Solutions for sharing a single Domain account across multiple individuals

ETA: Tell me, Mangetout, if you care to and (here this is addressed as well to the other posters): Are parts of your system currently or eventually selectively (“privately”) published via HTML, for one thing, or does Windows permit something like the following:

Again, I’m now working with Google Admin, which has default access to any number of users, groups, authorization levels and individual or group passwords, etc., with selective authorization for any user or group to internal domain functionality and to external apps which have any sort of usable API.

Or else I’m barking up the completely wrong tree, and never mind…

ETA: You’re the Shrimp Guy, aren’t you? (IRL reference obscured for privacy)

Yes, he is.

It’s a Windows domain - controlled by a collection of Windows servers providing AD, DNS, and other related services - the domain spans a local network and (via VPN tunnels) a group of servers that live in Microsoft Azure.

Not really. The end users are logging into Windows, and then opening up a telnet client and via that, logging into a sort-of* multi-user ERP system.

*Sort-of multi user because many users can log in simultaneously, but there is very strict and quite clunky locking of records or whole functions - if user A opens up the outstanding order list, no other users can get into it until he comes out (or a system administrator forcibly evicts user A).

So if we gave the 6 people in the department separate Windows user accounts, one of them could open this function, lock his screen and walk away, and even though his colleagues could still log in, they would not be able to open the function and production halts - this is really shit, but we’re well and truly stuck with it - and the solution to date is for everyone in the department to collectively or individually impersonate ‘user A’, on a single computer.
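Once a whole department signs in as ‘user A’, the domain’s logon records no longer say who was at the keyboard; one compensating control is to alarm when that account turns up on anything other than its one designated computer, or on two computers within a few minutes of each other. The following is an added example, not from anyone in this thread, written in Python over constructed 4624-style logon records; the account name, host names and the ten-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 logons, reduced to the
# fields that matter here: time, target account, source workstation, logon type.
# 'user_a' stands for the shared department account and 'DEPT-PC01' for the one
# machine it is supposed to be used on. Hypothetical names, not from the thread.
SAMPLE_LOGONS = [
    ("2024-03-01 08:02:11", "user_a", "DEPT-PC01", 2),
    ("2024-03-01 08:05:40", "jsmith", "ENG-PC07", 2),
    ("2024-03-01 09:14:03", "user_a", "DEPT-PC01", 7),   # unlock on the same PC
    ("2024-03-01 09:20:55", "user_a", "LAPTOP-22", 10),  # RDP from another host
    ("2024-03-01 13:45:19", "user_a", "DEPT-PC01", 2),
    ("2024-03-01 13:47:02", "user_a", "ENG-PC07", 3),    # network logon, other host
]

# Shared account -> the only workstation it is permitted on (assumption).
SHARED_ACCOUNTS = {"user_a": "DEPT-PC01"}


def audit_shared_account_logons(events, shared_accounts, window=timedelta(minutes=10)):
    """Return findings for shared accounts used away from their designated host
    ('off-host') or from two different hosts within `window` ('concurrent'),
    which usually means two people are using the account at the same time."""
    findings = []
    recent = defaultdict(list)  # account -> [(time, workstation)] seen so far
    for ts, account, workstation, logon_type in events:
        if account not in shared_accounts:
            continue  # personal accounts are attributable; not in scope here
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if workstation != shared_accounts[account]:
            findings.append(("off-host", account, workstation, ts, logon_type))
        for prev_t, prev_ws in recent[account]:
            if prev_ws != workstation and t - prev_t <= window:
                pair = f"{prev_ws}+{workstation}"
                findings.append(("concurrent", account, pair, ts, logon_type))
                break  # one concurrency finding per event is enough
        recent[account].append((t, workstation))
    return findings


if __name__ == "__main__":
    for kind, account, where, ts, ltype in audit_shared_account_logons(SAMPLE_LOGONS, SHARED_ACCOUNTS):
        print(f"{ts} {kind:<10} {account} {where} (logon type {ltype})")
```

On a real domain the same logic runs over 4624 events pulled from the domain controllers or a SIEM; logon type 10 (RDP) and 3 (network) from unexpected hosts are the ones most worth a page-out.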

I am, but this question is related to my day job, not my website or channel (there’s no particular need for privacy in that matter BTW - I don’t mind if anyone here knows I am the Atomic Shrimp guy)

I worked on a very similar project a few years back - an Engineering department at an Airport where the staff had a few shared PCs and required access to a number of technical applications. The historic approach was that one person logged on to a shared Domain account and the PCs never locked the screen.

The target solution was Citrix thin-clients and individual Smartcards used as the only Login factor - present the Smartcard, access granted to their personal Citrix session regardless of Access point.

I moved on before the project was complete - it was hampered by separate international vendors providing the 3rd party Citrix thin-clients and the Smartcard infrastructure/Microsoft GINA (authentication framework) integration. But it was getting very close to production ready, and worked well for the customer.

I don’t know about Yubico. The traditional typical implementation was smartcard + PIN, but it depends on the authentication system and the installation and the implementation and… “two factor” solutions like Yubico are marketed at people who desire off-site access with unregistered devices, but that doesn’t mean that they don’t /also/ support other scenarios: you need to actually talk to a salesman.

I have another approach I’d like to suggest. Please let me know if this might work for your situation.

Have you considered using a third-party service like JIRA? Or a CRM system approach with trouble-tickets? This way, the items come in and they can be assigned to team members in handling, if that’s helpful.

One of the problems I have seen with a general mailbox shared by a team is that there is no follow-up with the person who is assigned to do the work. A general mailbox for a team doesn’t help track the workflow and see what status it is in.

You mean replace the production system with something designed and built this century? Sure - great idea, but never going to be allowed to happen.

Is this because of office politics? Or because of cost? JIRA isn’t that expensive to use. I know of a trouble-ticket system that works with a popular CMS that is also cheap.

If it’s because of office politics, you have my greatest sympathies. That’s far more difficult than any technical problem to solve.

It’s interesting - and here I suppose impossible due to the economics of the IT industry: if I were a producer of Ferrari ERPs and someone tried to find the best place to put a tractor hitch, I would say that any ERP system worth its salt would bitch loudly until told to accept the bad news you describe, and then suggest some workarounds at its end.