At first i thought you were talking about basic groups, as in UDGs etc.
You really ought to have system manager permissions if you are the data manager, and usually, that will also mean SIMS manager. However, in some schools, SIMS manager may fall onto the IT team, as data manager is kept separate as an assessment area role. If you are doing extra things that make you the best person to be SIMS Manager then maybe they need to re-assess your role and the responsibility you have.
As you'll see on many threads that, system manager permissions doesn't actually give you a heck of a lot of rights. Many a time people can't do something and assume that sysman rights gives them superuser rights. The permissions structure is well sorted so that you'd explicity need other roles to carry out certain tasks.
That being said, there is extra access that comes with system manager, not least the ability to give yourself extra permissions and remove them again, so you can see what may worry the management. Also, i doubt that even with the new sysman 7 that there is any acceptable level of audit so that any untoward behaviour could be monitored. Sysman does give you access to some parts of the personnel file, even though it's the basics, address, DOB, phone / email, it's something they may not want to release.
Although it is possible to create a custom group to try and give you part of the permissions for just adding people to groups, it is notoriously difficult to give a part of a permission as one part often relies on an ability to view another, or on saving it validates other parts of the screen which if you can't access, wont work.
Download a copy of the permissions spreadsheet if you don't have it already as it gives a good idea of the scope of different roles. If you're not getting any joy from the IT team, perhaps there is someone in management that can take on that permission and allocate the roles on your behalf. In the old fashion of schools, the bursar would have had those rights as well as school admin and many others.
Maybe if you speak to the management / line manager not with a view to getting this permission that they have already vetoed, but finding an easier and quicker method to get the end result you need, they may side with you or come up with a workaround. They may see it's not such a bad thing for you to have, or resolve the issue with getting it done quickly.
If possible try to get a test system setup if you can on a laptop or otherwise, which will allow you to have extra permissions and then play with sysman groups. I understand that may be difficult. Unless someone else here has the time to try... (hint )
It is frustrating, but hang in there. If you and you team have the access you need to get your jobs done, then just make sure you document when you're putting your requests in, so that if anyone complains about access, you can say you've done your bit. Or, send the other people that need access direct to the IT Team or higher ups. Like bossman said, if you all take a step back, and try to discuss it again, you may find they are quite amenable to your request or at least will speed up doing it for you, as at the end of the day, you're making things easier for them.
*makes standard complaint of "if SIMS had usable audit trails, this would be less of an issue"*
When you hire sysadmins, it's a case of "Trust, but verify" (i.e remote logserver that normal admins don't have access to). You can't do that with System Manager - the ability to elevate privileges, commit an action and demote privileges again without any real audit trail is a problem. No, System Manager 6's laughable excuse for an audit log doesn't count.
Here, there's 3 people with SM rights: myself and two DHs (we don't have a dedicated SIMS person). I've worked with them for years and we trust each other to a) not get up to shenanigans, b) let me know promptly if they bork it up. I can't say I'd trust all our staff to do that.
Last edited by vikpaw; 26th September 2011 at 09:49 AM.
Thanks for your reply vikpaw, I do understand the problem they have in some respects, and as suggested I did ask for my role to be looked at and for me to have responsibility for the permissions of individuals, for the reason that IT already give staff way too many permissions which may compromise my assessment data. I am as you stated - a data manager who heads up the assessment team, not an IT person really.
Would it be possible for you write down exactly what my IT people need to do to give me access to edit/view permissions but exclude me from other stuff I don't need. Granted I could use the permissions to add myself in to the group, but then that would be professional misconduct and surely they cannot assume I am going to do that!
The problem is, it's not easy to only give you those permissions, if you look at the attached photo, i don't think you will be able to only edit groups, you need to edit the users' memberships and i'm certain you will end up needing the full rights that sysman has which includes looking at personal info etc. If i get a chance to play with it on my test server i can give it a go, but i'm really busy at the moment. The problem is that editing permissions, inherently involves seeing quite a bit of personal info. Maybe you could just ask them to be explicit about what they think it will give you, because as i said earlier, people often think sysman has super rights to everything when in fact it doesn't. i have made a GOD group which does have superduperrights for the purpose of troubleshooting, but nobody is in it unless it's required for a short period.
Ok thanks - I will ask them what they are worried about me seeing, they may be worried unduly. Although I do suspect the main reason is that their sims knowledge is minimal and they don't know how to grant me the perms in the first place.
Well it's rather crude, but if you look at the official summer sims permissions sheet and compare assessment co-ordinator which you have with system manager which you want, then the things sysman can do is rather innocuous on most if not all counts.
Only use mine as a guide, i'd suggest doing the same yourself, and maybe keeping in things that you can already do that a sysman cannot as that's a longer list i think.
If they don't know what they are talking about, show them what you're really after.