Wednesday, April 15, 2009

Access Control

I returned to my desk after lunch to find the other 50% of Tactical Services alternating between laughing and sobbing.
"I can't work," he told me.
"I know," I answered, "I'm not into it today either."
"No," his eyes took on a manic gleam, "I can't log in anywhere."
As the Earth-bound Avatars of Security, an inability to log in to the servers is like having our wings clipped, like vampires waiting on an invitation to enter a home, like Superman confronted by a Kryptonite wall. Or like me confronted by a Kryptonite wall. That stuff is carcinogenic. And likely heavy.
Anyway, this story rightly begins several months ago when someone asked us (Tactical Services) if we were in favor of keeping the number of users in the Local Administrators group small. Of course we are, and while we are at it can we keep the users off completely?
Well, that change went through yesterday at noon and it seems our approval meant a merciless culling of that group. Including our own access.
Obviously this couldn't stay that way, but the person who administratively approved the change was out of the office, so revoking the order was impossible. Further, we in Tactical Services felt comfortable in yelling about our inability to work but not in approving our own access rights countering a Managerial order due to the obvious conflict of interest.
It was decided to sling us into another Administrator group on the server.
As Tactical Services is the group responsible for granting access to the servers, the request to restore the access came to us. Of course, since our own access rights were the ones missing, we had no technical way to restore them. We would need the access we had in the first place to restore the access we had in the first place, turning the whole situation into a slightly less nerdy episode of Dr. Who.
Internet, this went on for over four hours. No kidding.
At one point I was asked to do work. It needed to get done. Not having the proper access to let me do it cleanly and according to best practices, I hacked the change into place.
I then sent an email to the group that removed my rights informing them that if they planned to remove the access for the Access Control group, they should be more thorough since I apparently still had way more ability to change something on a server than they intended.
But that was wrong of me, a reaction to the ridiculousness of the situation itself. And pretty funny.
At one point we had one group with approval to make the change but no rights and another group with the rights to make the change and no approval. There was no Corporate mechanism to form up into the Voltron of Productivity, so our little robotic lions were left on their own, growling at sudden noises and wondering who invited Pidge to the group.
My access works this morning. I have seen no paperwork documenting the changes needed to make that happen, or the changes needed to have removed it in the first place.
I'm not new enough to actually expect that documentation to materialize, so I've been writing up my own and setting it as the desktop wallpaper on those servers, lest someone forget the terrible, terrible mistake they made.
