Yes, that's the way I did it too when it was my baby. It's generally accepted that the abc manager is the right person to decide who gets access to the abc datasets (because how would ~I~ know?). But I also let him designate someone in his area whom I scoped and trained to change the access rules himself. Again, I monitored such scoped civilians, and helped them with questions. But as far as reliability goes, it seems to me that people who are inclined to misbehave will do so with other people's resources rather than their own.

(Getting a "local" person scoped to do resource administration is an easy sell: "Joe, how would you like being able to change the access rules when ~you~ want them changed, instead of when I can get around to doing it myself?")

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Crow is unjustly despised as a delicacy, but I've learned that those who walk the way of the Lord can find it delicious. As a child I thought it embarrassing to apologize; as an adult I learned it is a positive pleasure to apologize forthrightly for a real sin without making excuses or shuffling blame. -from the CSL forum, 2005-12-14 */

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Colin Paice
Sent: Monday, August 7, 2023 03:19

One of the Nordic banks had decentralised security admin. The main person for giving access to the abc data was a manager in the abc group. For annual userid/access validation the abc manager had to review the access lists, and report back. That way every manager suffered a little, rather than a central security admin trying to do >all< the validation - when they didn't know the people in the abc areas etc.

--- On Sun, 6 Aug 2023 at 21:27, Bob Bridges <robhbrid...@gmail.com> wrote:

> Volvo Data has (or had when I worked for them) a policy world-wide:
> Any department with more than <n> employees must have someone there
> scoped to change a password for her group. That way there was no
> problem with identity authentication. Instead of calling the help
> desk and having them prove my identity because I could quote my SSN,
> or some such nonsense, I could just walk up to Anna and say "hey, I
> messed up my password; could you...?".
>
> I've been convinced ever since that decentralized security is safest.
> As a central sec admin, I would help train those folks, and I would
> monitor their actions to be sure they were acting right, and help them
> when they had questions, but that took up less time than trying to do
> everything myself.