|
 |
On Fri, 04 Jul 2008 01:17:10 +0200, andrel wrote:
> Jim Henderson wrote:
>> On Thu, 03 Jul 2008 23:16:17 +0300, Eero Ahonen wrote:
>>
>>> Admins need to be people you can trust, because they actually can read
>>> your files/emails .
>>
>> I've been saying that for *years*. I'd get questions every once in a
>> while from managers wanting to keep their IT people out of files on the
>> network. My first question was always "why don't you trust your IT
>> admins?".
>
> A manager thinks he and only he is the boss, unless it is a woman. In
> which case she thinks she is the boss. I think it comes as a surprise
> when they find out that other people have more access than they. And no,
> they are not going to give them the same permissions. Especially if
> these people are much less pays than themselves.
I've only on a couple of occasions working in IT had a boss who insisted
on equivalent permissions to the ones I had. One was a relatively small
business (just a couple hundred users), and he actually backed me up, so
it made sense.
But the whole notion of having an administrator whom you don't trust is
just inherently wrong to me. If you don't trust them (as a manager) AND
can show cause WHY you don't trust them, then they shouldn't be your
sysadmin. End of story.
On the flip side of that, it's the sysadmin's responsibility to act in a
trustworthy way. I *always* had access to financial information, salary
information, and the like, and I *never* *ever* abused my authority to
see what my peers were making or find out how much the CEO was making. I
honestly just didn't care - it's not as if knowing that is going to get
me a raise anyways.
> In our hospital the IT people have access to all rooms and labs, even
> the ones that are protected with badge readers because people may be
> using e.g. genetically modified organisms or dangerous chemicals there.
> It is impossible to have their access restricted (or force them to get
> the right qualifications to enter). So we simply have to trust them that
> they only enter in case of a real emergency, i.e one that can't be
> solved by disconnecting the networkport.
That's a good level of trust. I'll bet the management puts a lot of
effort into making sure they hire people who are trustworthy.
Some companies have an "administrator agreement" that the admins must
sign that says they won't abuse their access. Last company I worked for
had that, ironically, I never did sign one - they just never asked me to.
I also have always insisted (when I've had administrative access) that I
be allowed to disable my own accounts and to *force* my boss to change
the administrative password with me not watching so they *know* I don't
have that information. As an IT person, there's nothing worse than being
even *accused* of inappropriate access once you've left the company.
That can be a career killer. I was asked to leave one job by my boss'
boss (don't know if the boss ever found out why I was leaving - it was
because he was a very poor manager and I called attention to it with his
boss - and his boss had been given the task of turning the poor manager
into a good manager; so basically, I was telling the director he was
failing at one of his main objectives, and he just didn't like it being
pointed out). I still got them to let me delete my own account and then
change the administrator (and the emergency backdoor administrator)
passwords.
I never heard from them again. Well, I bumped into the boss at a trade
show a few years later, and he acted like I should be happy to see him.
I wasn't, but I was polite to him, while still getting out of the lunch
area as quickly as was reasonably possible.
Jim
Post a reply to this message
|
|
