In the early part of my IT career I spent a lot of time behind the administrative console tweaking security settings and really locking down the network. People would come to me with access requests which I would either allow or deny based on my interpretation of the security policy of the organisation that I was working for.

The truth of the matter is that I had a lot of power, perhaps more than was appropriate because I didn’t really understand the business or its needs and seldom had any empathy for the users that I was dealing with. I was a PFY fast turning into a BOFH.

Today I don’t spend nearly as much time behind the administrative console and I have to deal with BOFHs just like every other luser. My new position in the world has given me a greater appreciation for what it is like waiting for an access request and getting the third degree from someone other than the business owner as to why I need this level of access.

More often than not a request for increased network rights will result in a negative response and I will be forced to try and compress years of experience into a document for a technician to execute on my behalf. For other users the issue might be as simple as getting the rights to access a particular share on the network or the ability to provision WSS sites from SharePoint Portal Server.

It is now my opinion that the general practice of centrally managing access sucks. Essentially the problem is the lack of support for federation and delegation in the tools like Microsoft’s Active Directory and Novell’s eDirectory products.

Now before all you security gurus pipe up and tell me I am wrong, think about all the organisations out there using a directory services product, and then think about the extent to which those organisations delegate authority to manipulate parts of the directory. You could probably count them on one hand.

Even if there were the desire to support delegated authority in your organisation’s directory service, how many users in your organisation could use the Active Directory tools effectively? I would guess that most would give up without getting anywhere, some would succeed, and, scarily, some would cause some kind of irreversible damage to the directory.
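To give a concrete sense of what delegation in Active Directory actually looks like today, here is the kind of thing a directory administrator has to type to hand a helpdesk group the right to reset passwords for users in a single OU. This is an added example, not something from the original post; the OU path, domain name and group name are made up for illustration, and the commands rely only on the built-in dsacls tool.

```powershell
# Added example (not from the original post). All names below are assumptions:
# an OU called "Sales" in the example.com domain and a group EXAMPLE\SalesHelpdesk.
$ou    = "OU=Sales,DC=example,DC=com"
$group = "EXAMPLE\SalesHelpdesk"

# Grant the group the "Reset Password" control-access right on user objects
# beneath the OU. /I:S applies the ACE to child objects only (the OU itself is
# untouched); CA = control access; "user" restricts it to objects of class user.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# A password reset is useless unless the account is also forced to change it at
# next logon, so grant read/write of the pwdLastSet attribute on user objects.
# RP = read property, WP = write property.
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Verify: with no other arguments dsacls dumps the full ACL of the object, so the
# new inherited-only ACEs for SalesHelpdesk should appear in the listing.
dsacls $ou
```

Note that nothing in the two grants above is discoverable from the command line itself: the administrator has to already know the permission codes, the exact display name of the control-access right and the LDAP attribute name. That is the "user experience" problem the post is describing; the capability exists in the directory, but only a specialist can exercise it safely.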

Basically – the user experience is so bad for the end user that the feature may as well not even exist. So what is the solution? That’s a subject for another post!