Thoughts on Account Provisioning
A few weeks ago I gave an interview with VPNHaus (part 1) (part 2), regarding account provisioning in the enterprise. I'm writing this as a follow-up to the interview to discuss the issues in greater detail.
First of all, account provisioning is probably one of the most crucial but utterly boring parts of IT. From the perspective of the systems administrator it's a matter creating the user record and figuring out what sort of access they need to enterprise resources. In many places it's a mater of click, click, type, click, click and then press the OK button. For the new user, this will probably be the first introduction they have to the IT organization.
Since IT doesn't do the hiring for the company, this data needs to come from somewhere. That's where HR comes in. HR provides things such as the proper spelling of the user's name, whether they will need remote access to the network (ie: VPN), and a general overview of what the user will need rights to. Again, this is another entry level, boring task that generally requires someone to fill out a help request and then let IT deal with it.
I've seen, though, in many organizations where there's a breakdown in the communication that IT gets from other parts of the organization, particularly HR. The standard operating procedure at one place that I worked was that IT was informed that there was a new employee on their first day. This resulted in a mad dash to provision an account as well as provide basic resources such as a computer, phone, or in some cases even a desk.
Now, what happens when an employee leaves? IT is usually insulated from the rest of the organization either physically or logically, so again the request to terminate access needs to come from HR. In smaller organizations this is less of a problem because generally people will hear about a departure through the grapevine. This isn't a hard and fast rule, though. In a company of less than 50 employees I'd sometimes not be told of a departure until after the fact.
This presents a problem because if IT takes it upon itself to delete a user that it thinks should be deleted there's a risk that important data could be lost, or that the user has a legitimate need to retain access for one reason or another. On the other hand, if IT decides to do nothing, there's a vector for attack where, depending on the circumstances of the employees departure, they might have a motive to use the enterprises resources maliciously.
All this leads to the need to have strong policies in place that dictate the workflow of a user request. This is a policy that both HR and IT need to agree to, and it needs to be efficient, effective, and enforceable. Unfortunately this seems to not happen in many small to medium sized business, and if nobody knows to do anything the user walks into their first day on the job not having an email address, a login, or even a computer. By creating a workflow, there's the ability to first deliver correct information on time and provide accountability across all of the steps needed to create the account.
For example, the company hires a new salesperson. Presumably there will be at least a two week lead-time before they join the company. HR then fills out a request for the new account, supplies the correct spelling of the user's name, provides whatever other information is needed by IT such as contact information and necessary access levels. IT then should, with some measure of expediency, fulfill the request and confirm with HR that the account has been provisioned.
The process should be similar when the employee leaves. HR should notify IT that there's a departure and fill out a request to have the account disabled. Depending on the circumstances of the departure it might be necessary to escalate that to a higher priority level, or let IT know about any special requests (ie: do not delete but disable the account, forward email somewhere, etc.) IT then should expediently handle the request and again confirm with HR that the request has been completed.
While many folks in the trenches (including myself) bemoan the fact that IT is a "service organization," it is one that can only do it's job efficiently when given good data and good policies to follow. For the organization to work efficiently, there needs to be clear instructions and expectations on what to do, how to do it, and when. Sadly it seems that these common-sense policies generally come into effect well after there have already been issues that could have been prevented.
Clean Server Room
I spent the better part of today going through the server room and cleaning out years of accumulated junk that had been thrown in there.
Highlights include:
- 100+ DLT backup tapes, all headed to the degausser on campus
- 30 heavy gauge power cables from various servers
- Norton Internet Security 2004, never opened
- Office 2000
- Tons and tons and tons of empty boxes.
The goal? To make it so that when I need to retreat away from the noise of my office and actually get some work done, I have a place to go that not only has a door, but a door protected by a mag reader. And, if I position myself close enough to the Liebert (which is where the table is in the room) I don't get blown on. The ambient temperature of the room is about 74 F which isn't bad, and the noise from the servers is at least better than listening to people talking loudly.
Oh, and Jae is a jerk.
Productive at Work
Over the last few days I've setup Dell Openmanage and finished tweaking our install of IPMonitor. Now, when a service goes down or there's a hardware failure I'll get an email notifying me. You'd think that this would have been setup before, but my predecessor apparently just scheduled weekly walkthroughs of the two datacenters to look for amber lights on the servers.
Tomorrow's project will be configuring tighter rules for alerting that will go right to my phone via a text message (I only want the really critical errors to come there) as well as automatically open up a helpdesk ticket. I also began sketching out a new server inventory which I will need to put into Sharepoint along with some other documentation.
It's a fairly slow time right now, and since I've gone to work in academia I've really enjoyed the ability to set things up the right way, rather than rush from fire to fire like I had to do in startup-land. That's not to say that I don't miss some of the fun of being in a startup - I worked with some absolutely brilliant people at Grid, and I really miss spending time with them and having debates and conversations about tech.
I also found a piece of software which, so far, has helped me a lot. My desk is right outside of the office that the desktop support folks work out of, and there's a lot of traffic in and out of there. It's very distracting to be troubleshooting some server or network problem and hear people BS'ing with the desktop folks. Since my desk is actually in a really nice space (although it's a bit small) and there's political reasons why I can't move into an office, it's become imperative that I find some way of isolating myself. Well, besides the big frosted Japanese privacy screen that I set up in front of my cube, I found an OSX White Noise Generator, Noisy. I have it set to generate pink noise at about 10% of my iMac's volume. It's a small app that I just keep open on my second monitor and jack up the volume if someone starts talking loudly or I really need to focus.
I still miss working with Jae, even if he was noisy.
New stuff at www.BenRuset.com
Just made a quick page for www.BenRuset.com. Has a nice minimalist feel to it.
The picture is of my Touareg (the 'egg) at the Forked River Mountains.