General discussion


Appropriate assignment of privileges

By collins_rf ·
The problems involving user permissions organization wide have been justified by the phrase, ?That?s the way the rest of the division is and it works okay for everybody else?. In some instances user privileges should be stratified based upon the routine work performed. I do not believe that they can objectively plan and implement a better suited user permissions assignment scheme. Therefore a blanket policy is in place There is one other reason why this may well be the case. I am afraid to say that it has more to do with control than it does with providing adequate support in a timely manner. Understandably, security of the network is a universal concern. Monitoring software and virus protection should be in place and violations of policies should be enforced. The problem is that some sections are required to perform software and driver updates as well as hardware configuration and testing that either are hampered by or outright prohibited by the lack of appropriate user privileges. I am not an absolute expert in the field but doubt that the policy maintained by our IT support section must be as rigid. My contention is that if we had support staffers that knew what they were doing then the appropriate protections would be in place, usage and installations could be adequately monitored, backups made on a timely basis and permissions could be applied that allow everyone to do their job. Now that I have described utopia, I need to hear from the community.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Busy IT staff, large organization

by stress junkie In reply to Appropriate assignment of ...

It is difficult to draw meaningful conclusions from your post. I would need to know a lot more about the circumstances of your situation before I could consider judging the decisions of your IT staff. I can only speculate about a few details of your situation from your post. These are as follows:

- You work for a large organization but what does that mean? The possibilities are so complicated that I can hardly find the words to cover them. Are you part of a large world wide corporation like IBM or Bank of America with many facilities and divisions or are you part of a 200 person corporation with all of the employees in one facility? Note: nobody wants to know which corporation you work for but the characteristics of your situation could be enlightening.

- You are not part of the IT staff. Correct?

- IT is not your principle area of expertise. Yes/no?

- You want to have the same capabilities to do things on 'your' computer at work that you have on your personal computer at home.

- IT policies prevent you from performing tasks on 'your' computer at work that you routinely do on your personal computer at home.

- When you ask your IT support people for reasons behind certain policies they don't provide a particularly good answer. Instead they just say something uninformative like "That's the way other departments do it.".

I could make a couple of observations based on the above listed characteristics but I would be able to make better conclusions if I knew more about your situation. For instance, is the corporation geographically fragmented? How is the IT department organized? In other words is there a central policy making body that the IT teams are required to obey? What is the jurisdiction of 'your' IT team? Clearly the last three questions are closely related.

In closing I will speculate that 'your' IT team may not be authorized to make policy decisions. The IT team members that you talk to may be very busy and lacking in communication skills. Hence they don't give you good answers to your inquiries. And lastly, the IT policies to which you object may, in fact, serve the corporation's best interests very well. I will be happy to comment further if you provide more details. Until then I would say that your IT team probably doesn't judge your expertise performing your job so you should trust that they are doing their job properly. :-)

Collapse -

Ok, hopefully I can provide enough details...

by collins_rf In reply to Busy IT staff, large orga ...

It is public sector or government.

I am not part of the office IT systems support staff.

IT is a major part of my expertise but not my priniciple area of expertise, I am a systems engineer/analyst.

They have charge over three servers and maybe 60 clients, a conservative estimate.

Of 60 clients, our section of 6 operate on what used to be 8 networked machines in 2 locations subdivided into 6 offices and one laboratory. These clients must evaluate software used in field monitoring sites, interface for data retrieval and perform remote systems diagnostics, draft standard operating procedures and perform many other functions for the job.

We 6 perform the opperation of monitoring support for some 50 sites in a regulatory atmospheric monitoring network distributed up to 400 miles away from our laboratory. In order to maintain compliance with state and federal regulations we must operate the systems in the network from an adminstrative permissions perspective. We must have the capability to perform complete replacement and reloading of software within 24 hours, and we usually do. Fortunately our group maintains sole charge of the monitoring network itself. Because of this we can maintain that minimum downtime performance. The ambient network is separate from the office systems network but must interface at various levels in order to be maintained in 24 hour regulatory monitoring operations.

On the otherhand our network operations are the charge of the IT support staff that I mentioned beforehand.

Regarding ease of use, interfacing with the office systems network and your next two questions, Yes and yes. Albeit strictly, and I mean strictly for work purposes, having the permissions in place to load and test vendor software and to perform some evalutations, some programming, some prototyping and settings tweeking make doing the job and getting it done oh so much faster and more efficient. The current policies in place mean either waiting a week to three weeks to accomplish the same task or not being able to fully function. Either way thier response is the same.

The "that's the way other departments do it" argument doesn't fly. Other districts have made the decision to allow modified adminstrative privileges to facilitate the ease of job performance. This started with the implementation of Win2k. This was the first point where the potential breakdown revealed itself for reasons that are all well known. It is important to note the structure of the IT and systems support organization for the particular deparment. The top tier is the department BIS. A great group of folks that are on top of their game and that our section has the pleasure of working with from time to time. They have no problem with granting admin priv's. Then below them is the division. This is actually split into 7 groups. The division ITSG and 6 autonomous districts. The 6 have granted the modified admin priv's. They function with no problem. The ITSG seems to have the problem. Unfortunately our office systems support comes from the ITSG.

Policy.. The ITSG makes the policy. Input, gripes, needs assessments, requirements, none of the above considered, ITSG makes the policy.

Insomuch as the way they are doing their job, well, unfortunately we and other sections have a well documented history of problems spanning 4 years. When a problem happens I don't just jump out and point fingers. I usually come to places like this and research, pick brains, document and analyze solutions. The problem is that with the state not paying IT support the way they should, turnover becomes an issue. Prolem issues are suppressed at the management level in lieu of IT support staff retention. Understandably so, training new IT support employees is tedious and can be shaky while supporting and maintaining the office networks. If they could properly document the system the training issues could be better controlled.

The primary solution to all of this is a management solution. I am convinced of this. What I am seeking in this forum is more along the lines of what other's experiences may be in similar situations, what works, what doesn't and what advice can be rendered.

Collapse -

Now I think that I understand

by stress junkie In reply to Ok, hopefully I can provi ...

Your response was even more enlightening than I had expected. I was originally concerned that you were a nontechnical person who likes to mess with their equipment in work because 'the IT staff can fix anything that I break'. I've seen that attitude a lot.

It's clear that you know what you are doing and that your job requires that you perform some computer configuration. Also, you have your work to do and don't want to waste time with setting network broadcast masks or other tedious routine stuff so you want the ITSG staff to provide support services.

Clearly you should be allowed to perform your work. The ITSG management should understand this. The only justification that I can imagine to restricting you from your required capabilities would be if your group has a long history of creating unnecessary work for the ITSG staff. In that I mean to say that I would expect more calls from your group due to accidents or a test that went bad. The ITSG staff should not restrict you due to an expected higher level of support required due to the nature of your work. If I were the ITSG department manager I would take a very flexible view to higher support requirements for your group. I would only resort to restrictive policies if certain people in your group frequently made huge errors that affected other people not in your group AND if your department manager didn't try to address that.

So I sympathize with your position. The higher levels of IT management have authorized your people to use enhanced privileges. So what can you do? I suppose that you could 'go over the head' of the ITSG department management. Although this approach often results in sabotage from the people who have been forced to do something that they didn't want to do I would guess that you have little to lose. You are already being treated like a strictly administrative department.

The post by adunlap describes a reasonable approach to dealing with special requirements. Your job entails special requirements. Over the years I've often supported techncal groups. It is usually very easy to determine what the clients need to do and what they don't need to do. Your ITSG department should be able to accommodate your needs without any problem.

So that's my opinion. I hope that adunlap and I have given you some ideas to take to your ITSG management, or to their bosses.

Collapse -

Greatly appreciated,

by collins_rf In reply to Now I think that I unders ...

The vast majority of clients that the ITSG serves are administrative and totally non-technical. They are the regulatory arms of the division. There are only a couple of technical sections and one audit section that performs both administrative and technical functions. Unfortunately there are some cultural clashes that occur, albeit unnecesarily. Why the ITSG doesn't stratify requirements based upon function, I cannot say. I can only hope that a discussion can be facilitated by the management so that we can lay out requirements and come to an agreement on how to proceed. Without some management intervention these conflicts will continue.

Thank you for the post.

Collapse -

Consistency of service.

by TonytheTiger In reply to Appropriate assignment of ...

We lock the workstations down, then as a need may arise, we relax restrictions as little as is needed in special cases. Users generally may not install applications that change the registry, nor can they install any hardware (that means anything that connects to the PC with a wire). We try to give them everything they could possibly need, but if they need to do something they cannot do with the tools provided, we handle it on a case-by-case basis.

This allows us to be more efficient, not having to maintain 200 different hardware configurations, and able to address problems quickly.

It's just like file permissions on the network. If you leave it open, eventually someone will, accidentally or deliberately, mess something up.

Yes, it's possible to fix almost anything a user could possibly mess up, but isn't it better to try to prevent the problems in the first place, and eliminate the potential downtime?

Collapse -

I don't disagree..

by collins_rf In reply to Consistency of service.

I don't disagree. I like the sound of the way you operate. In our instance I would even suggest that we coordinate with our IT staff and perform system backups prior to any needed hardware or software installations. In our case we do have to perform these kinds of operations and some do alter the registry. It's part of the way these systems operate. In our field systems that is how we do it, but we have full control of our field systems. If you want details read my response to the first poster in this discussion. I really don't want to have to type that out again.

Related Discussions

Related Forums