From: Strata Rose Chalup (strata@virtual.net)
Date: Mon Oct 02 2000 - 19:49:10 PDT

Jeff Bone wrote:
>[...] this sort of "race" between sysadmins, who
> want to de facto control access to information resources

Actually, Jeff, as a semi-reformed (and recently backsliding) former
sysadmin myself, I have to say "bzzt!". We don't WANT to, we feel that
we HAVE to in order to survive.

Sysadmins are continually held responsible for information resources by
higher management, whether or not they have any actual control over
content, security, etc. So it becomes a matter of sheer CYA to try to
control any information services in an organization. That way you have
some chance of keeping it working, or starting with a known-working
state when it breaks.

"You certainly can do that, but first please put it in email, print it,
and give me a signed and dated copy for review by my management." For
really good stuff, it's "...and give me a copy dated and signed by both
you AND your manager." And if they actually give it to you, copy it,
give it to your manager, and make him sign it if it's sufficiently
stupid. Then just let things happen. But even if you manage to pull
that off, which is rare, you still hit Rule #1.

Rule #1 is that it always belongs to you. No matter who you get to sign
off on things, who ACKs that you are disowning a host, a service, a policy,
etc. When something goes wrong, upper management will ALWAYS come down
on the systems people. And it doesn't matter how upper you get, if you
are in IT/IS instead of in Eng or R&D or ISP/ASP Ops, you are expense,
not revenue, and you get your *ss kicked all the time for other
departments' screwups.

If the sales guys spend all their hardware budget on parties for clients
and run out of disk space for the contacts/leads database and are
suddenly dead in the water with RDBS errors, it is your budget that has
to suddenly get tapped for hardware, not theirs. Good luck getting it
back.

If the engineering department completely ignores the "official" hardware
guide and goes out and buys souped-up development systems from another
vendor (leaving you stuck with a mishmash of equipment that may or may
not support your software standards, let alone spare parts pool), your
group has to just deal with it unless your (expense!!) VP of IS/IT is
politically stronger than the (revenue) VP of Engineering (yeah, right).

If the r&d department throws a complete curveball around the entire
acquisition and evaluation process because of a visit from the regional
manager of sales from Vendor B, when Vendor B's product failed your
functionality evaluation, you get told that Vendor B is a big vendor,
their stuff couldn't possibly suck that much, and you should "just make
it work".

If your exec staff insist that you have to leave the telnet port
unfirewalled so some expen$ive management consultants from the City can
work remotely, you can't even make them sign anything that says "IS&T
won't be held responsible for this!" (Well, ok, I got that once, but I
had to drop my pager and badge on the Director's (my boss's boss) desk
and be prepared to walk away to get their attention. And no, it wasn't
a bluff, if they'd gotten their way I'd have been the natural scapegoat
for the VP level above the guy.)

[Just FYI, these are all examples from PAST employers, thankfully...]

So yeah, sysadmins are jackbooted thugs most of the time when it comes
to security and even to internal services. They do nasty things like
take away root from users, build firewalls, force you to use ssh/scp
instead of telnet/ftp, and so on. Because when all's said and done,
it's not YOUR pager that's going to go off at 3am or on the weekend when
something breaks or is broken into, it's the sysadmin's pager. No
matter how many /etc/motd's you put up, or web page disclaimers, or
notes on the printer saying "this is my personal printer, don't use it,
if it breaks call me and not IS&T", etc.

Some systems departments will let users do various system-ly things if
the user is willing to a) carry a pager or b) give out their home/cell
number or c) both. Amazing how many users aren't willing to stand
behind what they put up when they're the ones who are going to get the
call. In most places that won't work, since if anything goes wrong the
IT Dept's boss, someone at the VP level, is going to say basically "why
the hell were you letting them do that?", even if the answer is "because
their toadies can beat your toadies, boss, and you have to lean on their
bosses and make the chimes ring all the way down the belfry". Also the
help desk will call you first, no matter what, and may not be able to
route a call to someone who they don't have a pull-down "Assign Ticket"
menu for. :-(

When you ARE the fan, you know the location of the bullseye. Intimately.

_SRC

PS- And you have no sympathy at all for the jerks who want to save
themselves 5 minutes of hassle, or the energy of sparking 2 neurons
together, or both, and don't care if it means other people can't work or
that the sysadmins get calls at all hours.

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Strata Rose Chalup [strata@knownow.com] | strata@virtual.net, KF6NBZ
Director of Network Operations | VirtualNet Consulting
KnowNow, Inc [http://www.knownow.com] | http://www.virtual.net/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++