Guerrilla IT, Embracing the Superuser?

snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"

End users

[dredwerker (757816)]

You can't let the end user have any power. Just ask the BOFH ;)

Re:End users

[K. S. Kyosuke (729550)]

Including electric power, of course.

Re:End users

[smitty_one_each (243267)]

I will knit an array of sweaters and overcome your fascism with static electricity!

So, I get two salaries, right?

[TheWoozle (984500)]

Great...now I get to do IT's job for them. In addition to my own work. So, I'll get paid for all the extra time I put in working on an IT project, right? Remind me why we even have an IT dept. again?

Re:So, I get two salaries, right?

[garcia (6573)]

Remind me why we even have an IT dept. again?

Depends on the company but generally because they were told to have one, not because the department itself operates well. Honestly, while I could fully be a "rogue superuser" I prefer to let them do most of their work because I just don't get paid to do what they get paid to do.

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work backup for minutes, hours or days.

Re:So, I get two salaries, right?

[gEvil (beta) (945888)]

Exactly. I'll generally deal with my own machine (up to a point) and will take full responsibility for any issues that might arise due to my actions. That said, if I encounter a problem, I'll do what I can to take care of it within the rights limits of what IT has given me. When I go beyond that I know that I'm on my own and can't particularly expect IT to fix it if I screw something up.

Re:So, I get two salaries, right?

[SatanicPuppy (611928)]

I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.

But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.

Re:So, I get two salaries, right?

[plague3106 (71849)]

Well your caveat only works to a point. How long would your department let him spin his wheels while work is not getting done? Who then gets blamed for the downtime? The power user or IT?

Re:So, I get two salaries, right?

[SatanicPuppy (611928)]

Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.

I'm in favor of allowing the leeway, but its a two way street. When someone like that screws their machine, it's usually not pretty, and it's not the sort of thing that can be easily fixed. I'm happy to restore an old image if you asked me to make one. I'm happy to recover files if it's possible.

But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing. I always make this stuff clear when a manager requests these sorts of permissions for one of their people. We support the standard configuration, once you deviate from that, all bets are off.

Where do you work?

[khasim (1285)]

Well, they broke the machine didn't they?

Yeah. And?

Are you seriously saying that the company you work for would support you NOT helping an employee recover his system just because he broke it himself?

But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing.

No, seriously, the company supports that position for you?

I always make this stuff clear when a manager requests these sorts of permissions for one of their people.

Again,

Re:Where do you work?

[SatanicPuppy (611928)]

You're being a jackass, but I'll respond anyway.

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.

I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.

Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.

We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a weeks worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.

If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.

The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.

Re:

[paeanblack (191171)]

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.

That's true today, but don't expect the status quo to last. This is no different from when people started bringing PCs into the office 25 years ago. Corporate IT said, "no way...use the mainframes", and the users brought PCs a

Re:

[_ph1ux_ (216706)]

Agreed,

I allow users to be a local admin or power user on their machine for two reasons:

Important for me:

1. We are STRICT about A/V and system updates.

Important for them:
2. Users often times (when given a laptop) start to use the laptop as their primary machine. They will use it to do their taxes, do all their online shopping/browsing/webmail etc. and use it for entertainment etc... It consumes too much of my departments time dealing with little complaints about apps like IM FTP webex etc...

The user should

Re:

[phpmysqldev (1224624)]

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work backup for minutes, hours or days.

Agreed, it has been my personal experience that tier-1 help desk people are usually of the college intern type. While they may be knowledgeable overall it takes too much time to get things done. Why put in a support ticket, or proposal for a new software package when I can do my own fixes, write my own apps, or use a FOSS to get things done quicker and more efficiently.

This is far different from giving me admin status over the network. I think it also boils down to tow different kinds of people, some

Re:So, I get two salaries, right?

[Xzzy (111297)]

We did this at my employer, one of the departments decided they wanted to maintain their own desktops as a group. As no self-respecting admin actually enjoys taking care of desktops, we let them do it.

It wasn't a total break, they're still subject to the site's security policies and their home directories still mount from an nfs server we maintain, but no one in our group has had to install a machine or fix a dead hard drive in 5 years. They understand their needs far better than I ever could, so it really was a win-win situation.

It's worked surprisingly well, the admins are all volunteers from within the group, and they even maintain a batch system that all the workstations use for running jobs.

If any company has a group of people willing to take on that kind of responsibility, I'd say it deserves serious consideration.

Re:So, I get two salaries, right?

[pla (258480)]

Remind me why we even have an IT dept. again?

Because for every one of you, we have a hundred people who can barely manage to get around in MS Office, and most dangerous of all, three or four people who think they know computers (yet strangely manage to cause more restore-from-backup sessions that all other users combined).

That said, if I didn't work in IT, I sure as hell wouldn't do the same work unrelated to my job description. Dealing with helpless coworkers without having it go into my pay or performance reviews? Not bloody likely!

Re:

[huckda (398277)]

[i]says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." [/i]

Actually in short...the reason is because IT are often understaffed, are required to follow ridiculous internal legislation, and many times are under-funded, and required to maintain a certain level of security...the latter of which is often BREACHED by these so-called power-users...which are nothing more than people wanting control

Re:

[_ph1ux_ (216706)]

Yes this is the main problem with the concept of "embracing super users"

At several companies people outside IT have floated the idea that there should be a departmental super user who people within the department can go to with issues. The idea being that a highly technical member of their department would understand their specific departmental tasks/duties/needs and be able to support them on "little or common" it requests.

The reality is that this effectively makes that person a member of IT - and the sad

Re:So, I get two salaries, right?

[Ced_Ex (789138)]

Well, this rogue moron has to install stuff on his own, because our IT support department treats the development teams as if we don't know what we're doing, and applies the same policies for business users to us.

How can I be expected to do my work, if I can't even install an IDE, because it doesn't fit the standard image they have?

Anyway, it's more a problem in the structure I have here than anything else. I just wanted to state the point of view from a rogue moron.

Superusers?

[wild_quinine (998562)]

Yes, they're end users. But they don't sound like customers. They sound like employees.

In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.

I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.

Re:Superusers?

[diamondsw (685967)]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

My mother's laptop takes over 5 minutes to boot because of all of the scripts and login items the company forces her to run. This is not an uncommon occurrence because the various shit also prevents it from waking from sleep about 50% of the time. It's so locked down she can't install anything - not even a driver so she can plug in her company-supplied Sprint EVDO card for remote access. Nope, she has to drive into the office (about an hour away) just so they can pop in the card. Need to change an IP setting for the home wifi network? No-can-do (truly, the firewall and VPN cannot be trusted against the awesome power of the home LAN...). Maybe use something secure like Firefox instead of IE 5.5 (yes, 5.5!). Nope, can't install it. Use a USB memory stick to copy a file? Nope.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Re:Superusers?

[wild_quinine (998562)]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

I knew someone would come back with a smart comment like this, but I'm not yet jaded enough to include disclaimers in my posts. For your benefit: the wifi router in use was very poorly designed, using some horrific bridging tricks. Shutting down three buildings was actually an automatic fallback, to protect our larger network.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Now this is exactly what those chimps with their cheeky tricks believe. But in any decent organisation, of which I'm fortunately part, the people at the top really do care about supporting users, to our own convenience. It's our job, so we get it done. And nothing gives us greater satisfaction that a system that runs for the benefit of its users.

The job is supporting users, and that's what we do.

And that just precisely means making decisions about what can and what cannot safely be allowed in certain circumstances, and the sheer size of the operation means not being able to turn on a dime if somebody wants a completely different config. That's the way it is. We're not being unhelpful, we're making sure you don't butcher things for every other person in the zone by being a smartass.

Re:

[Aqualung812 (959532)]

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Actually, both are to be supporting the company. IT does not answer to the end user, they answer to the shareholders, the CEO, board, and the regulators. Supporting the end users only applies if it will support the company to do so.

BTW, if end users can be trusted with admin rights, then why do botnets mainly exist on home user's computers? Those same home use

Re:Superusers?

[element-o.p. (939033)]

Spoken like someone who's never worked in IT :rolleyes:

Yes, there are companies where the IT personnel are on a power trip, but IME, that's the exception rather than the rule. Most of the time, IT's policies are put in place for a reason. We don't want to make your life any more difficult than it needs to be. But when some "superuser" with a super-ego decides to circumvent IT policies by taking data home on a thumb drive, and then loses the drive or posts the data on-line for some reason, we get a mandate to keep it from happening again. When a user connects the company laptop directly up to their DSL or cable modem at home, contracts a new virus that evades the A/V software's detection rules and infects the network, then we take steps to prevent users from connecting to any network we don't control. And when we find our users installing games and P2P software, then we take away the ability to install anything on company laptops unless you can show that you have a bona fide need to do so.

You gripe that "Enterprise IT policies are almost always to make IT's life easier at the expense of the end user." Yeah, maybe. Sometimes it's true. But how long would it take you to change your tune if *you* were they guy getting called out on the carpet because a virus took your network down for two days? How many times would you let a user install rogue DHCP servers on your network before you decided to configure your switches to only allow certain MAC addresses to use given ports? How many times would you give out administrative access to anyone who asked for it, if your users kept breaking their computers because they didn't understand what they were doing?

Quote: If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

Are you serious? Your entire post is criticizing IT for doing exactly that! Yeah, we can lock down a network so that no one can break it, but to do so, it would be locked down so much as to be entirely inflexible. Your example of your mother's laptop is what happens when an IT department doesn't trust it's users, and therefore tries to build a network so that it can't be broken.

Quote: Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

If that's all that our users were trying to do, you'd find the network wasn't nearly so restrictive. However, I've seen field techs delete all of the company-provided software so that they could install Quake 3 (no, I'm not kidding...). I've seen users copy warez on the file server. And consequently, I've seen network administrators take away admin rights and block ports on the corporate firewall. The problem is that *most* users play be the rules, but the ones that don't get the IT staff in trouble with management. Therefore, we lock things down so it can't happen again.

There *has* to be order in any society or it becomes unstable and falls apart. In the corporate enterprise network, IT is responsible for creating and maintaining that order, and therefore, IT implements the policies that are necessary to keep the IT infrastructure operating smoothly. Not everyone likes those policies, but believe me, you'd like it a lot less if they weren't there.

I gotta agree.

[khasim (1285)]

Just because someone can plug a device into a data jack does NOT mean they're a "SuperUser".

Yeah, that might work at HOME. But in the OFFICE someone (me) has to be responsible for security of our data. That includes YOUR social security number in HR's database.

If you do not like the "restrictions" you are working under, then explain to YOUR boss how much more money you'll make for the company if you get X. And your boss will talk to my boss and I will explain how much it will take to implement X (money, tim

Re:Superusers?

[everphilski (877346)]

Yes, they're end users. But they don't sound like customers. They sound like employees.
In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network,
resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.



My IT department is fine - I don't see them but once or twice a year and my computer works well enough. But a similar problem to the one you described occurred at the college I'm working on my PhD at. (I heard this story second hand, might be an error or two, but I trust the source) The engineering department wanted WiFi in the building in order to hook up the conference rooms and let students use wireless in the classroom. Seems simple enough, especially in this day and age. A formal request was made. And rejected by IT. Random bitching and moaning. So after a few months of inaction, the engineering department installed a few routers themselves, under the radar.

See, the problem is when IT gets in the way of business. IT is a service, not an administration. So when it starts acting like one, with bureaucracy, with stupid shit to get stuff done (a friend of mine, engineer in another company, had to wait three weeks (!!!) to get an approved, paid for compiler he needed installed on his laptop???) then yes, we go under the radar to get work done, which might I remind you is why we get paid. Apologies in advance if we ever cross paths.

Re:

[element-o.p. (939033)]

If I had a dollar for every person that called me because some "superuser" installed a test piece of equipment on my network (against company policy, incidentally) and screwed something up, I'd quit right now and retire in the Caymans.

I've seen rogue DHCP servers assign duplicate IP addresses on our network, I've seen rogue DHCP servers assign IP addresses from a different network on our LAN, and I've seen (multiple times, from the same "power user") two ports on a DSLAM plugged into

Funny...

[Belial6 (794905)]

Bad attitudes like yours always crack me up. Why? Because, with the exception of the mainframe administrators, it is exactly the kind of user you are complaining about that CRATED YOUR JOB. No, I don't mean users. I mean those Arse-scratching chimps that think they are superusers. The PC in the work place is a direct result of people trying to get computing power under the radar of the mainframe administrators. So, if people had followed your advice 30 years ago, you wouldn't have a job.

Re:

[michrech (468134)]

Where I work, we have an automated scanner process that scans the ports looking for known access points. When found, the port is automatically disabled (keeping the rest of the network functioning). When we discover a wireless network on campus that didn't get detected, we start doing remote probes to identify it, add it to the config for our automated scanner, and go from there.

As to what's being used, specifically, I couldn't tell you. I just know I've seen the trouble tickets when they pop up. I'm in

Re:Superusers?

[hazem (472289)]

Sometimes rogue is the only way to go, especially when the IT organization is huge, monolithic, and anything but "IT at the speed of business".

In our situation it was also a reporting issue. Basically we (I) were tasked with doubling the number of countries we reported for. The process in place already required 2 full weeks of work (often with lots of unpaid overtime). The work couldn't start until the end of the month and had to be done by the 15th. Adding new people would have been stupid and it wasn't an option anyway. We were put in a position that if we "followed the rules" we'd either end up working 20 hour days for 2 weeks, or we'd simply fail to get our work done.

Our corporate IT group was willing to consider a more automated database solution... but after 4 months of meetings they wanted millions of dollars and said it would take more than two years to complete. This was a non-solution.

We then, with the help and advice of another "rogue" developer in the company, went to an external local company who built a very nice solution for $25k. Not only were we able to handle the doubled reporting workload, the actual workload itself went from 2 whole weeks each month to just a few hours a month. We did another round of development, spent another $25k, and folded in two other very time-consuming and error-prone processes into the tool (they only happen 3 times a year).

A few months ago I ran into the IT director that helped propose the multi-million solution and he asked how we were doing. I told him we got a great solution and he asked me to schedule a meeting to show him what we came up with. When the meeting was over, he basically picked his jaw up off the floor and expressed how amazed he was at by the tool and how disappointed he was that the IT organization in our company (a Fortune 500 BTW) couldn't accomplish anything even close to it.

To be fair, our IT organization is very good at huge capital improvement projects that take years to complete. Unfortunately they have no capability to support more tactical solutions that help keep the business going until the big project is going. They are unable to grasp the idea that sometimes you need to make temporary bandaid solutions that will be discarded when "big project xyz" is done. "It's just a waste of money and resources" is their usual response - but they seem to have no concept that the business is hampered and profits are not earned because the lack of any tool, even a temporary one, inhibits the business. You don't need to buy a car to get from the airport to work - sometimes it's okay to spend money on a taxi. IT wants to tell us we can't take the taxi because they're building a car for us - we just have to wait at the airport for 2 years or walk.

But as you suggested, we had buy in from our own director (who was able to shake loose the money for the rogue development) and ultimately, the VP in our "chain of command" is pleased - the quality of our reports has improved dramatically (because we eliminated so much manual work) and we're able to support the additional countries, along with even more detailed/graphical reports.

There are some in the IT group that don't like what we're doing. But my response to them is always, "Let me know when you can provide us a reporting system that does this, this, this, and this and we'll be glad to switch to it". "Oh, well, we can't do that, that, and that..." and they then leave us alone.

Don't agree

[nine-times (778537)]

"It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening."

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.

Re:

[Beyond_GoodandEvil (769135)]

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.
Perhaps, and sometimes like many things in li

Please tell me

[croddy (659025)]

Please tell me people don't really talk like that. "Grew the solution"? "Drive business value"? These people need to get a hold on themselves and listen to the feces streaming out of their mouths.

yeah right.

[apodyopsis (1048476)]

hahaha, let the users have admin rights?

does the author have **any** experience of the commercial environment?

Re:yeah right.

[boris111 (837756)]

It's certainly not perfect, but my gigantic fortune 500 company does this and everything seems to be just fine. This combined with the fact that the PC support people are braindead.

The admin & support issues are a nightmare

[PIPBoy3000 (619296)]

We've actually moved away from this, fairly strongly. We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues. While it's possible to create little sandbox areas for them, it's an administrative hassle, and it's always hard to be positive their applications can't cross security lines or impact another application's performance. Then there's the support issues - who fixes their business critical application when they've left or are on vacation? It's like the days when people would make Microsoft Access applications for everything, and then it would be dumped in our lap.

Our reponse has been to staff up to meet customer demand and spent a lot of time bringing other IT folks up to speed on web development. It's worked out fairly well, and the number of times I've been called in to fix a Microsoft Access report or the like has dropped dramatically.

IT parallels the free software movement

[Qwerpafw (315600)]

If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it. You, as the unempowered user, receive prebuilt restrictions, prebuilt computers, prebuilt binaries. You can't tinker, you can't fix, and you aren't even supposed to poke around.

The problems of restriction in DRM, restriction in EULA, restriction by not providing source code, restriction in IT are all the same. Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid." When users can't even diagnose on their own, and are forced to run to IT for the most minor software install, the bureaucracy justifies itself. IT is necessary because it's been made necessary. Dumb down the users and they need someone to hold their hand. But create a community of educated and empowered individuals and people will share information.

In a community of empowered users people don't just share solutions, they create solutions.

Re:IT parallels the free software movement

[Spad (470073)]

And while you're creating this community, your network is busily being infested with malware, unlicensed software and pirated music.

As much as we love to believe that everyone would be an ideal user with just a little education, most people simply do not care about computers outside of the fact that they have to use them for checking their emails and inputting data into "Application X". I admit that I work in the NHS, so there's an abnormally high percentage of IT illiterate users, but I see very few users with an actual interest in learning.

Re:IT parallels the free software movement

[Chanc_Gorkon (94133)]

It's like antivirus programs. I have no problems with having it installed on my computer, but I DO have a problem with it kicking off in the middle of the danged day when I am trying to work. The problem with some of the power tripping IT staff (hey I am in IT) is that they don't think....what time of day should these run?? They accept all defasults.....and that sucks.

To a degree...

[SatanicPuppy (611928)]

"Put them to work?" I'm not about putting the beatdown on non-it tech guys, but I'm also not about giving them free reign. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.

Oh, and wireless? I don't think so. Messing with network infrastucture is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.

In my experience, the biggest problem is that the non-it power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.

Great idea...

[spywhere (824072)]

Then, the proles can install Kazaa and LimeWire... and put the shares on the corporate servers.


Yes, I've seen that done.

Been on both sides

[gEvil (beta) (945888)]

I've been on both ends of the IT/user divide. I've administered networks of several hundred machines and am well aware of what some people will try to do with them. In my current position, however, I'm just a regular user. So when people in the department start talking about doing something that IT wouldn't approve of, I can usually explain to them in their terms why it wouldn't be such a good idea. OTOH, there have also been times where I've been called in by my boss to take care of a situation that IT hasn't been able to resolve, but that I've figured out because I face the problem daily. In those instances, I don't mind making a quick lap around the department and tweaking the machines a bit, because I know that it's exactly what IT would be doing anyways if they could be bothered to figure it out. And before someone says anything, I've contacted IT before to explain the problem and the fix. It's just that it's usually such an esoteric issue that they can't even begin to get their heads around it (e.g., font caching issues involving using certain programs in a certain sequence).

Re:Been on both sides

[SatanicPuppy (611928)]

That's one thing I see a lot; a lack of communication between the users and IT. They need something, something that we could provide if we knew they needed it, but we don't spend any time up there, and they don't know enough to ask for it.

I've tried things like getting IT people invited to departmental meetings, cross-training the new guys in other departments...Whole lotta nothin has come out of that.

I think in the long run it's jsut going to require that the average user becomes tech savvy enough to know what to ask for, or we start hiring guys whose official role is like "embedded IT"; they work in other departments, but they report to IT.

Bypassing network lockdowns

[truthsearch (249536)]

My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.

One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.

The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.

Maybe, maybe not

[Angst Badger (8636)]

It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not place nice with air traffic control or nuclear plants. ;)

On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.

But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.

Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.

Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.

I'm that guy who used to screw around...

[Overzeetop (214511)]

...and even I think this is a BAD idea. You want to mess with your own PC, okay - there's some merit there for some people. Mess with the network - hell no. There are too many things that need to get done, and the ability for one person - even an otherwise knowledgeable person - outside of IT to screw things up is just too much of an unknown.

I'm not usually one to chime in on the side of IT, as they often throw out the baby with the bath water, but letting people who's primary function is something other than keeping the network up mess with the network is just a massively bad idea. Screw up a workstation and one guy is dead for a day. Screw up the network and the whole company can go toes up.

Re:I'm that guy who used to screw around...

[Kazoo the Clown (644526)]

I've been a developer since the days that 8" floppies were the network. Currently I'm working on performance improvements for a data warehouse product. Our in-house network is running at 100M, but our customers usually use the product on 1G in order to get acceptable ETL performance. The two test servers were next to each other in the same room. I put in an IT request to set up a 1G connection between the two machines. The response I got was "our network is 100M, can't do it." After repeatedly explaining them how it could be relatively easily done without upgrading the whole building to 1G, and getting the same response, out of frustration I finally went to my boss and said, "here's an $80 switch we could buy that could get it done." We ordered the switch and are now happily operating a collection of machines in that room on 1G to each other. Our IT department is clueless about developer needs-- they assume all employees are only using CRM and office apps. Seems to me the solution ought to be a separate isolated network for the developers that they can hack on to their heart's content, but I suspect few IT departments have the savvy to figure that one out (ours certainly doesn't).

I suspect that most of the developers here have found it necessary to work around our IT department in one way or another. All of us have admin rights on our desktops which is an absolute must for us-- I'm doing things like shutting down and starting up services all the time, installing and uninstalling software, creating users, tweaking settings. I'd be down waiting for IT actions constantly if I had to do all that through them, and I'd bet much of the time they wouldn't understand what I was asking for and couldn't figure out how to get it done anyway.

As a confessed Super-User

[fionnghal (306289)]

I can relate to this issue. My co-workers often come to me to fix their email and various other apps that have been screwed up by an incompetent IT staff. I try, I really do try to get my coworkers to call IT if their is a problem, but sadly, they often don't trust them. I have been accused of all sorts of things by various IT employees and none of it true or even provable if it was. The truth is mine is the only computer they are _not_ regularly fixing (or screwing up) here in my office.

Depending on the context: absolutely spot on

[mce (509)]

First of all, it depends on the context whether this is a good idea or not. In some environments, the IT group is the one and only IT wizard. In others (esp. in companies where IT development and IT research are the core business), the official IT group often is not at all capable of even understanding what the engineers are doing and supposed to do.

I've always worked (nearly 18 years now) in the latter situation. Once upon a time, I was one of those superusers in that I was had an IT degree, but worked in engineering (research, actually) where most of my collegues were non-IT engineers. They were very IT savy at a personal level, but generally missed the wider scope. So far so good. The not so good thing, was that the IT department had no clue whatsoever of what the real business needs in terms of IT were (and neither had the company's management). The consequence was an ever worsening war between IT and IT users, amongst other things resulting in ever more shadow systems. We solved this by establishing a working group that took care ensuring there regular was bidirectional communication between parties (I was one of the founding fathers and later on was the chairman for many years). This worked wonders. (Note: It worked so well, that when I finally left the company, the IT group tried to convince me to stay by proposing that I might join them in quite senior positions.)

Part of the whole concept was to do exactly what TFA says: the real superusers were identified; they earned the trust/respect they deserved; and then gained the appropriate - for our context - access to specific systems. (I personally managed the whole repository of OSS as well as some commercial soft we had installed centrally on UNIX. No, I did not have root, as I designed the complete setup such that I did not need it, but it will also be clear that with that level of access I potentially could access a lot of data and that capturing root would not have been difficult had I wanted. Some superusers can be trusted afterall.) Many succesful applications were developed in the same way: some superuser developed - with the knowledge of IT - a prototype that was taken into production for a larger audience after review by the working group and possibly some clean up by IT.

Actually, all this is nothing new. Strategic alignment between business and IT is a core part of IT governance. So is making sure that IT governance is not a buzzword hidden in a bi-monthly meeting between the CTO and CIO, both of whom generally do not understand the issues, but that it is something that is built into the whole system at all levels. And yes, this includes the superusers (at least the capable ones).

Concluding remark: I've since obtained an MBA. As part of the IT course, I wrote a paper describing the complete history of IT management & governance at my previous employer detailing the above story at length. That paper made a very happy professor, as he considered that I was absolutely spot on. Afterwards he started using me as an in-class assistant for the remainder of his course.

How much privs do 'powerusers' need?

[HockeyPuck (141947)]

Hey powerusers... how much privs do you need? You say you want to install whatever you want on your PC. Which btw you didn't purchase. You say you want to pick our the exact model of server your app runs on, but you don't want to be the one to stock the 97.56GB drives as replacements, nor do you want to carry a duty pager to swap out parts when they break at 2am.

Why stop there? Why not just ask for the admin password on the core routers. I'm sure your expansive knowledge of networking (and installing dd-wrt on your linksys does not make a BGP expert out of you) could provide invaluable when the DWDM gear is malfunctioning. We're upgrading to AIX6 shortly, maybe your vast experience in managing/installing mysql at home will help us optimize a 10TB DB/2 database. Please help us out, since you installed parallels on your mac, you can lend us some of your expertise in VMs when we consolidate two z990s into a z10.

You say you manage a 5TB nfs server at home? Please show us the wisdom of your ways as we try to consolidate 50 EMC DMX arrays so we can save on power and cooling.

When we fuck-up, an entire company and its' customers feel the pain. When you fuck up, you prevent us from doing our job as we clean up your mess.

Users should be given just enough privileges to do their job. This is why you do not have root on your server, you download pre-packaged software from the intranet, you do not have admin on the core routers, physical access to the datacenter and why we don't "tinker." You want to tinker, go work in your garage where you can tell your wife that you built a jumpstart server for the two linux boxes in your home media center and thump your chest. We support hundreds, thousands of users whom would rather spend their days focusing on doing their job.