
FigurativeVoid, last Thursday at 3:27 PM (8 replies)

At my first gig, I had "god" level access to our production database.

All I learned is that nobody should have this level of access unless it is some sort of temporary break glass situation. It is extremely dangerous and even experienced engineers can cause irreparable data loss or some other bad outcome. In our case, some engineer accidentally sent around 10,000 invoices to customers that shouldn't have gotten them.

There are far better data access patterns. In the case of US gov data, I don't see why the DOGE team would need anything more than a read replica to query. It could even be obfuscated in some way to protect citizens' identities.
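The access pattern the post argues for, as an added example that is not code from the thread: a read-only connection standing in for a read replica, plus a masked view so analysts never see the full sensitive identifier. It uses Python's stdlib SQLite so it runs offline; the `citizens` table, its rows and the `mode=ro` stand-in for a replica are all constructed assumptions.

```python
"""Least-privilege read access beside the 'god mode' path the post warns about.

Added example, not from the thread. SQLite (stdlib) stands in for the
production database; a real read replica would be a separate server, here
emulated by opening the file with the mode=ro URI flag so writes are refused
by the database layer rather than by convention. All data is constructed.
"""
import os
import sqlite3
import tempfile


def build_sample_db(path):
    # Constructed sample data: a table with a sensitive identifier column.
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, balance REAL);
        INSERT INTO citizens VALUES
            (1, 'Alice Example', '123-45-6789', 100.0),
            (2, 'Bob Example',   '987-65-4321', 250.5);
        -- Masked view: query access sees only the last four digits of the SSN.
        CREATE VIEW citizens_masked AS
            SELECT id, name, '***-**-' || substr(ssn, -4) AS ssn_last4, balance
            FROM citizens;
    """)
    con.commit()
    con.close()


def open_read_only(path):
    # Stand-in for connecting to a read replica: every write on this
    # connection fails with OperationalError ("attempt to write a readonly database").
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def query_masked(con):
    # The analyst-facing query goes through the masked view, never the base table.
    return con.execute(
        "SELECT id, name, ssn_last4 FROM citizens_masked ORDER BY id"
    ).fetchall()


def attempt_write(con):
    """Return True if a destructive write succeeded, False if the connection refused it."""
    try:
        con.execute("DELETE FROM citizens")
        con.commit()
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Run both access paths against the same file and report what each could do."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "prod.db")
        build_sample_db(path)
        god = sqlite3.connect(path)       # the access level the post warns about
        ro = open_read_only(path)         # the access level the post recommends
        rows = query_masked(ro)           # reads work, with the SSN masked
        blocked = not attempt_write(ro)   # the same DELETE is refused here
        god_can_write = attempt_write(god)  # ...and silently empties the table here
        god.close()
        ro.close()
        return rows, blocked, god_can_write


if __name__ == "__main__":
    rows, blocked, god_can_write = demo()
    print("masked rows:", rows)
    print("read-only connection blocked the DELETE:", blocked)
    print("'god' connection ran the DELETE:", god_can_write)
```

The point of the pairing is that the read-only path is enforced by the database, not by the engineer's discipline: the same `DELETE FROM citizens` that succeeds on the unrestricted connection is refused on the read-only one, and the masked view means the query path never returns the full identifier at all.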


Replies

simpaticoder, last Thursday at 7:10 PM

I've worked with older governmental systems, and chances are they are running a wide variety of systems, some of which, the oldest and most critical, are probably written in COBOL running on IBM mainframe hardware. In those environments, there is no real distinction between "database" and "application". COBOL systems are very file- and batch-oriented, and are "monolithic" in the extremist sense. The technology itself makes it impossible to give read only access to such systems.

r00fus, last Thursday at 5:46 PM

Ah, I remember a time 30 years ago when I accidentally logged into the PROD database (forgot to add the suffix "1" to the connection ID), thinking it was a Dev instance, and then issued a "truncate table CUSTOMERS"... the reaction came within 75 seconds - and restore from backup took several hours.

TrackerFF, last Thursday at 6:43 PM

Never mind the direct risks, if you have "god mode" to basically any government thing, you instantly become the target of foreign intel/military operations. You can bet good money that there are entire teams, if not divisions, working around the clock to exploit this situation.

godelski, last Thursday at 7:20 PM

> It is extremely dangerous and even experienced engineers can cause irreparable data loss or some other bad outcome

It is literally why we never log in as root.

HERE BE DRAGONS

I don't know an admin who hasn't, on multiple occasions, unintentionally caused irreparable damage. It is easy to do even with the best of intentions and with extreme levels of care. Anyone trying to rush through a dragon's den is only going to get burned. Considering how many dragons' dens they are running into, I do not question "if" damage has been done, but "what".
manfre, last Thursday at 7:21 PM

I've had a company give me full admin access to their cloud account. Thankfully, I learned the lesson earlier in my career and immediately created myself a more mundane user. Break glass access is important, but definitely not as the usual level of access.

> I don't see why the DOGE team would need anything more than a read replica to query.

They shouldn't need more than limited read access. The fact that they have more access, very likely demanded and not accidentally given, is due to their intent to do more than simply query data.

erulabs, last Thursday at 8:46 PM

Ultimately someone has root permissions. Re: federal agencies, in the United States, that someone is clearly, constitutionally, the President. Article II of the constitution vests all power of the executive in the person of the President. The President has authority to appoint agents. That same article _does also_ say the President has to "take Care that the Laws be faithfully executed", but the "Care" there is highly debated. But the idea that the President doesn't have the right to appoint Musk to get root access to federal agencies seems legally incorrect.

I'm not making a value judgement on this, it's just how it is. At a startup, the founder ultimately has root access to the database, no matter what the technical controls.

Now, maybe it's stupid, and maybe it should be some other way, but to my mind the other way is that Congress gets together and writes a law saying "the executive cannot get root access to X, Y, Z". In absence of that law, the executive can do whatever they want.

Not to be THAT GUY, but "an append-only database which cannot be modified by anyone" is something HN has spent the past 10 years saying is completely useless...

cratermoon, last Thursday at 3:35 PM

I loathe working places where they just give you all the permissions because it's "easier". One risk is if something does happen, and they don't have exceptional tracing and logging, (and let's be honest, at an organization sloppy enough to hand out privileges like candy, what's the chance of that?) it's difficult or impossible to pin down the source to any individual. As a result, both responsibility and suspicion are diffuse.

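The attribution problem this comment describes, as an added example that is not code from the thread: an audit trigger that records who changed each row, and what the log looks like when two people share one "god" credential versus when each has their own identity. It uses Python's stdlib SQLite; the `invoices` table, the per-connection `current_actor()` function (a stand-in for the session identity a real database exposes, e.g. `current_user`) and all rows are constructed assumptions.

```python
"""Attributing changes to an individual via an audit trigger.

Added example, not from the thread. SQLite (stdlib) is used so it runs
offline. The actor is supplied per connection through an application-defined
SQL function, standing in for the authenticated session identity a production
database would provide. Schema and data are constructed.
"""
import os
import sqlite3
import tempfile

# Constructed schema: an invoices table, an audit log, and a trigger that
# stamps every update with whoever the executing connection says it is.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, sent INTEGER DEFAULT 0);
CREATE TABLE audit_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, action TEXT, invoice_id INTEGER);
CREATE TRIGGER invoices_upd AFTER UPDATE ON invoices
BEGIN
    INSERT INTO audit_log(actor, action, invoice_id)
    VALUES (current_actor(), 'update', NEW.id);
END;
INSERT INTO invoices(customer) VALUES ('cust-a'), ('cust-b'), ('cust-c');
"""


def connect_as(path, actor):
    # Each connection carries its own identity; the trigger reads it through
    # current_actor(). A connection without this function cannot update at all.
    con = sqlite3.connect(path)
    con.create_function("current_actor", 0, lambda: actor)
    return con


def mark_sent(con, invoice_id):
    con.execute("UPDATE invoices SET sent = 1 WHERE id = ?", (invoice_id,))
    con.commit()


def audit_trail(con):
    return con.execute(
        "SELECT actor, action, invoice_id FROM audit_log ORDER BY rowid"
    ).fetchall()


def demo():
    """Return the audit log after individual and shared-credential changes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "billing.db")
        setup = sqlite3.connect(path)
        setup.executescript(SCHEMA)
        setup.close()

        # Individual identities: each change lands under the person who made it.
        alice = connect_as(path, "alice")
        bob = connect_as(path, "bob")
        mark_sent(alice, 1)
        mark_sent(bob, 2)

        # Shared 'god' credential: two different people, one indistinguishable actor.
        shared_1 = connect_as(path, "shared-admin")
        shared_2 = connect_as(path, "shared-admin")
        mark_sent(shared_1, 3)
        mark_sent(shared_2, 3)

        trail = audit_trail(alice)
        for c in (alice, bob, shared_1, shared_2):
            c.close()
        return trail


if __name__ == "__main__":
    for actor, action, invoice_id in demo():
        print(f"{actor:>13}  {action}  invoice {invoice_id}")
```

The last two log rows are the comment's point in miniature: the trigger faithfully records an actor, but when the credential is shared the recorded actor is the credential, not a person, so the log cannot say which of the two engineers made the change. Per-person identities cost nothing extra at the logging layer; the attribution is lost only when the identity is shared before it reaches the log.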
Zefiroj, last Thursday at 7:18 PM

There's a good balance between preventing accidents and reducing friction.

One person having "god-mode" access isn't usually that terrible.