keithstric.com::Administrator stubborness >:-(

SnTT: ExcelData Class updateHomeComments Fixed

I'm currently in a battle of egos I think. The Administrators want control of their address book. I can totally understand this as I've been a Lotus Notes/Domino administrator for about the past 9 or 10 years, so I get it. But when it comes to group management the administrators need to swallow their pride a little bit. Here's the situation. Currently only the main office administrators are allowed to create and delete groups and also add/remove members to those groups. I understand that they should be the ones creating/deleting groups in the domino directory. But to add/remove members also? This results in application owners having to call the helpdesk, get a ticket opened and routed to the wrong people to complete the job and then an email sent to the main office to have someone added to a group. But before the person is added to the group investigation needs to happen to make sure that the person requesting that someone be added to a group is authorized to make that request. Between all the pitfalls it could take days to get someone added to a group due to mis-routing tickets and mis-communication, unacceptable!

I proposed creating groups for applications and then allowing the application owner and someone they see fit being the Owner of the application's groups and then they (the owners) can add/remove people from the groups as they see fit. It is after all the application owner's data, not the administrators, that the owner is granting access to. The powers that be don't think that basically any end users should be able to modify anything in the Domino Directory, including groups. I understand this mentality, but in a large organization this starts to get out of hand and requires the hiring of another administrator whose main duty is managing group membership, again, unacceptable and not to mention boring for the new ~~vic~~ ~~guy off the street~~ administrator!

Maybe I'm being overzealous about this issue, maybe I'm not. But I don't think customers should have to wait for someone that don't know anything about their data to grant access to that data. I looked for a best practices document out on the web but couldn't find anything specifically naming group management, maybe someone knows of a good resource for this?

Rant Off...
Keith

Comments Disabled

Comments (4):

Kevin Pettitt

Re: Administrator stubborness >:-(
On: August 16, 2007 02:02 PM

Keith, you're not being overzealous in pursuing this issue, but perhaps I can suggest a compromise which may asuage any concerns your colleagues may harbor regarding auditability of such changes.

In a previous client with a six-figure-sized user base, group changes were accomplished via a separate "request" database which was tied directly into the Domino Directory. I don't recall exactly, but my guess is that the directory had Default = Rader, but the "Owners" field on the group docs was still correctly populated as you would like. Owners would submit requests to add or remove members of a group, and the request doc would then become a record of who changed what when. A background agent would then take care of the actual change.

Advantages of this:

-As mentioned, auditability
-Eliminates the headache of ensuring owners update the correct Domino Directory replica - especially important in large hub-and-spoke deployments

Hope this helps.

...

Let me know when you've either sorted out the problem or discovered that I'm simply hallucinating and I'll retry Emoticon

.

Kevin

Keith Strickland

3	Re: Administrator stubborness >:-( On: August 16, 2007 02:03 PM
Thanks Kevin, I presented this at a meeting this morning and our region seemed to like the idea. They liked it even more because it would be something simple :). I don't know if this will go forward, but it's a least in the works and the powers that be in our region are favorable with it, now it just needs to be sold to the administrators in the main office. Thanks again, Keith

Kevin Pettitt

2	Re: Administrator stubborness >:-( On: August 16, 2007 02:04 PM
Hi Keith, Glad I was able to help move things forward a bit . Cheers, Kevin

Martin Humpolec

Re: Administrator stubborness >:-(
On: August 16, 2007 02:05 PM

Good question :)

I think that I understand the point of adminsitrators, who have fear from
corruption of Domino Directory, doesn't matter that the people aren't able to
corrupt it in any way.

We did for several clients special database which they used for setup groups
controlling access to application and these groups were automatically
synchronized with DD. Administrators were (and probably still are) happy and
business people as well.

Cheers
Martin

Email: Keith Strickland
Facebook: Keith Strickland
Bleed Yellow: Keith Strickland
LDD: Keith Strickland
MSN:
AIM:
Google Talk:
Yahoo!:

Disclaimer

The opinions and ideas posted on keithstric.com are not necessarily the opinions and ideas of my employer. The solutions, techniques and code provided here are not guaranteed or warranted in any way and are free for you to use at your own risk.