Corporate (non)security.

“Hello systems security, this is wolfman badge number 1234567. I need to get access to the restricted data tab on the XXXX application.”

:We cannot give access to that tab it is restricted:

“Then it was named well. However I didn’t give you my badge number because I wanted you to call back and invite me out for coffee. I gave it to you so that you could look it up in the security profile manager and see that I am supposed to already have access.”

:If you are supposed to have access then why don’t you?:

“More or less because someone on your team screwed up. At the time my XXXX app full access profile was created it should have been granted, but it wasn’t”

:Why didn’t you have it fixed till now:

“Well because I didn’t realize it till now. You would see, if you would open the security profile manager, I am the XXXX app support team lead. I have access to the entire database including the restricted data. I always view it through the database. However now I need the permission to the tab on the WebSphere front end.”

:That tab is restricted, we don’t give everyone access:

“I am aware of that as the last dozen or so of my sentences should indicate. However I should have access to it already, I didn’t notice I didn’t have it, because I didn’t need to use it. However I do need to use it now. The tab is showing bad data for a record, but the database is all spiffy. I need to open the tab with debug running so I can see what the app is trying to do wrong.”

: Approval for that only comes in certain positions:

“Yes and I have one of those jobs. In fact I already have the permission right there in the profile manager, now I just need the tab granted to me.”

: (sigh) I will send you an email telling you the process to get what you need:

“I don’t really need that. You see I know the process, and am presently engaged in it. I (that’s me) call the security team (that’s you). Then you (you again) check the security profile, and either run the access propagation script, or you (still you) can even click the little button that says “grant access to restricted tab” or you can even add XXXrest_tab=‘Y’ directly to the LDAP entry for me I am not picky on how you… GAHHHHHH… WHAT THE HELL!!?”

:is there a problem:

"NO THERE IS NOT A PROBLEM THERE ARE ABOUT A DOZEN! I just got your process document, let me start at the beginning.
First this shows how to access the data directly in the database, which I was just explaining to you I have been doing all day and most of the last 3 months.

Second I wrote this friken document, did you skip the ‘Author: Wolfman’ part?
Third, I wrote it for two specially selected users who need batch update access to the database. It is confidential because it has a highly restricted audit_update user password, which I see is in there.

Fourth the document had nothing to do with the restricted data tab because no one should be batch updating to that (well other than me), but I see someone has pasted in a section in light green that shows how to query the restricted tabs.

Fifth: The query in there is garbage. It was written by some luser with a SQL for dummies book until they got something that looked right. But it is missing half of the required join conditions. It is a runaway that is bitch slapping the crap out of the database shared-pool every time it is run. Plus the data retrieved is worthless. Without the required joins it is showing licenses for people that are expired or never existed.

6th. The batch update part is still in there. If the idiot who wrote the query decides to jerry-rig a restricted data batch update they will trash the entire database because you gave them the audit_update password, which I didn’t even know because that is managed by your team, and has serious accountability overhead, that was added after the doc passed out of my hands.

and 7th: Even if all those other things didn’t exist your team came up with the plan of stopping people from possibly looking at one restricted record through the front end, you are giving them access to hundreds of thousands of restricted records in seconds. That’s like stopping someone from drilling a hole in a dam by offering to trade them their drill for a pile of dynamite and a diagram of the structural weak points.

And 8th… ehh screw 8th and on, I have to get this mess straightened out, bye"

: If the document doesn’t help send an email to Mike XXXXX:

“Yaahhh ok, that explains something. Mike is my boss. If anyone sends him an email he gives it to me. Then I explain to the person that I cannot just give out restricted data, that is not in my responsibility. I have to tell them to open a ticket with the security group (hey that’s you once more) to have the access request reviewed and approved. Then you guys send me a request for the exact data that was approved then I send to him.”

: (silence):

“anyway I have to call Vijay and tell him to change the audit_update password now.”

:Vijay XXXXXXX? He is my boss’s boss!:

“Yes I know that. Since I have to call him to get this mess straightened up I’ll just have him grant me the tab access.”

So that turned out for the best. The process works.

Good lord! This sounds like the backwards shit I have to deal with where I work, too (not security, but I’m the sole Win32 developer and people turning around and completely changing app requirements, etc. w/o telling me and then wondering why it doesn’t work, etc.)

You have my sympathy… :smack:

Please please please tell us how the call to Vijay went!

Good God. I just went through something similar. I am THE data and conversion analyst for a system that we just converted to.

I go in the back end and manipulate thousands of records at a time manually.

Can I get access to use the actual application to create and delete a record so I can record the process the application uses and the tables it touches? Hell no.

(I did finally get it, but it took 12 emails and 3 frustrating days).

Move to a small company.

Me: What’s the password for X?
Someone else: It’s Y.
Me: Thanks!