Comments below...
-----Original Message-----
From: Action Request System discussion list(ARSList)
To: [email protected]
Sent: 5/14/2006 6:16 PM
Subject: Re: ARS v7 and non-Unique user logins
Axton,
This feature was not intended for "integrations". Rather our
vision is to set up some captive environments for users to do specific
tasks. Tasks like: "I forgot my password, how do I reset it?" (among
others)
-----Comments------------------
This sounds like the creation of a serious security 'hole' and I'm glad that BMC decided to 'sew it up'. The purpose of a help desk is to track, indirectly, all user issues. Users can and do forget their passwords, and this can be handled by external programs and processing.
However, your process introduces a security nightmare in the form of user password compromises, which do happen. If you have users that know they have two logins, and if they compromise their password, either deliberately or not, and they can clean up the situation without going to anyone else, this in my humble opinion is definitely NOT a way to do business. Why? It is said that between 80 and 90 percent of the unauthorized release of company information is by insiders. Let's say you have a disgruntled person who works in personnel. This person knows that another person in the company, whom they hold in high regard, was passed over for a promotion. They meet, and the person who was passed over was given a different reason for their failure to get promoted (this definitely is a management issue) and wants proof. Well, your personnel person gives their login credentials to the person. When the 'passed over' person is done, the regular personnel person states, "I forgot my password, I guess I better reset it" and goes through the password reset process. There are other scenarios, but you get the picture.
Also, this does close the loophole of "One User, One Login" as stated in the license agreement (this is a paraphrase, but that is the wording in one phrase.)
James McKenzie