working on something, using whatever tools she needs, and suddenly is blocked because of some corporate rule, several things unfold. First, there is frustration. The company has just killed her flow because of some, to her, silly decision made without regard for the specifics of her job. We must accept that the decision isn't simply silly, but to the developer it feels that way. More on that later.

For now, the developer is blocked and, if lucky, she can contact a sysadmin to help her around the problem. But let's be honest, there are very few companies, if any, that will have this fixed in 5 minutes. Usually, this will take some sort of formal change request, and several hours if not days to alleviate the problem. All that time, the developer isn't creating business value. She might start working on something else, but that only means she will need more time to get back into the first task. This is wasted time and thus wasted money. Multiply this time by the number of developers and by the number of times this happens, and you're just throwing away money for little to no use.

And if this continues on and on and on, this is something that the developer will put in the contra-column when considering new career options. Granted, that may be a bridge too far for most developers, but it is something to consider.

The other side

But we must consider and respect the other side of this story. The sysadmins and/or management have legitimate reasons to want to restrict people from messing about with their company PCs on the company network: viruses, spyware, corrupting the machine, etc. There are lots of dangers that, when encountered, take time away from sysadmins. And time here, too, is money.

However, there is a difference between the accountant, secretary or sales representative on the one hand, and the developer on the other hand. There is also a difference in the kind of work they do. This is not to downplay the non-developers, but we must acknowledge there is a difference in technical skill set, and in what they require from their PCs.

I think we can safely assume a developer is smart enough to avoid shady software, suspicious websites or malicious emails. If your developers don't have those skills, I believe you have a whole different class of problems, as you may have hired the wrong developers.

How to have access

So a compromise can help us here. Developers should have full access to their local machine, but on some conditions. These conditions can differ from company to company, but could include things like:

  • no switching off the antivirus
  • no meddling with the proxy
  • no removing corporate software or startup scripts
  • etc., you get the picture

You could have developers sign a specific contract where they agree not to do this, and have certain measures in place when they violate this. Worst case, this could mean them losing their jobs.

Also, it seems logical that this full access only applies to their own machine. This access should not be applied to any server environment. The only reason a developer needs full access is for developing efficiently, for running the tools necessary for the job. It should not be because the application he is working on needs full access. Again, unless you're doing something very special, but this is rarely the case.

Conclusion

Blocking developers from full access to their local machine reduces their efficiency, increases their frustration and costs the company money. This is because a lot of the tools they use require this access, unfortunate as it may be. But this doesn't mean they need (or even want) to use the company PC as some unlimited playground where they can be irresponsible. And neither should the company accept this type of behavior. But with good agreements between teams and management, and commitment from the developers, all the possible negative consequences can be avoided.