A cornerstone of security for most computer systems is the user account. The user account is a way of defining what each human being on the system can do with (or to) the system. Universally, systems are designed with a user hierarchy in mind: users at the bottom rungs of polite computer society may be able to log in and look at a few things, but not make any changes or see anything particularly sensitive. Those at the top may exercise complete control over core system functions or services. The two basic tenets of a security plan are: (1) give each user the fewest privileges on the computer system that are practical for that person’s function, and (2) limit the number of user accounts that have complete access and assign these to the trusted few in the organization.
These principles have a corollary: the IT department is typically the organizational unit that controls privileges for new staff who join the organization. The process to do this is relatively straightforward: the hiring supervisor completes a form online that notifies the IT department of a new user account to be created. The actual technical process to establish a new account is relatively lengthy due to the ever-increasing number of systems and applications that require a password. Not surprisingly, our user community is made unhappy when a new user account doesn’t work “out of the box.” This problem culminated in a meeting of some of the unhappy users with me, the purpose of which I think was as much to remind me of where my bread was buttered as it was to seek a better way to activate new accounts.
Before a process can be improved, one must understand the steps involved in it. Process improvement also requires that data be collected on the frequency of the problem in order to be able to measure improvements with changes to the process. But in this case, the real problem was a more general frustration with the technology and the sense that the technology department had the wrong priorities, or at least a list of priorities that was at variance with what this group of users thought should be the department’s priorities.
So what do you do? For one thing, having enough notice of a new user account helps to ensure that the account is created on time. Having time to set up the account would also allow IT to test the account to make sure that it works before turning it over to the user. As we discovered, having a written checklist of the process also helps to cut down errors (especially if the administrator is interrupted while activating the account, which surely never happens elsewhere). There are also technology solutions to managing accounts across multiple information systems (for example, by using some kind of single sign-on technology that stores the account information of the other systems within the SSO system). These solutions typically cache subordinate system passwords and pass them to those systems when demanded so that the user need only remember the primary account password (such as their Active Directory login).
We also implemented a feedback process so that a new user (or their supervisor) could provide feedback to the IT department on problems with the account. This information can be used for training or for process improvement, particularly where there are trends evident in the errors over time. The problem with this process was that the number of errors reported was relatively small over time, and the fact is that you will not ever have a zero error rate with any process, no matter how much attention you put on it. However, if you activated thousands of accounts each year, the data collected would be more useful to you.
All of these tools only work when there is a good relationship between the users requesting accounts and the IT staff who create them. And for IT managers, this may be the underlying issue that causes the actual tension in the room.
One way to improve user relations is to regularly talk with them to understand the issues and to get feedback on the IT department. This goes beyond an annual user survey and requires an IT manager’s attendance at meetings with users. In addition, having avenues to communicate with the user community when there are system issues is important. Finally, advertising the efforts of the IT department to improve processes with the most complaints can help improve how users feel about the department’s services and staff. Whenever you can, take the complaint as an opportunity to improve relations with your customers and advertise your success at resolving it.