Thursday, January 24, 2008

User, Generic


Ah, the "generic user". Bane of the IT set. How I hate you, you lazy little tool.

Instead of making everyone use their existing domain account, sometimes the decision is made to grant access to network resources via generic accounts not tied to specific users. In some cases (let's not name names, stupid non-disclosure agreements) the password restrictions are relaxed and the permissions enhanced. For instance, the generic account "testuser03" with the password "testuser03" would have complete authority to change anything and everything on the system while the user making use of the account would be much more limited in his own granted permission set.

Why would a company ever allow this kind of foolishness?

The answer is probably more simple than you'd think.

Unfortunately, I don't have it. Other than basic laziness or malicious purpose, I have no idea why anyone would allow it. Yet many do.

While having Superusers test an application makes coding that application easier no doubt (what with no worry about permission issues and all), recovering from an issue becomes an exercise in ghost-chasing. Sure, you can eventually figure out which machine was connected to the server at the time of crisis, but tying even that information to a real, punchable, living human is difficult.

This morning a user (an actual person) was directed to my desk because his remote session was unable to connect. This happens, so I logged into the server to find his session and actually end it to resolve his problem.

Instead of his name, or any name but my own, I was greeted with a list of connected sessions for "Testuser01" - "Testuser09", all in the same state according to the server.

"What are you logged in as?" I asked him over the cubicle wall as he had drifted back to his desk.

"I'm logged in as me."

I didn't see him, so I figured I was on the wrong server. It isn't like there is a list somewhere of what server has what purpose, so this is all guesswork anyway.

I cycled through half a dozen servers looking for his account and feeling more and more dumb.

Maybe, I decided, his session ended on its own while I was looking.

"Hey," I attempted to get his attention again as he was surfing,"Try it again."

Sometimes just giving it a minute allows an IT person to look like a miracle worker. The only work involved is crafting a root cause, which (in my experience) usually has something to do with phase modulation or a faulty flux capacitor sub-system.

However, his session was still stuck.

"Are you getting an error message? Are you sure you are logging in as you?"

"No error. It just sits there."

Between you and me, it does not "just sit there". It never "just sits there". Something happens, even if you have to note the order in which the system fails to a hung state and appears to do nothing.

I walked over to look. The screen was blank and looked for all the world like his disconnected session was not allowing him access.

"Start over, please. A new browser window."

He sighed, obviously very sad, and did as I requested.

The username field was blank, and he typed in his account name. You can probably guess that opposed to some variation of his first and last names it instead read "Testuser03".

Rather than stab him, I just logged off the session to give him access I am certain he did not merit.

I went immediately to the Corporate Wiki Site and posted this haiku:


Generic Account

Who the hell are you really?

Probably a noob.

No comments: