As of this writing Rocky, Ken and Daniel have all replied to my original post on the shortcomings of network security, in particular the delegated authority features of directory services packages like Active Directory and eDirectory.

Daniel seemed to take the post in the spirit that it was intended and started suggesting some fine tuning that could be done to the Active Directory management tools which could improve things. Unfortunately there is no point adding salt to a broth of rotten vegetables and smelly socks.

Here is my question for you Daniel – if you were playing the role of an interaction designer how would you enable users to manage security using tools that they are already familiar with? Hint – it won’t involve a tree view or an explorer style interface, but more about that later.

Both Rocky and Ken came back with fantastic responses listing all the reasons why the system exists in its current state:

  • Managing authentication and authorisation is complex.
  • Users could open holes up in the network security.
  • The tools require training to use properly.
  • An infinite number of settings and configurations.
  • Lack of tools to manage delegation.

Bzzzt. Wrong answer guys. Here I am, a user, and I’ve presented you with a problem, and rather than envisioning a solution you’ve given me all the reasons under the sun that I’ve got no right to question the current state of affairs.

What I want you guys to provide me with is something like the following:

  • Managing authentication and authorisation is as easy as e-mail.
  • The system defends itself from holes being created in the network.
  • The tools have an inductive user interface.

Actually, as I write this I already have a good example of an application that effectively delegates the responsibility of access control to the users, that is neither complex nor, as far as I am aware, has opened up holes in our network. Furthermore it has an inductive user interface which has allowed non-technical staff members to effectively grant and deny access to resources.

What is the name of that product? When a Windows SharePoint Services site is created, the person who created it is made the administrator of that site and is responsible for granting or denying access to that site. If someone tries to access the site they are given the opportunity to provide alternative credentials, and if they fail three times they are presented with a screen that they can use to request access to the site, or some particular function of the site (if they already have limited access).

When they click send, an e-mail is sent to the site owner who can then grant the level of access requested. I have been using this feature for quite some time and although it's not perfect it's a darn sight better than having to put in an infrastructure request (which we also manage on SharePoint) to have someone adjust an ACL.
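To make the workflow concrete, here is a small model of the owner-delegated access-request flow just described (three failed attempts, a request form, an e-mail to the site owner, the owner granting exactly what was asked for). This is an added example, not SharePoint's code; the `Site` class, its method names and the sample users are assumptions made for the illustration.

```python
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3  # the third failure hands the user the request form


class Site:
    """Hypothetical model of a WSS-style site whose creator owns access control."""

    def __init__(self, name, creator):
        self.name = name
        self.owner = creator                  # creator becomes the site administrator
        self.grants = {creator: {"admin"}}    # user -> set of permissions
        self.failures = defaultdict(int)      # user -> consecutive failed attempts
        self.pending = {}                     # request id -> (user, permission)
        self.outbox = []                      # e-mails "sent" to the owner (constructed)
        self.audit = []                       # every decision, for later review
        self._next_id = 1

    def access(self, user, permission):
        """True if allowed; False on an ordinary denial; 'request_form' on the
        third failure, mirroring the screen the user is shown."""
        perms = self.grants.get(user, set())
        if permission in perms or "admin" in perms:
            return True
        self.failures[user] += 1
        self.audit.append(("denied", user, permission))
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            return "request_form"
        return False

    def request_access(self, user, permission):
        """The user fills in the form; a notification goes to the site owner."""
        req_id = self._next_id
        self._next_id += 1
        self.pending[req_id] = (user, permission)
        self.outbox.append(
            f"To {self.owner}: {user} requests '{permission}' on {self.name} (#{req_id})")
        return req_id

    def approve(self, approver, req_id):
        """Only the owner may grant, and only the permission that was requested."""
        if approver != self.owner or req_id not in self.pending:
            self.audit.append(("approval-rejected", approver, req_id))
            return False
        user, permission = self.pending.pop(req_id)
        self.grants.setdefault(user, set()).add(permission)
        self.failures.pop(user, None)         # reset the counter after a grant
        self.audit.append(("granted", user, permission, approver))
        return True
```

Note that a grant is scoped to the single permission asked for, so the owner cannot accidentally hand out more than the request named, and the audit list records who approved what.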

So my question is – if it's good enough for a WSS site that stores all manner of corporate data, why is it not good enough for file system access, printer access and *gasp* logging into the network in the first place?

How can we take this simple but effective approach to delegation and expand it to work across the entire Windows platform, and indeed across all platforms?