Guerrilla IT, Embracing the Superuser?

snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"

Superusers?

[wild_quinine]

Yes, they're end users. But they don't sound like customers. They sound like employees.

In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.

I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.

Re:Superusers?

[diamondsw]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

My mother's laptop takes over 5 minutes to boot because of all of the scripts and login items the company forces her to run. This is not an uncommon occurrence because the various shit also prevents it from waking from sleep about 50% of the time. It's so locked down she can't install anything - not even a driver so she can plug in her company-supplied Sprint EVDO card for remote access. Nope, she has to drive into the office (about an hour away) just so they can pop in the card. Need to change an IP setting for the home wifi network? No-can-do (truly, the firewall and VPN cannot be trusted against the awesome power of the home LAN...). Maybe use something secure like Firefox instead of IE 5.5 (yes, 5.5!). Nope, can't install it. Use a USB memory stick to copy a file? Nope.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Re:Superusers?

[wild_quinine]

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. I knew someone would come back with a smart comment like this, but I'm not yet jaded enough to include disclaimers in my posts. For your benefit: the wifi router in use was very poorly designed, using some horrific bridging tricks. Shutting down three buildings was actually an automatic fallback, to protect our larger network.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom? Now this is exactly what those chimps with their cheeky tricks believe. But in any decent organisation, of which I'm fortunately part, the people at the top really do care about supporting users, to our own convenience. It's our job, so we get it done. And nothing gives us greater satisfaction that a system that runs for the benefit of its users.

The job is supporting users, and that's what we do.

And that just precisely means making decisions about what can and what cannot safely be allowed in certain circumstances, and the sheer size of the operation means not being able to turn on a dime if somebody wants a completely different config. That's the way it is. We're not being unhelpful, we're making sure you don't butcher things for every other person in the zone by being a smartass.

Re:Superusers?

[everphilski]

Yes, they're end users. But they don't sound like customers. They sound like employees.
In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network,
resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.



My IT department is fine - I don't see them but once or twice a year and my computer works well enough. But a similar problem to the one you described occurred at the college I'm working on my PhD at. (I heard this story second hand, might be an error or two, but I trust the source) The engineering department wanted WiFi in the building in order to hook up the conference rooms and let students use wireless in the classroom. Seems simple enough, especially in this day and age. A formal request was made. And rejected by IT. Random bitching and moaning. So after a few months of inaction, the engineering department installed a few routers themselves, under the radar.

See, the problem is when IT gets in the way of business. IT is a service, not an administration. So when it starts acting like one, with bureaucracy, with stupid shit to get stuff done (a friend of mine, engineer in another company, had to wait three weeks (!!!) to get an approved, paid for compiler he needed installed on his laptop???) then yes, we go under the radar to get work done, which might I remind you is why we get paid. Apologies in advance if we ever cross paths.

Re:Superusers?

[element-o.p.]

Spoken like someone who's never worked in IT :rolleyes:

Yes, there are companies where the IT personnel are on a power trip, but IME, that's the exception rather than the rule. Most of the time, IT's policies are put in place for a reason. We don't want to make your life any more difficult than it needs to be. But when some "superuser" with a super-ego decides to circumvent IT policies by taking data home on a thumb drive, and then loses the drive or posts the data on-line for some reason, we get a mandate to keep it from happening again. When a user connects the company laptop directly up to their DSL or cable modem at home, contracts a new virus that evades the A/V software's detection rules and infects the network, then we take steps to prevent users from connecting to any network we don't control. And when we find our users installing games and P2P software, then we take away the ability to install anything on company laptops unless you can show that you have a bona fide need to do so.

You gripe that "Enterprise IT policies are almost always to make IT's life easier at the expense of the end user." Yeah, maybe. Sometimes it's true. But how long would it take you to change your tune if *you* were they guy getting called out on the carpet because a virus took your network down for two days? How many times would you let a user install rogue DHCP servers on your network before you decided to configure your switches to only allow certain MAC addresses to use given ports? How many times would you give out administrative access to anyone who asked for it, if your users kept breaking their computers because they didn't understand what they were doing?

Quote: If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

Are you serious? Your entire post is criticizing IT for doing exactly that! Yeah, we can lock down a network so that no one can break it, but to do so, it would be locked down so much as to be entirely inflexible. Your example of your mother's laptop is what happens when an IT department doesn't trust it's users, and therefore tries to build a network so that it can't be broken.

Quote: Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

If that's all that our users were trying to do, you'd find the network wasn't nearly so restrictive. However, I've seen field techs delete all of the company-provided software so that they could install Quake 3 (no, I'm not kidding...). I've seen users copy warez on the file server. And consequently, I've seen network administrators take away admin rights and block ports on the corporate firewall. The problem is that *most* users play be the rules, but the ones that don't get the IT staff in trouble with management. Therefore, we lock things down so it can't happen again.

There *has* to be order in any society or it becomes unstable and falls apart. In the corporate enterprise network, IT is responsible for creating and maintaining that order, and therefore, IT implements the policies that are necessary to keep the IT infrastructure operating smoothly. Not everyone likes those policies, but believe me, you'd like it a lot less if they weren't there.

Don't agree

[nine-times]

"It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening."

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.

yeah right.

[apodyopsis]

hahaha, let the users have admin rights?

does the author have **any** experience of the commercial environment?

Re:So, I get two salaries, right?

[garcia]

Remind me why we even have an IT dept. again?

Depends on the company but generally because they were told to have one, not because the department itself operates well. Honestly, while I could fully be a "rogue superuser" I prefer to let them do most of their work because I just don't get paid to do what they get paid to do.

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work backup for minutes, hours or days.

Bypassing network lockdowns

[truthsearch]

My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.

One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.

The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.

Re:So, I get two salaries, right?

[gEvil+(beta)]

Exactly. I'll generally deal with my own machine (up to a point) and will take full responsibility for any issues that might arise due to my actions. That said, if I encounter a problem, I'll do what I can to take care of it within the rights limits of what IT has given me. When I go beyond that I know that I'm on my own and can't particularly expect IT to fix it if I screw something up.

Re:So, I get two salaries, right?

[SatanicPuppy]

I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.

But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.

Re:IT parallels the free software movement

[Spad]

And while you're creating this community, your network is busily being infested with malware, unlicensed software and pirated music.

As much as we love to believe that everyone would be an ideal user with just a little education, most people simply do not care about computers outside of the fact that they have to use them for checking their emails and inputting data into "Application X". I admit that I work in the NHS, so there's an abnormally high percentage of IT illiterate users, but I see very few users with an actual interest in learning.

Maybe, maybe not

[Angst+Badger]

It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not place nice with air traffic control or nuclear plants. ;)

On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.

But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.

Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.

Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.

Re:So, I get two salaries, right?

[plague3106]

Well your caveat only works to a point. How long would your department let him spin his wheels while work is not getting done? Who then gets blamed for the downtime? The power user or IT?

Re:So, I get two salaries, right?

[Xzzy]

We did this at my employer, one of the departments decided they wanted to maintain their own desktops as a group. As no self-respecting admin actually enjoys taking care of desktops, we let them do it.

It wasn't a total break, they're still subject to the site's security policies and their home directories still mount from an nfs server we maintain, but no one in our group has had to install a machine or fix a dead hard drive in 5 years. They understand their needs far better than I ever could, so it really was a win-win situation.

It's worked surprisingly well, the admins are all volunteers from within the group, and they even maintain a batch system that all the workstations use for running jobs.

If any company has a group of people willing to take on that kind of responsibility, I'd say it deserves serious consideration.

Re:So, I get two salaries, right?

[pla]

Remind me why we even have an IT dept. again?

Because for every one of you, we have a hundred people who can barely manage to get around in MS Office, and most dangerous of all, three or four people who think they know computers (yet strangely manage to cause more restore-from-backup sessions that all other users combined).

That said, if I didn't work in IT, I sure as hell wouldn't do the same work unrelated to my job description. Dealing with helpless coworkers without having it go into my pay or performance reviews? Not bloody likely!

Re:Where do you work?

[SatanicPuppy]

You're being a jackass, but I'll respond anyway.

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my bosses boss, and the only guy higher than that only talks to shareholders.

I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.

Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.

We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a weeks worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.

If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.

The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.