Learning Network Manager Thread, Giving SLT User Administrator Password in Technical
6th September 2013, 09:08 AM #31
Also consider if they wanted rid of you or someone else for whatever reason and decide a bit of network tampering is the way to go. You have enormous amounts of power as a network admin and the trust and impartiality that goes with it. As SU - ROOT used to say to me every time I used it during shell training, "With great power comes great responsibility!"
It sounds utterly paranoid but that is a trait that network security revolves around.
6th September 2013, 10:07 AM #32
Yes, of course, and indeed when I talked about "your" password I did mean the admin password in general - and @elsiegee40's explanation is a good one and I shall keep that in mind!
Originally Posted by CAM;
But if they want to do it, they will.
Last edited by witch; 6th September 2013 at 01:37 PM.
6th September 2013, 10:24 AM #33
Would love to know if this got taken to a disciplinary where this would go. They can't just sack you for not giving access as it is in your job spec to maintain the systems to the highest professional standards!!
Last edited by nicholab; 6th September 2013 at 10:26 AM.
Thanks to nicholab from:
Get2theChoppa (11th September 2013)
6th September 2013, 10:40 AM #34
Originally Posted by witch
Correct, it is not "your" network, but it is "your" password ... and you can cover it under DPA under principle 7. Principle 7 of the Data Protection Act - Guide to Data Protection
Sharing your password means you are not taking reasonable organisational measures to prevent accidental damage, ie that someone may delete or move data for which they do not have the understanding, expertise or experience to judge the impact of.
I would also cover it under Principle 1 - the processing of data shall be lawful. If access to data is given to someone who does not have the right to process it (ie as part of their job description) then you are in breach of principle 1.
And this is before we get into the fact that it would allow for accusations to be made against SLT that they are 'investigating' staff files and there is no clear audit trail to prove it one way or another, meaning that any case of constructive dismissal suddenly gets a massive injection of ammo to throw at the school.
Explain to SLT that by doing it all by the book you are protecting them and the school, and should they wish to insist that they know your password then I suggest you give them a dummy account, with minimal delegate admin access whilst using a separate admin account yourself.
I would also speak to a union to get advice about being instructed to complete an action that could be potentially harmful to the school and individual employees.
In short, don't give them your account, give them another and if you can do as suggested, account details in an envelope, sign the envelope, laminate it, sign the laminate too, then into the safe. Some SLT will want a second copy kept off-site. Do the same again, but the off-site copy has to stay with a nominated and trusted person such as the Chair of Governors, then brought in for a monthly check to show it has not been opened.
6th September 2013, 10:45 AM #35
Forgot about Principle 1.
But how does that square with what I raised before about the "can" NOT in fact being the same as the "may" in our case? Surely that must mean that, for us, the requirement for access to all data assets must be included in each of our job specs, otherwise a sysadmin post is always in breach of Principle 1?
6th September 2013, 10:54 AM #36
I did at one point refuse to sign the end user agreement as I would break it on a daily basis. It also did not have any input from us and generally made me cross?
Last edited by nicholab; 6th September 2013 at 10:56 AM.
6th September 2013, 11:01 AM #37
I refused to sign the end user agreement until it was modified to allow me full access to any staff data on the server. We have a separate admin network which I am not responsible for so that made things a little easier.
I agree that we have a big responsibility over this issue and I wouldn't give out "my" password - I was just using that as shorthand for an admin account. But I still say that even with all these reasons documented and a minimal admin account created - if they still demand the full admin access, I don't see how you can refuse? The suggestion that SLT is going to be irresponsible with it or do something unacceptable is a bit worrying.
6th September 2013, 11:10 AM #38
The fact is they can cause problems without meaning to. The concern isn't that they would deliberately vandalise the system, but simply that the use of this skill requires great precision and some of us have careers in - basically - how to use it properly. Surgeons tend to hold onto their scalpels too. To suggest otherwise demeans the profession.
As I said, clearly there is a hierarchy but at the end of the day if you believe an instruction is potentially illegal you have the right to refuse. If they have a problem with that, then it's time to go before the Governors, the LEA or a Tribunal if necessary and slog it out.
6th September 2013, 11:15 AM #39
How would just requesting admin access to the server in a head's own school be illegal?
6th September 2013, 11:38 AM #40
I said earlier:
"Furthermore, there will be some data stored on the system that even members of SLT should not be privy to. This includes sensitive personal data on staff, particularly where e.g. disciplinary meetings are concerned, or disclosures of e.g. mental health concerns that may lead to an OHU referral. Some of you will know that the latter happened to me last year, and the only member of SLT I expect to have access to those stored copies of OHU referrals is the Head. Not the Deputy Head, not the Assistant Heads, not the Business Manager, because they Don't Need To Know™. In that manner, and only in that manner, we comply with Principles 2, 6 and 7 of the DPA."
But that could be a different scenario. If there are allegations made against the Head, for example, here they would go to the Governors. The Chair also has an account and may store data (meeting notes etc) in respect of that allegation. The Head may not access this.
Put simply, just because you hold X Very Senior Role doesn't mean you get full access to everything. Nobody does. We are the only exceptions and that's purely for functional reasons, e.g. how can you back up all data if you can't access it all? If someone wants to give me a few million and a team of very clever people, I'd be quite happy to go away and attempt to design a security/filesystem model that doesn't require this, but for now it remains an unfortunate exception.
6th September 2013, 11:39 AM #41
If the Head has admin access and doesn't have a clue about what he might break when fiddling then the school is failing on principle 7, as they know that there is a high risk that something could go wrong. They are not taking all 'reasonable' organisational measures (ie only those that have the expertise, experience and understanding of the data and systems it is housed in).
Originally Posted by witch
If the Head is trained and certified SysAdmin then it would be reasonable for him to be granted full admin access (or given a separate account with full admin access so that there is a separation of activities between the day job and the elevated access).
In the same way, if another member of SLT is an experienced data controller, has a high level knowledge about the MIS then they might have access to a full admin account in there.
It should be part of a school's risk assessment when identifying data controllers, and the final decision should be with the SIRO, if you think about it.
6th September 2013, 11:45 AM #42
It will vary from school to school but generally the NM, and others with full access to the main admin account which can access everything, can grant access to everything or change passwords to grant access, are recognised as that they can access everything, but that does not mean they *will* access everything.
Originally Posted by Ephelyon
This is then backed up with an audit trail of password changes, etc so that it is clear who has done what... if needed.
In the same way the CPO in the school will have access to sensitive personal data and data labelled as IL4, it does not mean that they will read every little bit of data on every child.
Thanks to GrumbleDook from:
Ephelyon (6th September 2013)
6th September 2013, 12:57 PM #43
Just an aside: My account is a member of the Administrators, Domain Admins, Domain Users and Staff groups, but there are still some functions that I can only use under the built in administrator account. I use my account for most admin activities on the server, but the built in account when computer says no. We buy support services from our LA and they have access to and sometimes use the built in account too, for the same reason.
I have tolerated that on the basis that there is a trail of the fact that my access can be tied to my machine and that someone else does need access in case I am not available. Is there a permission that I can give myself, so that I can close this loophole?
6th September 2013, 01:36 PM #44
Thanks, good to know. I wonder how it would be to work for a Head who'd had a sysadmin background?
Would be interesting considering that with the amount of full-time teaching experience needed to reach Headship, I'd imagine they wouldn't have been doing much sysadmin work since about... the 80s/90s?
6th September 2013, 02:02 PM #45
I think it comes from a change in security model in schools. I still find it confusing that one teacher is not allowed access to some information but another teacher is; I thought they were all on the same team. This suggests that historically all teachers had access to all information and now there are different information circles in schools. But the Data Protection Act is stupid in that for over 50 years index cards have been used but only now have we decided that you need to register that card index, which is stupid.