We have local workstations, dev servers, staging servers, and production.
Devs can do whatever they want on their local workstation. In any given week, I work on 2-3 different projects with radically different stacks. Central IT (which is technically outsourced to a stand-alone company that supports us and the other companies owned by our Fortune-500 overloard) has absolutely 0 knowledge of what we do and what we need to support our work.
Devs also usually have sudo access to the dev servers, but rarely install things there.
Devs never have admin access to staging, but they usually have the ability to do deploys from the build server.
Devs absolutely never have admin access to prod, and can't do deploys to prod either.
Dev team builds, tests and does whatever is needed on local and dev servers. They're responsible to make sure their stuff works and when ready for testing, trigger an automated deploy to stage. They don't have the ability to install any dependencies or configurations on stage, so if they run into problems, they need to negotiate with DevOps. QA validates on stage and has client do UAT on stage. If everything passes, DevOps manages the deploy to production.
That's a grand total of 3 "technical" people on the small project. Dev, QA, DevOps. Large projects will have multiple people in each role, but we still structure the same way.