SIMS SOLUS - Delegating upgrade rights for management by third party
I'm sure this is an utterly ridiculous thing to ask. I'm sure as soon as I start discussing file and registry permissions required by SIMS SOLUS, most people will respond with "hahahaha, no you can't do that".
But here it is.
I support a school which has a virtual machine running two SQL database applications: SIMS and PSFinancials. I'm currently in the process of handing over support for these two applications to their respective support providers (having been the one that installed and supported them for a few years myself). I'm not employed by the school - I'm a freelance engineer.
SIMS will be managed by the local authority's IT Support Unit, who have a fabulous record for ensuring they don't accidentally shut down servers, change the IP address of domain controllers, and all the other things that you can do to wreck a network.
Given the above, you can imagine I'm thrilled about the prospect of giving them administrator access to the server.
(In case your sarcasm detector is not working today - the above is of course... a joke.)
Actually, I'm not simply "unhappy" to give them local admin to the server - it's not going to happen. No way. If they foobar the server, which is not unlikely, it will prevent the finance ladies from doing their jobs properly. Of course, PSFinancials is technically supported by PSFinancials Support ... but I know how it works. It will all come back to me eventually, regardless of whatever form I get anyone to sign. (I plan to continue to provide support to the school - just not for SIMS and PSF.)
Sadly for SQL licensing reasons, I can't split the VM into two VMs, and give each support provider local admin. That would be great.
So I'm in the unenviable position of wanting to set up delegated permissions so that each support provider can *properly* do their job. That is, log on to the server, troubleshoot SIMS problems, upgrade SIMS database, etc. - WITHOUT giving them full admin.
I'm sure this will end up being some hack involving:
- Group Policy User Rights Assignment
- A healthy dose of Sysinternals Process Monitor to figure out what permissions SIMS SOLUS3 actually needs
- A healthy dose of ... long-term ... patience when I realise 6 months down the line there is one more permission that I didn't realise it would require to do something
Before I get my hands dirty, can anyone tell me whether they have done something similar? Whether SIMS SOLUS has a vaguely sensible implementation of NTFS / reg permission requirements? i.e. By Group Policy I could set up a domain security group, assign full control to the obvious program files directories required as part of SOLUS upgrades, and it will just work?
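The Process Monitor step in the list above, as an added example that is not part of the original post: it reads a Procmon CSV export (default column layout) captured while the upgrade runs under the restricted account and lists each directory or registry key where access was denied, with the rights requested. The process name `updater.exe` and the `ExampleMIS` paths are constructed placeholders, not real SOLUS locations.

```python
import csv
import io
import re
from collections import defaultdict
from ntpath import dirname  # Windows path rules, usable on any OS

# Constructed sample in Process Monitor's CSV export layout.
# Process names, paths and keys are placeholders, not real SOLUS locations.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","updater.exe","4120","CreateFile","C:\Program Files\ExampleMIS\bin\core.dll","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:02.11","updater.exe","4120","CreateFile","C:\Program Files\ExampleMIS\bin\ui.dll","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:02.30","updater.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleMIS\Setup","ACCESS DENIED","Desired Access: Set Value"
"10:01:02.40","updater.exe","4120","CreateFile","C:\ProgramData\ExampleMIS\log.txt","SUCCESS","Desired Access: Generic Write"
"10:01:03.00","svchost.exe","900","RegOpenKey","HKLM\SYSTEM\Other","ACCESS DENIED","Desired Access: Read"
'''

# The rights list ends at the next "Name:" field in Detail, or at end of line.
ACCESS_RE = re.compile(r"Desired Access: (.*?)(?:, [A-Z][\w ]*:|$)")


def denied_targets(csv_text, processes):
    """Map each denied directory or registry key to the access rights requested."""
    wanted = {p.lower() for p in processes}
    found = defaultdict(set)
    # Strip a leading byte-order mark if the export carries one.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Result"] != "ACCESS DENIED":
            continue
        if row["Process Name"].lower() not in wanted:
            continue  # unrelated system noise
        is_reg = row["Operation"].startswith("Reg")
        # Files are grouped by parent directory; registry keys are kept as-is.
        target = row["Path"] if is_reg else dirname(row["Path"])
        m = ACCESS_RE.search(row["Detail"])
        rights = m.group(1).split(", ") if m else ["(not recorded)"]
        found[target].update(rights)
    return {t: sorted(r) for t, r in sorted(found.items())}


if __name__ == "__main__":
    for target, rights in denied_targets(SAMPLE, ["updater.exe"]).items():
        print(f"{target}: {', '.join(rights)}")
```

The resulting list is the candidate set of directories and keys to grant to the delegated security group; re-capture after each ACL change, since a process that fails early never reaches the later denials.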
I would presume that you could either set up, as you have suggested, a group policy which would allow certain programs special rights. But why do all that when everything is set to work as is!
I would create a specific user account which has the rights to access just the Solus 3 and Sims, then within Sims find the best user controls that will allow the LA to do what is necessary both remotely and on site.
Surely this would be a case of keeping it simple: as long as the specific user has read/write permissions over the directories which the Sims and Solus 3 use, then that user would have everything it required. You could even deny access to all the other directories that are not required, including the registry, so that the LA can't do their very best to keep everything running well (sarcastic note).
> but why do all that when everything is set to work as is!
@bossman I'm not sure I follow. What exactly do you mean "everything is set to work as is"? Also, what exactly do you mean by "user account which has the rights to access just the Solus 3 and Sims"? A Windows user account? Are you referring to Windows ACLs when you say "a user account which has the rights [...]"? Also what do you mean by "best user controls that will allow the LA to do what is necessary"? Do you mean SIMS permissions? What's a "user control"? Sorry if I sound a bit confused but I'm not sure I follow your terminology.
EDIT to my last post: I did log a call with Capita on this subject. But by the time I was actually put on to the "relevant department", it became apparent that the person didn't even know the difference between Windows "permissions" and "rights", so I gave up straight away with that... grr! Why can't you find technical people on technical support desks I ask?!
A Windows account to which you can give certain rights via group policy and ACL rights on the directories, with its own application shortcuts.
Then in Sims the LA would have their own account already set up in which to set up accounts, groups etc.
The specific user account would then only have access to the Solus 3 and the SQL applications shortcuts, to which read/write ACLs would have been set on the directories where these apps run from.
In using ACLs on the directories where these apps and all their files run from, you will be able to stop any other directories and apps from being run by that specific user; therefore you would supply the LA with that specific user account to log in with so they can do their usual best.