JS Ext

Thursday, October 18, 2012

Audit vs Automation

In a previous post, I talked about the levels of automation.  In this post, I will talk about how audit rules can prevent automation.  Let's assume you belong to a software development shop.  Every time there is a new version of software being developed, someone has to create a branch in revision control.  You have to create a new pom file.  You have to create new Jenkins jobs.  You have to configure the appropriate upstream/downstream relationships.

This process seems repeatable, so someone writes a script to create the new branch.  At this point, you now have Level 2 Automation.  Whenever a new version gets created, someone has to manually execute this script.  As your company grows, this process needs to run more and more frequently.  It runs more because you are releasing more versions of software, as well as having more software packages that get released.  It's time to step up your automation to Level 3.

You integrate with your ticket system to kick off the script every time someone puts in a ticket requesting a new version.  The script has to run as an application username instead of someone's personal username.  You put in a request to create new application users for Subversion and Jenkins.  This effort will let users submit tickets and get their branches created automatically.  It seems like a good goal, but your request gets rejected.  For security reasons, only usernames associated with people can have write access to Subversion.  This is a requirement by your security team.  They want to be able to track back every single change to a person.  That seems like a reasonable requirement, but it is a roadblock to automation.  The audit requirement prevents Level 3 Automation.

For some companies, this becomes a question of Audit vs Automation.  Will you compromise your ability to audit your revision control system to allow faster setup of your development system?  Do you try to find a middle ground?  Do you allow application usernames the ability to create new branches, but not modify anything that already exists?  The answer to these questions will vary from company to company.  Unfortunately, the larger the organization is, the more likely that company has strict audit requirements AND high levels of automation.  I would be interested in hearing how various companies have solved this dilemma.
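One way the middle ground above could be enforced is a Subversion pre-commit check, sketched here as an added example (not code from the original post). The account name `svc-branchbot`, the `TICKET-123` id format and the `branches/` layout are assumptions; the ticket id in the log message is what keeps each automated branch traceable to the person who requested it.

```python
import re

# Assumptions for this example (not from the original post):
SERVICE_ACCOUNTS = {"svc-branchbot"}       # hypothetical application username
TICKET_RE = re.compile(r"\bTICKET-\d+\b")  # hypothetical ticket id format
BRANCH_PREFIX = "branches/"                # assumes a trunk/branches/tags layout

# Constructed samples of `svnlook changed` output (run without --copy-info).
NEW_BRANCH = ["A   branches/2.1/"]
TOUCHES_EXISTING = ["A   branches/2.1/", "U   trunk/pom.xml"]


def parse_changed(lines):
    """Yield (status, path): two status columns, then the path at column 4."""
    for line in lines:
        if line.strip():
            yield line[:2].strip(), line[4:].strip()


def branch_root(path):
    """Return 'branches/<name>/' for a path inside a branch, else None."""
    if not path.startswith(BRANCH_PREFIX):
        return None
    name = path[len(BRANCH_PREFIX):].split("/", 1)[0]
    return f"{BRANCH_PREFIX}{name}/" if name else None


def check_commit(author, changed_lines, log_message):
    """Return a list of policy violations; an empty list means allow."""
    if author not in SERVICE_ACCOUNTS:
        return []  # personal usernames are not restricted by this check
    changes = list(parse_changed(changed_lines))
    violations = []
    if not TICKET_RE.search(log_message):
        violations.append("log message has no ticket id to trace the request")
    # Branch roots that this very commit creates; anything else already exists.
    new_roots = {p for s, p in changes if s == "A" and p == branch_root(p)}
    for status, path in changes:
        if status != "A":
            violations.append(f"{status} {path}: service account may only add")
        elif branch_root(path) not in new_roots:
            violations.append(f"A {path}: not inside a branch created here")
    return violations
```

In a real hook the three inputs would come from `svnlook author`, `svnlook changed` and `svnlook log` run with `-t` against the pending transaction, and the commit would be rejected whenever the returned list is non-empty.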
