Who has admin rights in your company?
Guys, I'm trying to work out the best method for deciding who gets what kind of rights in the company I work in.

We have all sorts of people... desktop support, applications support, developers, administrators, and 'architects'. Trouble is, too many have too many rights on the systems, and because too few of them really understand what they are doing, mistakes get made.

What would be the minimum needed to let someone loose on the network? Number of years in the job? Qualifications, particular courses or education?

How do you guys do this in your work?
#1 at 15:15:53 - 15/01/2009
Stevas
I do.
Me.
In fact, I'm pretty much the dude when it comes to admin on the servers around here.
Yeah.


You go think about that.
#2 at 15:16:58 - 15/01/2009
peej
Here, everyone's given blanket access to everything from day one, but they're made to sign an agreement that they won't do certain things (like excess facebooking, peer to peer stuff, looking at porn, downloading illegal movies etc).

If they're later found to have broken that signed agreement, their contract is terminated forthwith.

Basically we give 'em all the rope but if they later hang themselves with it, that's their career (and their degree) down the shitter for...well, for very little really.
#3 at 15:18:39 - 15/01/2009
mal
Everyone has admin rights on the computer(s) they use. Apart from that, admin rights are allocated on a role-by-role basis. Managers have admin rights to certain personnel systems (but not full admin rights - they can't see your age, for example). Different offices have different rights depending on where they are. Build engineers have admin rights on the build machines.

There are a set of basic rights everyone gets by default (based on territory). Extra rights are assigned to certain roles.

Oh, and there's a firewall installed on each machine that basically only lets out HTTP, POP3 and a few other ports by default. And web access is filtered, supposedly (but I haven't seen the warning in ages), plus mail is scanned for rude words.
#4 at 15:29:53 - 15/01/2009
peej
Should've added - we do a fair amount of port blocking and naughty URL banning at the big fuck-off firewall we've got installed but we're not too nazi-ish about that yet, though Facebook usage stats seem to be creeping up again so we'll probably be switching that off for people real soon...
#5 at 15:37:47 - 15/01/2009
frod
You get what you need to do your job here and nothing more.
#6 at 15:38:15 - 15/01/2009
Mapster
Give it to absolutely no one.

If you do, your network will buuuuuuuuuuuurn!
#7 at 15:47:15 - 15/01/2009
HairyArse
Just me and I don't know what to do with them half of the time, never mind anyone else.
#8 at 15:55:15 - 15/01/2009
peej
HairyArse said: Just me and I don't know what to do with them half of the time, never mind anyone else.

Sell them for sexual favours like a good admin should?
#9 at 15:56:27 - 15/01/2009
Jellyhead
It's decided on a role-by-role basis. If you need a permission to do your job then we give you an account with the rights or delegate them to you.

Me, I'm a Domain Admin/Enterprise Admin.

Fear Me! :)
#10 at 16:15:57 - 15/01/2009
Carlo
Guys, what would you say a number of years' experience equals in qualifications?

I'm thinking something like:

10 years exp or Degree or MCSE
5 years exp or 'A' levels or MCSA
2 years exp or MCP

Sound about right?
#11 at 16:17:55 - 15/01/2009
frod
No?

MCSE is worthless.
#12 at 16:19:42 - 15/01/2009
Jellyhead
I'm loath to say there's a correlation between experience/education and competence.
We have people here with lots of qualifications and they can barely even log in without a guidebook.
Yet we have new people here with no real formal qualifications and they are whizzkids.

Sorry for not helping :(
#13 at 16:20:44 - 15/01/2009
peej
Depends on the role. A regularly updated MCSE still opens a few doors but tbh it's nowhere near worth 10 years IT experience.

Within the rest of your structure though it makes sense.
#14 at 16:20:58 - 15/01/2009
frod
When I did mine (on NT 4.0, heh) it took me about six months in my spare time. It was pretty irrelevant to the actual problems you'd experience on NT 4.0 as well.

Is it still just 6 multiple-choice MCP exams?
#15 at 16:35:46 - 15/01/2009
peej
Heh, you sound like me. That's the era I did mine in. I did the Windows 2000 update but never did anything else. And yeah, it was a lot of bookworming and a lot of tedium.

Still got the badge somewhere though. Wooh.
#16 at 16:37:45 - 15/01/2009
Carlo
frod said: No?

MCSE is worthless.

On its own of course, but if you ran a business, before you were to hand over the domain admin password what would you say the minimum would be?

5 yrs + 'A' + MCSA maybe?

And if they were going to design your domain (or make any design-level changes) what would you demand?

10 yrs + Degree + MCSE?

I'm thinking they must satisfy 2 out of 3 of them... So 10 yrs + MCSE but only 'A' level would be the same as 5 yrs, MCSE and Degree.
#17 at 16:44:03 - 15/01/2009
peej
Sort of but it would massively depend on the person.

Here, for certain admin roles we'll take someone who knows AD inside and out over someone who's got a lot of paper qualifications. If they can demonstrate how to consistently solve certain AD quandaries that crop up they'd get the job over someone who just parrot-fashion learned MS accreditation stuff and grabbed a couple of certificates.

Their CV and previous roles will speak volumes. Put it this way, if they've spent 10 years as a sysadmin for a relatively large company, then it's a safe bet that your admin rights would be in safe hands. If they've had more job changes than underwear changes in the last ten years, bin the CV and move on.
#18 at 16:55:22 - 15/01/2009
Carlo
Except peej, it's for people already employed in the company. Lots of internal staff with too many rights and too many mistakes being made.

The crazy idea: Give rights to 'qualified' 'able' people so the dumb aren't allowed to make the mistakes.

The problem: How do you categorise people to help decide if someone should be given the rights to do something?

As for people with 10 years in 1 job... I wouldn't touch 'em as much as a person with lots of jobs in 10 years... Your 'lifer' will not know how anyone else does things and will carry over poor practices as much as the good; the 'job-hopper' will never have seen a cradle-to-grave... Someone in between the 2 is better.
#19 at 17:01:21 - 15/01/2009
peej
Swings and roundabouts really. Our last head of group was at ICI as a sysadmin for 10 years, bloke knows a truly frightening amount about server administration and networking.

Job hoppers come in two flavours: those who do it because they're fucking hopeless and keep getting fired or encouraged to move on, and those who do it to continually advance their knowledge or career.

As you're applying it to people already employed by the company I think you've pretty much answered your own question as to how to filter out who gets sysadmin privileges and who doesn't. If you're running a decent domain setup there, at least it's easy to chop and change access rights using policy.
#20 at 17:05:52 - 15/01/2009
Rhythm
Actual job requirements should rule over all. Qualifications are useless for this sort of thing - you should really be looking at providing people with enough access to do what they need to do, and pretty much nothing more. I'm one of the two 'god mode' admins for our online applications and having wide-open access has previously caused no end of issues.
#21 at 17:36:29 - 15/01/2009
Carlo
Rhythm said: You should really be looking at providing people with enough access to do what they need to do.

I think that's the fundamental problem over here - they don't know how to do the jobs they have been given :(
#22 at 17:46:26 - 15/01/2009
eviltobz
Rhythm said: Actual job requirements should rule over all.

Especially as you're talking about developers and the like. Yep, some of 'em may be numpties, but they need permissions to do what their job requires of 'em; it's not like they're all just doing general office admin stuff where things can be locked down tight. Having worked for a mercifully brief amount of time at a company where I wasn't allowed to so much as install ANY software on my own machine, I know how crap that level of security is. Set up a few roles with different levels of permissions and slot people into the higher ones as they need it to do their job. If someone absolutely has to have full domain admin but they are a class A mongtard, whether qualified or experienced or not, raise things with their line management, your line management and so on to either get someone else to do that work, or for someone higher up than you to accept ownership of any problems they cause.
#23 at 17:51:11 - 15/01/2009
Micro_Explosion
It can be reasonably simple: you need a mini online training thing that everyone has to complete, something basic like a powerpoint slideshow with questions at the end or a dummy version of the program. Something like that.

Then you also need to have a form where they have to justify what they need it for and why it is them and not the central controller or software owner that should have the access only.

Qualifications are irrelevant - they need to justify why they need it, not why they could have it if they feel like it. If you need another layer of filtering then you need an official training system - sit them in a room with them demonstrating their capability. Only an hour long or so, nothing major.

I had to write a half page justification when I wanted internet access where I am. It's the only sensible thing they've ever done though.

As you probably know, most of the people will want access because their mate has it and they think access relates to their significance. Put up just enough of a barrier to that and you'll significantly reduce the problems you're getting.
#24 at 20:12:43 - 15/01/2009