Learning Network Manager Thread, Giving SLT User Administrator Password in Technical
  1. #31
    CAM
    Also consider if they wanted rid of you or someone else for whatever reason and decide a bit of network tampering is the way to go. You have enormous amounts of power as a network admin and the trust and impartiality that goes with it. As SU - ROOT used to say to me every time I used it during shell training, "With great power comes great responsibility!"

    It sounds utterly paranoid but that is a trait that network security revolves around.

  2. #32

    witch
    Quote Originally Posted by CAM
    It sounds utterly paranoid but that is a trait that network security revolves around.
    Yes, of course, and indeed when I talked about "your" password I did mean the admin password in general - and @elsiegee40's explanation is a good one and I shall keep that in mind!
    But if they want to do it, they will.
    Last edited by witch; 6th September 2013 at 12:37 PM.

  3. #33
    nicholab
    Would love to know if this got taken to a disciplinary where this would go. They can't just sack you for not giving access as it is in your job spec to maintain the systems to the highest professional standards!!
    Last edited by nicholab; 6th September 2013 at 09:26 AM.

  5. #34

    GrumbleDook
    Quote Originally Posted by witch View Post
    Well, you can ask, but as they are SLT they outrank you and can do what they like. It is neither "your" network nor "your" password so the only thing you can do is tell them why it is not a good idea and ask them what they are thinking that they might need to do when you are not there

    Correct, it is not "your" network, but it is "your" password ... and you can cover it under DPA under principle 7 (Principle 7 of the Data Protection Act - Guide to Data Protection).
    Sharing your password means you are not taking reasonable organisational measures to prevent accidental damage, ie that someone may delete or move data for which they do not have the understanding, expertise or experience to judge the impact of.

    I would also cover it under Principle 1 - the processing of data shall be lawful. If access to data is given to someone who does not have the right to process it (ie as part of their job description) then you are in breach of principle 1.

    And this is before we get into the fact that it would allow for accusations to be made against SLT that they are 'investigating' staff files and there is no clear audit trail to prove it one way or another, meaning that any case of constructive dismissal suddenly gets a massive injection of ammo to throw at the school.

    Explain to SLT that by doing it all by the book you are protecting them and the school, and should they wish to insist that they know your password then I suggest you give them a dummy account, with minimal delegated admin access, whilst using a separate admin account yourself.

    I would also speak to a union to get advice about being instructed to complete an action that could be potentially harmful to the school and individual employees.

    In short, don't give them your account, give them another and if you can do as suggested, account details in an envelope, sign the envelope, laminate it, sign the laminate too, then into the safe. Some SLT will want a second copy kept off-site. Do the same again, but the off-site copy has to stay with a nominated and trusted person such as the Chair of Governors, then brought in for a monthly check to show it has not been opened.

  6. #35

    Ephelyon
    Forgot about Principle 1.

    But how does that square with what I raised before about the "can" NOT in fact being the same as the "may" in our case? Surely that must mean that, for us, the requirement for access to all data assets must be included in each of our job specs, otherwise a sysadmin post is always in breach of Principle 1?

  7. #36
    nicholab
    I did at one point refuse to sign the end user agreement as I would break it on a daily basis. It also did not have any input from us and generally made me cross?
    Last edited by nicholab; 6th September 2013 at 09:56 AM.

  8. #37

    witch
    I refused to sign the end user agreement until it was modified to allow me full access to any staff data on the server. We have a separate admin network which I am not responsible for so that made things a little easier.

    I agree that we have a big responsibility over this issue and I wouldn't give out "my" password - I was just using that as shorthand for an admin account. But I still say that even with all these reasons documented and a minimal admin account created - if they still demand the full admin access, I don't see how you can refuse? The suggestion that SLT is going to be irresponsible with it or do something unacceptable is a bit worrying.

  9. #38

    Ephelyon
    The fact is they can cause problems without meaning to. The concern isn't that they would deliberately vandalise the system, but simply that the use of this skill requires great precision and some of us have careers in - basically - how to use it properly. Surgeons tend to hold onto their scalpels too. To suggest otherwise demeans the profession.

    As I said, clearly there is a hierarchy but at the end of the day if you believe an instruction is potentially illegal you have the right to refuse. If they have a problem with that, then it's time to go before the Governors, the LEA or a Tribunal if necessary and slog it out.

  10. #39

    witch
    How would just requesting admin access to the server in a head's own school be illegal?

  11. #40

    Ephelyon
    I said earlier:

    "Furthermore, there will be some data stored on the system that even members of SLT should not be privy to. This includes sensitive personal data on staff, particularly where e.g. disciplinary meetings are concerned, or disclosures of e.g. mental health concerns that may lead to an OHU referral. Some of you will know that the latter happened to me last year, and the only member of SLT I expect to have access to those stored copies of OHU referrals is the Head. Not the Deputy Head, not the Assistant Heads, not the Business Manager, because they Don't Need To Know™. In that manner, and only in that manner, we comply with Principles 2, 6 and 7 of the DPA."

    But that could be a different scenario. If there are allegations made against the Head, for example, here they would go to the Governors. The Chair also has an account and may store data (meeting notes etc) in respect of that allegation. The Head may not access this.

    Put simply, just because you hold X Very Senior Role doesn't mean you get full access to everything. Nobody does. We are the only exceptions and that's purely for functional reasons, e.g. how can you back up all data if you can't access it all? If someone wants to give me a few million and a team of very clever people, I'd be quite happy to go away and attempt to design a security/filesystem model that doesn't require this, but for now it remains an unfortunate exception.

  12. #41

    GrumbleDook
    Quote Originally Posted by witch View Post
    How would just requesting admin access to the server in a head's own school be illegal?
    If the Head has admin access and doesn't have a clue about what he might break when fiddling then the school is failing on principle 7, as they know that there is a high risk that something could go wrong. They are not taking all 'reasonable' organisational measures (ie only those that have the expertise, experience and understanding of the data and systems it is housed in).

    If the Head is a trained and certified SysAdmin then it would be reasonable for him to be granted full admin access (or given a separate account with full admin access so that there is a separation of activities between the day job and the elevated access).

    In the same way, if another member of SLT is an experienced data controller and has a high level knowledge about the MIS then they might have access to a full admin account in there.

    It should be part of a school's risk assessment when identifying data controllers, and the final decision should be with the SIRO, if you think about it.

  13. #42

    GrumbleDook
    Quote Originally Posted by Ephelyon View Post
    Forgot about Principle 1.

    But how does that square with what I raised before about the "can" NOT in fact being the same as the "may" in our case? Surely that must mean that, for us, the requirement for access to all data assets must be included in each of our job specs, otherwise a sysadmin post is always in breach of Principle 1?
    It will vary from school to school but generally the NM, and others with full access to the main admin account which can access everything, can grant access to everything or change passwords to grant access, are recognised as being able to access everything, but that does not mean they *will* access everything.

    This is then backed up with an audit trail of password changes, etc so that it is clear who has done what... if needed.

    In the same way the CPO in the school will have access to sensitive personal data and data labelled as IL4, it does not mean that they will read every little bit of data on every child.

  15. #43

    Just an aside: My account is a member of the Administrators, Domain Admins, Domain Users and Staff groups, but there are still some functions that I can only use under the built-in administrator account. I use my account for most admin activities on the server, but the built-in account when computer says no. We buy support services from our LA and they have access to and sometimes use the built-in account too, for the same reason.

    I have tolerated that on the basis that there is a trail of the fact that my access can be tied to my machine and that someone else does need access in case I am not available. Is there a permission that I can give myself, so that I can close this loophole?

  16. #44

    Ephelyon
    Thanks, good to know. I wonder how it would be to work for a Head who'd had a sysadmin background?

    Would be interesting considering that with the amount of full-time teaching experience needed to reach Headship, I'd imagine they wouldn't have been doing much sysadmin work since about... the 80s/90s?

  17. #45
    nicholab
    I think it comes from a change of security model in schools. I still find it confusing that one teacher is not allowed access to some information but another teacher is; I thought they were all on the same team. This suggests that historically all teachers had access to all information and now there are different information circles in schools. But the Data Protection Act is stupid in that for over 50 years index cards have been used but only now have we decided that you need to register that card index, which is stupid.
