[identity profile] the-s-guy.livejournal.com posting in [community profile] techrecovery
Our security system has a number of resources which can be requested (usually via a manager) to allow a person (or a position) to perform certain tasks on our network.

One of these resources gives users effective god rights over any workstation they log onto. As a result, it is regularly used and abused forty different ways by all kinds of lazy programmers who don't want to fix their crap. "Oh, just tell the user to request god rights if they get that error."

The problem is not that this level of access exists.

The problem is that the three-level approval process is so useless.

First, the user must request it themselves, or get someone else to request it for them. No-one ever refuses anyone at this time because hey, it's only a request, right?

Second, the user's manager has to approve the request "in-principle". As 99.9% of managers have no frickin' idea about anything technical, the user could put down a request reason like "I need this to chainsaw a bucket of puppies into mulch" and it would get approved.

Thirdly, it has to be approved by our central IT security team. A good move, you would think. Except that the team is perhaps four people covering twenty-five thousand users. They spend all their time clicking the "approve" button as fast as they can while watching the requests pile up in their queue.

Given the number of people who request and get these rights, I have to wonder why we bother restricting them at all.

Date: 2006-03-22 07:27 am (UTC)
From: [identity profile] byh.livejournal.com
Hear you.

The same here. Not so complicated though, just basic admin/user rights play. And about 1/5 of users have admin rights at least within their workstation just because they are located too far to reach them if they need anything and networks do not connect.

Funny things do happen.

Date: 2006-03-22 12:39 pm (UTC)
From: [identity profile] major-error.livejournal.com
at least your systems start off locked.

Because of one stupid vendor-supplied program, we don't have a choice but to give local admin rights since _everyone_ uses it.
The silver lining is that we're in the middle of a roll-out to replace said app. I wonder how said vendor will react when we suddenly turn around and dump their crap--we haven't let on yet that they've been replaced by a competitor ;)

Date: 2006-03-22 02:03 pm (UTC)
From: [identity profile] shadowkat01.livejournal.com
We've had that issue. Already found a way around AutoCAD. Now all software RFPs specify they must run as restricted user before the company is even allowed to bid.

-None- of my users have admin priv, only IS, and we like it that way.

Date: 2006-03-22 03:00 pm (UTC)
From: [identity profile] hisamishness.livejournal.com
only our tech force is in the global workstation admin group

Any other requests, the user is granted rights to their specific machine.

Date: 2006-03-22 03:51 pm (UTC)
From: [personal profile] jecook
We are in the process of migrating everyone to moderately locked down systems. (they get power user, but not local admin)


I've never, EVER, seen a bunch of people whine so fucking loud in my entire life.

Fortunately, it's only a small minority of people that are whining, because the rest of the people have just enough raw computer skills to do their work on it.
