Guerrilla IT, Embracing the Superuser?

snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"

Superusers?

[wild_quinine]

Yes, they're end users. But they don't sound like customers. They sound like employees.

In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.

I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.

Re:Superusers?

[diamondsw]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

My mother's laptop takes over 5 minutes to boot because of all of the scripts and login items the company forces her to run. This is not an uncommon occurrence because the various shit also prevents it from waking from sleep about 50% of the time. It's so locked down she can't install anything - not even a driver so she can plug in her company-supplied Sprint EVDO card for remote access. Nope, she has to drive into the office (about an hour away) just so they can pop in the card. Need to change an IP setting for the home wifi network? No-can-do (truly, the firewall and VPN cannot be trusted against the awesome power of the home LAN...). Maybe use something secure like Firefox instead of IE 5.5 (yes, 5.5!). Nope, can't install it. Use a USB memory stick to copy a file? Nope.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Re:Superusers?

[techpawn]

Those types are like the annoying dicks in class who distract the instructors with unrelated questions just to show the rest of the class how smart they are.

I'm not doing it to show the class how SMART I am; I'm doing it to show the instructor where I'm LACKING. If we're covering a section that I already understand and I can tell we're near the end but I have a question about the topic that isn't high level, ones that's more specific to my real world problems that forced me to go to a class, how does that make me a dick for asking. If I'm in a class I'm there to get the most of the instructor as I can. The books can be found online for cheap, their experience in real world problems can not.

Re:Superusers?

[wild_quinine]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. I knew someone would come back with a smart comment like this, but I'm not yet jaded enough to include disclaimers in my posts. For your benefit: the wifi router in use was very poorly designed, using some horrific bridging tricks. Shutting down three buildings was actually an automatic fallback, to protect our larger network.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom? Now this is exactly what those chimps with their cheeky tricks believe. But in any decent organisation, of which I'm fortunately part, the people at the top really do care about supporting users, to our own convenience. It's our job, so we get it done. And nothing gives us greater satisfaction that a system that runs for the benefit of its users.

The job is supporting users, and that's what we do.

And that just precisely means making decisions about what can and what cannot safely be allowed in certain circumstances, and the sheer size of the operation means not being able to turn on a dime if somebody wants a completely different config. That's the way it is. We're not being unhelpful, we're making sure you don't butcher things for every other person in the zone by being a smartass.

Re:Superusers?

[everphilski]

Yes, they're end users. But they don't sound like customers. They sound like employees.
In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network,
resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.



My IT department is fine - I don't see them but once or twice a year and my computer works well enough. But a similar problem to the one you described occurred at the college I'm working on my PhD at. (I heard this story second hand, might be an error or two, but I trust the source) The engineering department wanted WiFi in the building in order to hook up the conference rooms and let students use wireless in the classroom. Seems simple enough, especially in this day and age. A formal request was made. And rejected by IT. Random bitching and moaning. So after a few months of inaction, the engineering department installed a few routers themselves, under the radar.

See, the problem is when IT gets in the way of business. IT is a service, not an administration. So when it starts acting like one, with bureaucracy, with stupid shit to get stuff done (a friend of mine, engineer in another company, had to wait three weeks (!!!) to get an approved, paid for compiler he needed installed on his laptop???) then yes, we go under the radar to get work done, which might I remind you is why we get paid. Apologies in advance if we ever cross paths.

Re:Superusers?

[element-o.p.]

If I had a dollar for every person that called me because some "superuser" installed a test piece of equipment on my network (against company policy, incidentally) and screwed something up, I'd quit right now and retire in the Caymans.

I've seen rogue DHCP servers assign duplicate IP addresses on our network, I've seen rogue DHCP servers assign IP addresses from a different network on our LAN, and I've seen (multiple times, from the same "power user") two ports on a DSLAM plugged into my production network cause a broadcast storm. After the first time, we turned on Spanning Tree; the second time, it only took down the equipment connected to his SOHO switch.

The parent post is right -- just because you can connect your two Windows computers at home up to a WiFi network doesn't mean you are qualified to be a network administrator in an Enterprise network. If you'd rather be an IT system administrator, then take the steps to become one; don't try to subvert your corporate IT department just because you think you can do it better.

Re:Superusers?

[Aqualung812]

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Actually, both are to be supporting the company. IT does not answer to the end user, they answer to the shareholders, the CEO, board, and the regulators. Supporting the end users only applies if it will support the company to do so.

BTW, if end users can be trusted with admin rights, then why do botnets mainly exist on home user's computers? Those same home users will allow their work computer to be infected if mean old IT would let them.

Re:Superusers?

[element-o.p.]

Spoken like someone who's never worked in IT :rolleyes:

Yes, there are companies where the IT personnel are on a power trip, but IME, that's the exception rather than the rule. Most of the time, IT's policies are put in place for a reason. We don't want to make your life any more difficult than it needs to be. But when some "superuser" with a super-ego decides to circumvent IT policies by taking data home on a thumb drive, and then loses the drive or posts the data on-line for some reason, we get a mandate to keep it from happening again. When a user connects the company laptop directly up to their DSL or cable modem at home, contracts a new virus that evades the A/V software's detection rules and infects the network, then we take steps to prevent users from connecting to any network we don't control. And when we find our users installing games and P2P software, then we take away the ability to install anything on company laptops unless you can show that you have a bona fide need to do so.

You gripe that "Enterprise IT policies are almost always to make IT's life easier at the expense of the end user." Yeah, maybe. Sometimes it's true. But how long would it take you to change your tune if *you* were they guy getting called out on the carpet because a virus took your network down for two days? How many times would you let a user install rogue DHCP servers on your network before you decided to configure your switches to only allow certain MAC addresses to use given ports? How many times would you give out administrative access to anyone who asked for it, if your users kept breaking their computers because they didn't understand what they were doing?

Quote: If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

Are you serious? Your entire post is criticizing IT for doing exactly that! Yeah, we can lock down a network so that no one can break it, but to do so, it would be locked down so much as to be entirely inflexible. Your example of your mother's laptop is what happens when an IT department doesn't trust it's users, and therefore tries to build a network so that it can't be broken.

Quote: Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

If that's all that our users were trying to do, you'd find the network wasn't nearly so restrictive. However, I've seen field techs delete all of the company-provided software so that they could install Quake 3 (no, I'm not kidding...). I've seen users copy warez on the file server. And consequently, I've seen network administrators take away admin rights and block ports on the corporate firewall. The problem is that *most* users play be the rules, but the ones that don't get the IT staff in trouble with management. Therefore, we lock things down so it can't happen again.

There *has* to be order in any society or it becomes unstable and falls apart. In the corporate enterprise network, IT is responsible for creating and maintaining that order, and therefore, IT implements the policies that are necessary to keep the IT infrastructure operating smoothly. Not everyone likes those policies, but believe me, you'd like it a lot less if they weren't there.

Re:Superusers?

[morgan_greywolf]

Yes, there are companies where the IT personnel are on a power trip, but IME, that's the exception rather than the rule. Most of the time, IT's policies are put in place for a reason.

As someone who has worked on both sides of this fence, I have to say many IT policies are put in place to make life easier for the admins, not the end-users. And, yes, sometimes there are very good reasons for these policies, but not always.

The problem is that in any company, there are groups that genuinely need solutions that are different somehow from what the rest of the company is doing. Typical IT thinking is that if it doesn't fit in their cookie-cutter one-size-fits-all mentality, then it's not needed. The cookie-cutter model is great for probably 80%-90% of your userbase, and therefore is a success for those 80%-90%.

OTOH, for the other 10-20%, I've seen situations where groups needed a either a COTS app that needed heavy customization and therefore didn't fit the model or a custom app that IT organizations aren't always equipped to develop in-house. So they throw one of their project managers on it, who outsources the IT work to contractors, and then IT steps in and says "Whoa! That doesn't fit into our cookie-cutter model!" cries "skunkworks!" and immediately tries to get the project shut down.

Except, here's the thing: the need for the custom app or customized COTS app commonly generated by a legitimate business need. That's why upper management often approves the skunkworks project without IT's approval and when IT tries to shut it down, things might get ugly as different factions in upper management duke it out.

The bottom line is that IT needs to do what they do, but if they aren't addressing a legitimate business need and the users are going outside to get the legitimate business need met, well they need to step out of their box and act like a solutions provider and not like a bunch of rent-a-cop droids.

Don't agree

[nine-times]

"It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening."

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.

Please tell me

[croddy]

Please tell me people don't really talk like that. "Grew the solution"? "Drive business value"? These people need to get a hold on themselves and listen to the feces streaming out of their mouths.

yeah right.

[apodyopsis]

hahaha, let the users have admin rights?

does the author have **any** experience of the commercial environment?

Re:So, I get two salaries, right?

[garcia]

Remind me why we even have an IT dept. again?

Depends on the company but generally because they were told to have one, not because the department itself operates well. Honestly, while I could fully be a "rogue superuser" I prefer to let them do most of their work because I just don't get paid to do what they get paid to do.

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work backup for minutes, hours or days.

Been on both sides

[gEvil+(beta)]

I've been on both ends of the IT/user divide. I've administered networks of several hundred machines and am well aware of what some people will try to do with them. In my current position, however, I'm just a regular user. So when people in the department start talking about doing something that IT wouldn't approve of, I can usually explain to them in their terms why it wouldn't be such a good idea. OTOH, there have also been times where I've been called in by my boss to take care of a situation that IT hasn't been able to resolve, but that I've figured out because I face the problem daily. In those instances, I don't mind making a quick lap around the department and tweaking the machines a bit, because I know that it's exactly what IT would be doing anyways if they could be bothered to figure it out. And before someone says anything, I've contacted IT before to explain the problem and the fix. It's just that it's usually such an esoteric issue that they can't even begin to get their heads around it (e.g., font caching issues involving using certain programs in a certain sequence).

Bypassing network lockdowns

[truthsearch]

My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.

One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.

The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.

Re:So, I get two salaries, right?

[gEvil+(beta)]

Exactly. I'll generally deal with my own machine (up to a point) and will take full responsibility for any issues that might arise due to my actions. That said, if I encounter a problem, I'll do what I can to take care of it within the rights limits of what IT has given me. When I go beyond that I know that I'm on my own and can't particularly expect IT to fix it if I screw something up.

Re:So, I get two salaries, right?

[SatanicPuppy]

I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.

But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.

Re:IT parallels the free software movement

[Spad]

And while you're creating this community, your network is busily being infested with malware, unlicensed software and pirated music.

As much as we love to believe that everyone would be an ideal user with just a little education, most people simply do not care about computers outside of the fact that they have to use them for checking their emails and inputting data into "Application X". I admit that I work in the NHS, so there's an abnormally high percentage of IT illiterate users, but I see very few users with an actual interest in learning.

Maybe, maybe not

[Angst+Badger]

It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not place nice with air traffic control or nuclear plants. ;)

On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.

But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.

Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.

Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.

Re:So, I get two salaries, right?

[plague3106]

Well your caveat only works to a point. How long would your department let him spin his wheels while work is not getting done? Who then gets blamed for the downtime? The power user or IT?

Re:So, I get two salaries, right?

[Xzzy]

We did this at my employer, one of the departments decided they wanted to maintain their own desktops as a group. As no self-respecting admin actually enjoys taking care of desktops, we let them do it.

It wasn't a total break, they're still subject to the site's security policies and their home directories still mount from an nfs server we maintain, but no one in our group has had to install a machine or fix a dead hard drive in 5 years. They understand their needs far better than I ever could, so it really was a win-win situation.

It's worked surprisingly well, the admins are all volunteers from within the group, and they even maintain a batch system that all the workstations use for running jobs.

If any company has a group of people willing to take on that kind of responsibility, I'd say it deserves serious consideration.

I'm that guy who used to screw around...

[Overzeetop]

...and even I think this is a BAD idea. You want to mess with your own PC, okay - there's some merit there for some people. Mess with the network - hell no. There are too many things that need to get done, and the ability for one person - even an otherwise knowledgeable person - outside of IT to screw things up is just too much of an unknown.

I'm not usually one to chime in on the side of IT, as they often throw out the baby with the bath water, but letting people who's primary function is something other than keeping the network up mess with the network is just a massively bad idea. Screw up a workstation and one guy is dead for a day. Screw up the network and the whole company can go toes up.

As a confessed Super-User

[fionnghal]

I can relate to this issue. My co-workers often come to me to fix their email and various other apps that have been screwed up by an incompetent IT staff. I try, I really do try to get my coworkers to call IT if their is a problem, but sadly, they often don't trust them. I have been accused of all sorts of things by various IT employees and none of it true or even provable if it was. The truth is mine is the only computer they are _not_ regularly fixing (or screwing up) here in my office.

Re:IT parallels the free software movement

[Chanc_Gorkon]

It's like antivirus programs. I have no problems with having it installed on my computer, but I DO have a problem with it kicking off in the middle of the danged day when I am trying to work. The problem with some of the power tripping IT staff (hey I am in IT) is that they don't think....what time of day should these run?? They accept all defasults.....and that sucks.

Re:IT parallels the free software movement

[Qwerpafw]

It's not hard to teach people the basics of networking. When you hold people's hands, you make it so they won't have to learn, so they don't. Require them to learn how to fish and they'll be providing for themselves. I know you'll say it's crazy, it's impossible, no normal person could ever learn responsible computer use... but get off your high horse. People routinely learn much more difficult things than using computers - and if they have a motivation to learn how to do things, they will.

In fact, you've proven this. You say people will figure out how to "infest" your network with unlicensed software, but that's assuming individuals will figure out how to do this. You're probablly certain they will - and why? Because it's probably already happened. You spend your time fighting against your tricky users, who find all the holes in your policies and install skype, or limewire, or whatever the unauthorized flavor of the month is.

IT creates an oppositional environment where users are pitted against systems administrators. Is it a surprise that people find ways around the IT department's rules? Imagine if these energies were placed towards helping the system, helping the network, helping resolve instead of circumvent. Sure, not everyone may be willing to expend effort, but there'll be enough people who will take responsibility for themsleves and share with others.

The problem with most IT departments.

Most IT departments think that they know everything there is to know about computers and the network. The problem is that they don't know half of the shit they think they do. In particular they usually know nothing about what their users need in order to be productive. Instead most IT departments focus exclusively on control, control, control. While control is great you must have an idea of what you need to control and why and that is where IT departments are out to lunch. Security is not the only responcibility of IT, usability is just as important. If I can't use my computer I might as well not even have it. Its just a waste of space and money if it is locked down so tight that I can't get my job done. Time and time again it has been shown that with physical access to a system you can gain control over it.

Stop being a disabler and start being an enabler. Show people how to user their computers effectively while keeping them safe through education.

Depending on the context: absolutely spot on

[mce]

First of all, it depends on the context whether this is a good idea or not. In some environments, the IT group is the one and only IT wizard. In others (esp. in companies where IT development and IT research are the core business), the official IT group often is not at all capable of even understanding what the engineers are doing and supposed to do.

I've always worked (nearly 18 years now) in the latter situation. Once upon a time, I was one of those superusers in that I was had an IT degree, but worked in engineering (research, actually) where most of my collegues were non-IT engineers. They were very IT savy at a personal level, but generally missed the wider scope. So far so good. The not so good thing, was that the IT department had no clue whatsoever of what the real business needs in terms of IT were (and neither had the company's management). The consequence was an ever worsening war between IT and IT users, amongst other things resulting in ever more shadow systems. We solved this by establishing a working group that took care ensuring there regular was bidirectional communication between parties (I was one of the founding fathers and later on was the chairman for many years). This worked wonders. (Note: It worked so well, that when I finally left the company, the IT group tried to convince me to stay by proposing that I might join them in quite senior positions.)

Part of the whole concept was to do exactly what TFA says: the real superusers were identified; they earned the trust/respect they deserved; and then gained the appropriate - for our context - access to specific systems. (I personally managed the whole repository of OSS as well as some commercial soft we had installed centrally on UNIX. No, I did not have root, as I designed the complete setup such that I did not need it, but it will also be clear that with that level of access I potentially could access a lot of data and that capturing root would not have been difficult had I wanted. Some superusers can be trusted afterall.) Many succesful applications were developed in the same way: some superuser developed - with the knowledge of IT - a prototype that was taken into production for a larger audience after review by the working group and possibly some clean up by IT.

Actually, all this is nothing new. Strategic alignment between business and IT is a core part of IT governance. So is making sure that IT governance is not a buzzword hidden in a bi-monthly meeting between the CTO and CIO, both of whom generally do not understand the issues, but that it is something that is built into the whole system at all levels. And yes, this includes the superusers (at least the capable ones).

Concluding remark: I've since obtained an MBA. As part of the IT course, I wrote a paper describing the complete history of IT management & governance at my previous employer detailing the above story at length. That paper made a very happy professor, as he considered that I was absolutely spot on. Afterwards he started using me as an in-class assistant for the remainder of his course.

Re:So, I get two salaries, right?

[pla]

Remind me why we even have an IT dept. again?

Because for every one of you, we have a hundred people who can barely manage to get around in MS Office, and most dangerous of all, three or four people who think they know computers (yet strangely manage to cause more restore-from-backup sessions that all other users combined).

That said, if I didn't work in IT, I sure as hell wouldn't do the same work unrelated to my job description. Dealing with helpless coworkers without having it go into my pay or performance reviews? Not bloody likely!

Where do you work?

[khasim]

Well, they broke the machine didn't they?

Yeah. And?

Are you seriously saying that the company you work for would support you NOT helping an employee recover his system just because he broke it himself?

But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing.

No, seriously, the company supports that position for you?

I always make this stuff clear when a manager requests these sorts of permissions for one of their people.

Again, and the company supports that position?

We support the standard configuration, once you deviate from that, all bets are off.

That's a LOT different from what you've been saying.

We only support our standard configuration. Yet if a machine breaks, whether from an employee's actions or not, we still repair/recover as much as we can.

I'm fascinated that you seem to be claiming to work for a company that values your self-esteem over actual customer contracts.

Re:Where do you work?

[SatanicPuppy]

You're being a jackass, but I'll respond anyway.

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.

I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.

Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.

We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a weeks worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.

If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.

The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.

Re:Where do you work?

[paeanblack]

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.

That's true today, but don't expect the status quo to last. This is no different from when people started bringing PCs into the office 25 years ago. Corporate IT said, "no way...use the mainframes", and the users brought PCs anyway. The users won.

IT exists to manage things in a sane and orderly manner, but it can not and never will be able to proscribe useful tools in the long run.

Don't ever turn a user request into a battle where your defense is "we can't support that." You may win that battle, but you will lose the war, every single time.

Re:Where do you work?

[SatanicPuppy]

My tone? You started this conversation accusing me of slighting Joe User, which has nothing to do with my original statement, and then you persist in trying to point out my "hypocrisy" in saying that users with special privileges won't get special treatment!

And no, I don't believe that it is IT's job to spoonfeed users. That is old thinking. You should be teaching them to do basic tasks themselves. 70% of the IT work here is in developing and deploying new systems, and the rest of the work is split between maintenance and user support.

We lock down the average user to the point where there is effectively no way that they can break their system. If it gets broken, we switch it out with an identical system and they're up and running again in no time, because all their files and emails are stored remotely.

The users who require more access are granted it, but they are not given extra tech support. They want a fresh system, no problem. But they never want that, because that would be just the beginning of their work.

And my value is creating new things; some of which help employees do their jobs, and some of which remove the need for anyone to do that job. One day I may automate myself out of a job; it's certainly possible. But it's a lot better than trying to manufacture a job for myself by fostering a culture of dependence.

Huh???

[mpapet]

We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues.

And why exactly would dev's get to touch production? This is the reason why change control , documentation and good service topography is so vital. Your dev system should be a snapshot of production minus personal data. Your infrastructure should support that all the way back to the dev shop. Anything less is laziness. Most of which is probably way outside of your control. I gave management the options and rationale and they make poor choices. Don't lose too much sleep over it.

While it's possible to create little sandbox areas for them, it's an administrative hassle

In theory, that's your job. You and I both know in practice, the reality is much uglier, but this gets back to having an appropriate test environment. ...their applications can't cross security lines... Then there's the support issues - who fixes their business critical application when they've left or are on vacation?

Get out of the blame-shifing game. Make the issue sknown and go on with your day. If management doesn't want to spend the money and time to manage contingencies well, then it's their fault not yours.

Comments like this are my #1 pet peeve. Get in front of these issues by communicating well and if nothing changes it's a no-win situation where blame default shifts to IT. Move on. There are greener pastures.

Re:So, I get two salaries, right?

[huckda]

[i]says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." [/i]

Actually in short...the reason is because IT are often understaffed, are required to follow ridiculous internal legislation, and many times are under-funded, and required to maintain a certain level of security...the latter of which is often BREACHED by these so-called power-users...which are nothing more than people wanting control over everything they do...

Here's a news flash...employees are there to WORK FOR their employer...not themselves.

Re:So, I get two salaries, right?

[_ph1ux_]

Yes this is the main problem with the concept of "embracing super users"

At several companies people outside IT have floated the idea that there should be a departmental super user who people within the department can go to with issues. The idea being that a highly technical member of their department would understand their specific departmental tasks/duties/needs and be able to support them on "little or common" it requests.

The reality is that this effectively makes that person a member of IT - and the sad fact is that typically they are not in a position to have proper access to all systems/passwords etc to solve issues.

Aside from specific application support, its generally not a good idea to rely on Super Users to work on general IT issues.

What really needs to be addressed is properly staffing helpdesks with the APPROPRIATE resource.

This starts getting at the core of the problem within IT - Costs...

99% of IT departments are not *embraced themselves* by execs - who only see a bottom line problem; IT departments spend money. Lots of it.

Funding the correct resource in a department can be hard for small to mid size companies because they dont think a helpdesk person should cost them anything north of 50K, but the reality is that a quality baseline of skills is required in helpdesk.

While I ahve exceptional people on my staff, often times they are underpaid given their skill set. I think a rockstar helpdesk person can be worth around 80K per year. But as their skills grow even furtehr they are likely to go and want to become sys ads and sr sys ads. These guys range between 80 and 110 / yr depending on specifics.

Companies think helpdesk should be a lowly intern or some 45-50K person...

This results in mediocre skills and more importantly -- MOTIVATION. Thus the hole of "IT departments unable to meet or understand..."

budgeting for STAFF in IT should be spread as a cost to all departments. Each department should carry an expense for a portion of funding the pay of IT. Just in the same way they (typically, if budgeting is done correctly) share the load in the cost of capital projects.

Re:So, I get two salaries, right?

[Ced_Ex]

Well, this rogue moron has to install stuff on his own, because our IT support department treats the development teams as if we don't know what we're doing, and applies the same policies for business users to us.

How can I be expected to do my work, if I can't even install an IDE, because it doesn't fit the standard image they have?

Anyway, it's more a problem in the structure I have here than anything else. I just wanted to state the point of view from a rogue moron.

Re:So, I get two salaries, right?

[Chode2235]

Here I always thought it was the servers, data infrastructure, advanced developmental work, and systems design and implementation.

Workstation management for all the companies I have worked for has been a PITA for us 'business users' who need to get things done.

I think in general they take a much to hands on approach which ties our hands and takes their time. I am glad that they are finally recognizing that people can take care of themselves a little bit.

Now if only we could have our own coffee pots.

Nightmares?

[GameboyRMH]

In short, they're walking, talking IT governance nightmares I always saw these people as being useful, not nightmares by any stretch. The nightmares are the semi-computer-literate types who want to know why they can't install crap(spy/ad)ware X at the office, and nearly-computer-illiterate business types who want to know why you can't make application Y do magical thing Z. In fact if you have these "guerilla IT guys" doing things themselves, it's probably because the IT department is incompetent. I've never run across a "guerilla" who had to fill in for the IT department but if I did I'd feel pretty bad.

In short, if you see these people as nightmares, chances are there's a good reason they're taking things into their own hands and you should get off your ass and find out what's going on, and find a way to fix it so they don't have to. You shouldn't have to do their job and they shouldn't have to do yours.

One of the dumbest things I've ever heard.

[lawn.ninja]

Maybe the guy who wrote this article works in a building full of programmers or something, because short of that this is the dumbest idea I've ever heard. If I let my users have control of anything the PC's would be full of yahoo toolbars, itunes and some random spyware app that "automatically switches their desktops".

I know plenty of these self proclaimed techies. They go home, they watch tech TV, they read all the latest computer magazines and they can recite what the best video card is down to the chipset revision number... The things they don't know are the most important though, and its info you wouldn't be privi to unless you knew the system, like say a sys admin or desktop support tech would. You know like program dependencies... drive mappings, registry hacks. I honestly don't know one out of the box solution that we use at our company. Every one of our apps, including the mainstream ones, have been customized to work with our environment.

I wish these dumb assholes would learn that not all PC's are your home PC. Just because you can add and remove programs sufficiently at home bears no indication that you can do anything useful in a production corporate environment. Your windows XP home edition bears little to no resemblence to the system we've put in your office. Leave it alone. We QA and test every image that goes into production, your app may not jive with our app... There are reasons to have specialists in every area. People just want to be know-it-all assholes. I don't pretend to be a cosmologist because I watch Discovery Space.

People just have no respect for IT and because of that everyone always has a better solution. people should concentrate on their jobs and stop worrying about how to get rid of the IT department, we're here, we're not going anywhere. If your IT department is lazy or can't provide solutions for you, get rid of the certificate junkies and get some real techs in place. If you give a roadmap of what you need we can make unicorns appear, at least my IT department can.

Re:So, I get two salaries, right?

[Ced_Ex]

So basically what you're saying is that at every major place you've worked at, you've had an idiot. You know what, we've all had a few of those, and for some of us, some of those idiots were in the IT department.

You ask why I should be treated differently? I am under the assumption that they hired me for my specialty, and that I have a base knowledge of what I'm doing. If the IT department fails to give me to tools I need, how am I suppose to be effective?

I'm advocating tiered access. You can't just blanket a development shop with a business area and hope everyone will be happy. We have different needs and technical expertise. What is a development shop supposed to do with a base installation? You can't develop things using a text editor. And you definitely can't develop web applications if you can't setup a web server somewhere. Nor can you submit change requests to IT everytime a small setting needs to be changed.

IT department can't just lock things up and say, "Well, we did our job, the system is locked up tight, nothing will go wrong."

All they've really done is lock up the place, and prevent any legitimate work from taking place. Granted, your job is done, but at the expense of everyone else's job.

Sure, I wouldn't want an IT guy changing the development I'm working on, but at the same time, I wouldn't release an application to a client with the system locked and unable to accomplish what it was initially intended to do.

There is no blanket Solution

[sco_robinso]

It all really biols down to the company, its history, the type of industry it's in, its size, its management, etc.

There are companies and situations where superusers can be a great value, and others not so much.

Personally, I'm in a company of about 200 people. We have a fairly defined and rigid set of IT policies. It's well communicated and well known that you don't install any apps or programs without IT's permission. If users have requests or need software, we'll install it for them after testing it first. That being said, there's very little deviance on behalf of the users, and overall, we have very few problems with rogue users or PCs.

It really just depends on the company. At minimum, you need to have a coherent, plain language IT acceptable use policy that all employees need to be familiar with.

Then, there's something to be said about why superusers deviate. From the sounds of alot of /.ers, they have to fill out forms in triplicate just to talk to someone in IT. In our company, you simply go talk to the guys in IT. If you need a printer or an app installed, we do it in a few minutes.

But again, there's so many factors that come into play, you have to take it piece by piece.

Powerusers and their storage needs...

[HockeyPuck]

Most "powerusers" go by the creed "Tis better to beg for forgiveness, than to ask for permission." Case in point, my team runs a Fortune 100 company's storage environment. We're running about 1.2PB of EMC DMX and NetApp storage (not including VTL). If a department needs NAS for some project we have a easy webpage for them to go to, they fill it out with the sharename they'd like, and we automatically find them a filer and create a 100GB CIFS/NFS share for them. Already integrated with active directory and NIS. End user can specify who can see it by specifying a group such as .group and everyone in their dept can have read/write access to it. Or you could just specify a list of users.

Sounds pretty easy. It's backed up, regular hourly snapshots are taken. It's backed up to tape, firmware upgraded and when the lease on the filer is up, *WE* migrate all the data to another filer off hours and you continue on with your life. Anyhow...

Some PowerUser user decided he wanted to 'play IT'. And decided he wanted his own storage that he could limit who accessed. While we would have been more than happy to allocate him 100GB of storage. He proceeded to go out and build some linux box under his desk with some home-office grade disk enclosure. He then demanded that *WE* back it up to tape, and *WE* integrate it in with NIS/active directory. It should also be known that the few outlets in the cubes are not spec'd to have servers/arrays plugged into them but laptop/dock and monitor type equipment.

Long story short. Someone came along and walked off with the homeoffice disk array and all the data on it. I got to go to all the meetings and watch this asshat explain why he lost customer data.

How much privs do 'powerusers' need?

[HockeyPuck]

Hey powerusers... how much privs do you need? You say you want to install whatever you want on your PC. Which btw you didn't purchase. You say you want to pick our the exact model of server your app runs on, but you don't want to be the one to stock the 97.56GB drives as replacements, nor do you want to carry a duty pager to swap out parts when they break at 2am.

Why stop there? Why not just ask for the admin password on the core routers. I'm sure your expansive knowledge of networking (and installing dd-wrt on your linksys does not make a BGP expert out of you) could provide invaluable when the DWDM gear is malfunctioning. We're upgrading to AIX6 shortly, maybe your vast experience in managing/installing mysql at home will help us optimize a 10TB DB/2 database. Please help us out, since you installed parallels on your mac, you can lend us some of your expertise in VMs when we consolidate two z990s into a z10.

You say you manage a 5TB nfs server at home? Please show us the wisdom of your ways as we try to consolidate 50 EMC DMX arrays so we can save on power and cooling.

When we fuck-up, an entire company and its' customers feel the pain. When you fuck up, you prevent us from doing our job as we clean up your mess.

Users should be given just enough privileges to do their job. This is why you do not have root on your server, you download pre-packaged software from the intranet, you do not have admin on the core routers, physical access to the datacenter and why we don't "tinker." You want to tinker, go work in your garage where you can tell your wife that you built a jumpstart server for the two linux boxes in your home media center and thump your chest. We support hundreds, thousands of users whom would rather spend their days focusing on doing their job.