I want to start by saying I understand Change Management’s job, especially when there are government contracts and security policies that must be followed. They are invaluable to prevent the mayhem that would ensue if devs were in control of prod.
That being said…
I’m working on a project that monitors MSMQ instances inside the company. It’ll watch servers for queues that aren’t processing fast enough or produce too many dead letter messages and various other statistics to help keep data flowing in the system as a whole. This project will exist in a prod environment and have access to prod data. To work, it needs a list of server names or IPs to connect to and monitor.
My original plan was to put the list of servers to monitor in a config file alongside the binaries of the monitor system. I didn’t want to hard-code it for obvious reasons, and I didn’t want to put the list in a database because it would require several days to make a change and the DBAs would have to do it. I’ve recently been told that in order to meet certain government security contracts, the folder that the code exists in is locked down so that all files in that folder (or folders that are used by the code in that folder) cannot be changed without going through the change management board, which could take up to two weeks to approve.
I don’t expect this file to change a lot, but I do expect that when somebody needs to change it they’ll need to do so fast.
If Change Management takes up to two weeks to approve a change to any file in the prod folder, and changes to the DB can take up to a week before it makes it through the DBAs, where are some alternative places I can store the list of servers to monitor? I know I won’t be able to put it somewhere where we can change it on a whim without approval by somebody, but I’m hoping to find a nice middle ground where we can change it within a few hours or a day instead of a week.
The list of servers itself is not a secretive list that needs to be protected from prying eyes. We still have other layers that prevent rogue programs or people from actually accessing the queues.
I know this will highly depend on my company’s policies (not all of which I know, I’m 6 months into working here) but I’m hoping to have a few ideas to present before asking how my boss would approach it.