BSOFH: This is your identity and access management system on drugs.
So I’m starting this blog entry just to annoy another blogger, ignoring the stack of request forms on my desk waiting to be signed, when my boss walks in.
“We have a problem,” he announces.
“Who-um ‘we,’ Paleface?” I mutter into my McMigas.
“Excuse me?”
“Nothing,” I say more clearly. “What’s the problem?”
“The problem,” he says, “is that we have three department heads waiting to get access to the SSO portal.”
“...And?” I prompt him.
“And ... well, do something! Set them up.”
“Oh, I don’t do account creation,” I purr. “That’s all automated.”
“So how do they do it?” he asks impatiently.
“They go to this URL --” I scribble on a Post-It note—“and fill out the form and click on Submit.”
“And then they’ll be set up? Isn’t that kind of dangerous? I mean, anybody could fill in that form.” My boss is finally starting to show signs of thinking like a security pro.
“Don’t worry,” I reassure him. “They have to be approved by a Requester.”
“Who’s a Requester?”
“That’s the person who gets their request and then approves it. They get a notification by email that a request is waiting for them, they log in, and they approve it.”
“But isn’t the Requester the one who needs the account?”
“No, the Requester is the approver. The User is the one who needs the account.”
His eyes start to glaze over, but he makes an effort to stay with me.
“So the Requester approves it ... and then what?”
“Then it goes to the Approver.”
“Say what?”
“We have two layers of approver in our system. It’s very secure. First the User submits the request, then the Requester approves it, then it goes to the Approver for Administration.”
“Who’s the Approver?”
“It depends on what the User is requesting. It’s automatically routed.”
“Okay, so the department head fills out the form and submits it. How soon will the approver approve it?”
“You mean the Requester,” I say helpfully.
“What?”
“The first approver in line is the Requester.”
“Oh, right,” he says. “So how soon will it get done?”
“I dunno,” I say. “It could take a while.”
“Can’t we just call the Requester and ask them to approve it quickly?”
“We could ... but ...”
“But what?”
“The User’s request goes to the Requester for that department.”
“Who is the Requester for the department?”
“The department head.”
“Wait a minute,” he says, struggling. “Do you mean to tell me that the department head is the Requester, but he can’t get his request approved because he’s supposed to be the Requester?”
“That’s right,” I reply calmly.
“Well, then, how do we set him up as a Requester?”
“Oh, that’s easy. He requests it by going to this URL and filling out the form ...”
A strangled sound emerges from my boss. It sounds very much like a constipated duck asking for a suppository.
“No, really, it’ll be okay,” I tell him. “If he’s asking to be added as a Requester, that’s a different application, and it goes to a different Requester for approval.”
“Who’s the Requester?”
“One of my staff. They’ll approve the request for him.”
“And then who does it go to?”
“The approver for the application that lets you approve,” I say very slowly. It doesn’t help.
“So to get set up as an approver --”
“Requester.”
“Okay, Requester. To get set up, you have to request the application that lets you be set up as a Requester. And the Requester for that application is ... on your staff.”
“Right.”
“And when your Requester approves it, who is the Approver for that request for that application?” It’s a Herculean effort, but he’s starting to get it.
“I am.”
“You’re the Approver for the requests to be made a Requester?”
“Yep.”
“You’re the Approver for everything around here?”
“Oh, no,” I say. “We have a separation of duties here. I just approve the requests for this application. Not all the other ones.”
“So there are other Approvers for the other applications. How do they get set up?”
“Well, first they go to this URL ...”
“Stop, stop, stop,” he says, starting to look frantic. It’s too late for him to stop; he’s at the top of the first hill and it’s too late to get off the ride. “They request to be an Approver, and a Requester approves their request?”
“Exactly right,” I beam at him.
“But you approve ...” He stops dead in the water.
“I approve the requests for Requesters and Approvers.”
“But ... how did you get approved to be an Approver for all the other Approvers?”
“Easy. I just went to this URL ...”
It took my minions eight hours to clean all the brain matter off the framed Demotivator posters on my walls. But I didn’t charge it against their comp time.
Posted by shrdlu on Sunday, August 19, 2007(8) Comments • Permalink •
