One of the Nordic banks had decentralised security admin. The main person for giving access to the abc data was a manager in the abc group. For annual userid/access validation the abc manager had to review the access lists, and report back. That way every manager suffered a little, rather than a central security admin trying to do >all< the validation - when they didn't know the people in the abc areas etc.
On Sun, 6 Aug 2023 at 21:27, Bob Bridges <robhbrid...@gmail.com> wrote:

> Volvo Data has (or had when I worked for them) a policy world-wide: Any
> department with more than <n> employees must have someone there scoped to
> change a password for her group. That way there was no problem with
> identity authentication. Instead of calling the help desk and having them
> prove my identity because I could quote my SSN, or some such nonsense, I
> could just walk up to Anna and say "hey, I messed up my password; could
> you...?".
>
> I've been convinced ever since that decentralized security is safest. As
> a central sec admin, I would help train those folks, and I would monitor
> their actions to be sure they were acting right, and help them when they
> had questions, but that took up less time than trying to do everything
> myself.
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* All the hurt and disappointment of the years - hers and mine - seemed
> to be the only thing that was ever true about our marriage. -John Eldredge
> in "Wild at Heart", describing a temporary perception */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf
> Of Wayne Bickerdike
> Sent: Saturday, August 5, 2023 23:37
>
> At Australian Defence we heavily used GROUP SPECIAL. That relieved
> sysprogs from daily BAU tasks such as password resets or resume for IDs
> where people were inactive due to vacations or active service.
>
> Other shops I've worked at had a dumbed down RACF administrative function.
> That often proved to be a bottleneck for new hires getting the profiles
> right for their workload, that's why role based models work well if they
> are designed correctly for incumbents.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN