So why bother at all?
Mar. 22nd, 2006 05:32 pm
Our security system has a number of resources which can be requested (usually via a manager) to allow a person (or a position) to perform certain tasks on our network.
One of these resources gives users effective god rights over any workstation they log onto. As a result, it is regularly used and abused forty different ways by all kinds of lazy programmers who don't want to fix their crap. "Oh, just tell the user to request god rights if they get that error."
The problem is not that this level of access exists.
The problem is that the three-level approval process is so useless.
First, the user must request it themselves, or get someone else to request it for them. No-one ever refuses anyone at this time because hey, it's only a request, right?
Second, the user's manager has to approve the request "in-principle". As 99.9% of managers have no frickin' idea about anything technical, the user could put down a request reason like "I need this to chainsaw a bucket of puppies into mulch" and it would get approved.
Thirdly, it has to be approved by our central IT security team. A good move, you would think. Except that the team is perhaps four people covering twenty-five thousand users. They spend all their time clicking the "approve" button as fast as they can while watching the requests pile up in their queue.
Given the number of people who request and get these rights, I have to wonder why we bother restricting them at all.
no subject
Date: 2006-03-22 07:27 am (UTC)
The same here. Not so complicated though, just basic admin/user rights play. And about 1/5 of users have admin rights at least within their workstation just because they are located too far to reach them if they need anything and networks do not connect.
Funny things do happen.
no subject
Date: 2006-03-22 12:39 pm (UTC)
Because of one stupid vendor-supplied program, we don't have a choice but to give local admin rights since _everyone_ uses it.
The silver lining is that we're in the middle of a roll-out to replace said app. I wonder how said vendor will react when we suddenly turn around and dump their crap--we haven't let on yet that they've been replaced by a competitor ;)
no subject
Date: 2006-03-22 02:03 pm (UTC)
-None- of my users have admin priv, only IS, and we like it that way.
no subject
Date: 2006-03-22 03:00 pm (UTC)
Any other requests, the user is granted rights to their specific machine.
no subject
Date: 2006-03-22 03:51 pm (UTC)
I've never, EVER, seen a bunch of people whine so fucking loud in my entire life.
Fortunately, it's only a small minority of people that are whining, because the rest of the people have just enough raw computer skills to do their work on it.