Volvo Data has (or had when I worked for them) a policy world-wide: Any department with more than <n> employees must have a someone there scoped to change a password for her group. That way there was no problem with identity authentication. Instead of calling the help desk and having them prove my identity because I could quote by SSN, or some such nonsense, I could just walk up to Anna and say "hey, I messed up my password; could you...?".
I've been convinced ever since that decentralized security is safest. As a central sec admin, I would help train those folks, and I would monitor their actions to be sure they were acting right, and help them when they had questions, but that took up less time than trying to do everything myself. --- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* All the hurt and disappointment of the years - hers and mine - seemed to be the only thing that was ever true about our marriage. -John Eldredge in "Wild at Heart", describing a temporary perception */ -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Wayne Bickerdike Sent: Saturday, August 5, 2023 23:37 At Australian Defence we heavily used GROUP SPECIAL. That relieved sysprogs from daily BAU tasks such as password resets or resume for IDs where people were inactive due to vacations or active service. Other shops I've worked at had a dumbed down RACF administrative function. That often proved to be a bottleneck for new hires getting the profiles right for their workload, that's why role based models work well if they are designed correctly for incumbents. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN