We used to get users submitting requests to be added to ABC and XYZ group, not supervisors mind you, just end users. I used to grant the requested network permissions, until I got burned one day when a supervisor who authorized John Q User to have access to that ABC folder.

So now I have a form that lists all of the available security groups. When John Q User needs access to a particular folder I tell them to have their supervisor fill out the form, sign it and return it to me.

I process the form, stamp it with the current date and scan it to a PDF file that is retained for all of eternity.

What do you do?

21 Spice ups

My procedure is quite simple:

“no.”

12 Spice ups

Inform them that those requests have to go through their supervisor or someone in HR. That’s how I have always handled them or seen them handled. I also ask them that they submit a help desk ticket that is then forwarded to their supervisor for approval.

No approval = no soup for you!

17 Spice ups

The person who is in charge of the data (not IT, but department head etc.) must OK any changes.

8 Spice ups

That’s how we handle that as well.

  1. Receive email asking for access

  2. Forward to Help Desk because they’re trying to go around the system

  3. CC their supervisor (or head of that folder/group) and ask said supervisor to approve

  4. If approved: allow access, close ticket, continue on with my day.
    If denied: close ticket, continue on with my day.

7 Spice ups

My current organization is small enough that I generally know who needs access to what, even more than the users themselves :)

However, in one of my former jobs, we had a “folder owner” designated for each of our shares, and all requests for access had to be approved (via writing or email) by the owner. As an example, an HR share was owned by the HR Director’s executive assistant, so she knew who should and shouldn’t have access to the contents.

2 Spice ups

Most of our permission requests come by mail and I’m forwarding them to the person responsible for the network share to approve it.
I always wanted some kind of workflow system but didn’t have the time to find a solution.

We have identified the “owner” and backup (identified by the owner) for each network resource (drive, folder, etc.). The users must fill out a form requesting access, the form gets signed off on by the user’s manager/supervisor. We then get approval from the resource owner or the backup owner. All of this gets put into a helpdesk ticket.

Get rid of the list of all groups on the form. A power-hungry manager could look at the list and slowly determine what the groups mean. The next thing you know you’re blindsided by approval to have that person added to every group because they had enough time to figure out an argument as to why they need to be a member of said groups.

2 Spice ups

Supervisors (i.e., managers in charge of the section data in question) must provide written (email etc.) request and/or approval for users to have ANY change in data access. Any request that cannot/will not get written approval is denied. This method has worked very well for us. We have little to no issues with data access with this process.

We’re not big, so our process is typically, “Does it make sense?”

1 Spice up

Stephan: You’re too nice. When I get e-mails that should go through helpdesk, I reply “Send all requests for IT assistance to helpdesk@…” and then delete their email.

5 Spice ups

Like with anything else, I require an email request to be sent to myself and to that person’s immediate supervisor. Then their supervisor says yes or no and I do my thing. Don’t see a need for forms or anything else when an email trail is so much easier.

3 Spice ups

We play pass the ticket because the paper trail keeps our security auditors happy. The managers/directors/VPs/etc. don’t like it, but they haven’t managed to get the Security Department to change policy, so we follow the written policy.

  1. User makes a request, ticket assigned to IT.
  2. IT reviews request. If it was a mistake (user should have access, but is in wrong or no role group) IT corrects the issue. If not, we find the person(s) who are the owners of the resource, pass the ticket to them for approval.
  3. Owner of the resource adds their approval to the ticket, assigns back to IT.
  4. IT takes appropriate action from there.

Quarterly audits by outside auditors are a pain, but they are a great way to make sure the documented procedures are followed.

2 Spice ups

If we are talking about simple permissions to access a folder or whatever, we tell them, that’s nice, but your boss has to submit a ticket saying that he approves of the change in permissions.

Account creation/deletion: HR informs us of the change and we process the ticket.

Changing membership to e-mail distribution groups is done through our customer’s central IT department.

Email from their manager to me stating please add xyz to group/folder abc. That gets filed away for future reference :)

We have a list of “owners” of the folders (usually senior managers). Any permissions request must be authorised via them in writing somehow, that is then kept with the helpdesk ticket forever…

I go one step further and make my form an email form, and when I get the reply back, I keep it in a folder for all eternity. Also I email the user saying no if it’s denied. I had a few users ask me why. I tell them to talk to the folder owner; they were the one that denied it.

1 Spice up

I basically do the same thing, supervisor approval. It’s not IT’s responsibility to create access policies, it’s our responsibility to handle requests and to secure the data.

3 Spice ups