23 Replies Latest reply on Oct 30, 2013 4:45 PM by bbenton

    How did you organise admin people and groups?

    bbenton

      We are up and running with Jive 6 on prem, it's very exciting!

       

      I'm thinking about how to organise admin people and groups. I prefer not to run with elevated privileges on a system, as I don't always see what others see, but we have SSO with SAML and anything else is going to be trickier to set up and manage.

       

      My main concerns are that there is accountability and traceability on actions so things are dealt with quickly and consistently, but it must also be easy to receive the notifications and act. And of course we need to extend admin functionality to others at some point. I can do additional SMTP aliases or mailboxes but want to ensure I future-proof this as well as meet the requirements mentioned.

       

      Also, has anyone appended (Admin) or something like that to their user name? I wonder if people should know what capacity you're posting in or maybe I'm just overthinking it. SSO and SAML kind of makes me go back to thinking I just leave it as it is with me with Full Access under my own name, but then I would still like a backdoor non-admin account in order to see what others see. I've set one up but don't know how to bypass SSO to use it! I know how with the system admin account.

       

      Anyway, just wondering how you went about this please, thanks.

       

      B

       

      PS Hope those of you there are enjoying JW13, I am watching some on the web and following on Twitter.

        • Re: How did you organise admin people and groups?
          bbenton

          Just to be cheeky, and take pity on a poor person who couldn't go to JW13 despite travelling from the UK to SoCal in order to get our on prem Jive6 instance up the week before <tiny violins>, Roguen Keller, Ryan Rutan, Claire Flanagan, Shirlin Hsu, Carrie Gilbert, Tracy Maurer, Lauren Klein and Megan Truett, would you be willing to share your thoughts on this please?

           

          Many thanks

          Belinda

            • Re: How did you organise admin people and groups?
              roguen

              Hi Belinda,

              I didn't attend any JW tracks that pertained to this specific question, but I think I can provide some insights around what we did in our communities.

               

              For HDS we created separate, non-federated users for our admins.  These do not go through the SSO system; they only live in the community where they were created directly.  For these we made the first name our first name and the last name "(Community Admin)".

              So mine would read "Roguen (Community Admin)"

              These accounts have full privileges in the community.  So really, it's a lot like you were talking about.  To log in with this user, use your community name and /admin:

              http://www.mycommunity.com/admin

              This will take you out of the SSO login path and directly into the admin console.

               

              Again, just as you identified here.  We made these emails forward onto our regular emails in case they were notified of something.

               

              What we didn't want was for our regular users to be able to see into Executive level private areas.  So we use a non-full admin user for our day to day.

              When someone logs in with the full rights admin, there is some good accountability.  We can see this user executing in the logs and we know when they last logged in should there need to be any tracking.  (Would be nice to also have some IP address/location tracking as well, but I don't see that.)

               

               

              So it looks like you have it figured out for the most part.  You just need the url above to log in through the admin console.

                • Re: How did you organise admin people and groups?
                  bbenton

                  That's perfect and exactly along the lines I was thinking, thank you. I'd just missed the bit where I use my SSO account as non-admin and my other local account as admin, obvious now you point it out! And now I get how I would be notified of things needing attention without needing a separate smtp alias or mailbox, spot on. <gives props>

                  • Re: How did you organise admin people and groups?
                    Carrie Gilbert

                    I unfortunately don't know of any official best practices around this—I find different customers have unique enough requirements around access and compliance and such that approaches tend to grow more organically at this point. But what Roguen's described is very similar to how we manage this internally within Jive as well. I think we add an underscore or other character in front of the admin versions of people's regular LDAP logins (e.g., "_carrie.gilbert"), which is admittedly not quite as transparent as the "(Community admin)" approach.

                     

                    Re: hiding the accounts, outside of manually browsing the user directory, the only time I've noticed our own admin accounts within Jive is on the rare occasion that someone inadvertently does something in the community while logged in as an admin. Since they are generally such a silent participant, it doesn't take much for them to trend. That said, I've only seen that happen maybe 2–3 times over the last several years.

                • Re: How did you organise admin people and groups?
                  tmaurer

                  There is at least one other thread where a bunch of people discussed how they manage this. Here is the first one that I found, but it is by no means the longest. I know there was one that got quite a few responses from many different people. If you want some more feedback, I'd suggest trying a search for it.

                  How do you balance admin rights vs your personal account?

                  • Re: How did you organise admin people and groups?
                    wesley.goldstein

                    Hi Belinda,

                    JCS recommends that you just do your admin work with your regular account. It makes things easier. Whether you log in with an admin account, it is just another two steps to see what everyone is doing and since the Audit logs can capture who did what, regardless of the account they use, it really doesn't matter if you use an <Admin> account or not. You should also have a test user account to test specific use cases. The difference in this way is that you normally spend a majority of your time doing the Admin and other work, which would be on your normal SSO account, and a very small time testing use cases and theories with the test account, so using this logic, it makes sense to make the account you use the most the easiest one to access and use. We can talk more this week when we have our phone call.

                      • Re: How did you organise admin people and groups?
                        bbenton

                        I see too much deleted and private content, it's confusing. Also I think to encourage adoption it's better if people know I'm not seeing their private chats and privately shared docs as a matter of course. We also need to future proof this for growth and adding more admins. It's just best practice to never run with elevated privileges day-to-day. I'd rather do this via groups and adding people in and out of them.

                          • Re: How did you organise admin people and groups?
                            bbenton

                            Oh, and separate admin accounts of course.

                            • Re: How did you organise admin people and groups?
                              it2000

                              "I'd rather do this via groups and adding people in and out of them." sounds like a good idea. We use something similar (not a one-click but a script to execute) to allow developers (admin) access to production servers for some hours (not related to Jive). Auditing will also be enabled for the account and the server administrators also get an email notification.

                              It should be possible to build something similar for Jive, maybe a small app which allows moving users to the admin group for some hours. So one can always use the standard account and give it more privileges if needed.

                               

                              Other companies and products have similar issues:

                              Microsoft/Windows7 allows privilege elevation - a normal user cannot install programs or change the date/time.

                              Atlassian/Jira (web application) has an "Exit Administration" and an "Administration" button where one needs to provide the password again to get temporary admin rights.

                              1 person found this helpful
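The time-boxed admin-group idea in the post above, sketched as an added example that is not from this thread or from Jive: a grant with an expiry, a check that honours it, and an append-only audit log of every elevation and revocation. The group name, the in-memory store and the no-self-approval rule are assumptions; a real deployment would call the community's user-management API and send the notification email it2000 mentions.

```python
# Added example, not Jive code: time-boxed admin-group membership with an
# audit trail. Group name and store are constructed placeholders.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ADMIN_GROUP = "community-admins"   # placeholder group name, not a Jive identifier


@dataclass
class Grant:
    user: str
    group: str
    granted_by: str
    reason: str
    expires_at: datetime


@dataclass
class ElevationStore:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # append-only event log

    def _log(self, event, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **detail})

    def grant(self, user, granted_by, reason, hours=4, now=None):
        """Elevate `user` for `hours`; a reason is mandatory and self-approval is refused."""
        if not reason.strip():
            raise ValueError("a reason is required for audit purposes")
        if user == granted_by:
            raise PermissionError("users may not elevate themselves")
        now = now or datetime.now(timezone.utc)
        g = Grant(user, ADMIN_GROUP, granted_by, reason, now + timedelta(hours=hours))
        self.grants.append(g)
        self._log("elevate", user=user, by=granted_by, reason=reason,
                  until=g.expires_at.isoformat())
        return g

    def is_admin(self, user, now=None):
        """True only while an unexpired grant exists for `user`."""
        now = now or datetime.now(timezone.utc)
        return any(g.user == user and g.expires_at > now for g in self.grants)

    def expire(self, now=None):
        """Sweep expired grants (run from a scheduler); returns the users revoked."""
        now = now or datetime.now(timezone.utc)
        done = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in done:
            self._log("revoke", user=g.user, reason="expired")
        return [g.user for g in done]
```

Because the audit list records who elevated whom, why and until when, actions taken during the window can be tied back to the standard account without a second login.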
                                • Re: How did you organise admin people and groups?
                                  bbenton

                                  Yes, although I'm quite happy with a separate admin account too so specific actions are logged against that, but groups are definitely the way to organise I think. I can see the argument for visibility, and it's a good one, but I am trying to get out of the middle and facilitate people engaging with each other.

                                   

                                  Another example - how can you see what others can see if you are running with elevated privileges, especially Full Access? Someone has reported a Space permissions problem, they are right, I can see the problem too, but only because I am running with the same privileges as them.

                              • Re: How did you organise admin people and groups?
                                Megan Truett

                                Have to agree with Wes here, Belinda. What he recommended above has worked well for us. Having separate accounts I think would be more work and actually could be more confusing, especially as your community gets rolling and you have to quickly engage. "I need to respond to this ... hold on, log out ... log in ... ok, now I can respond." That's touched on in the conversation that Tracy referenced above. Also, from a community manager view, it's not necessarily bad to have your account be the admin account and for people to know that. People are more likely to reach out to Belinda the Community Admin than a faceless admin account. In my community, people know that I am the admin for it and they also know I can see everything if needed. Just because I can doesn't mean that I will, but it does mean that if they need some help on something in a private group, I can easily jump right in and take care of it so they can move on to the next. Honestly, people should know that everything they do at work can be seen by someone else, be it Jive, email or anywhere else. I actually think that running with elevated permissions daily is good because you know where you are at all times and you stay on your toes more easily. For example, I've seen people make the mistake of commenting on something in a private group while wearing the admin hat because they forgot that they were not in their "regular user" account.

                                1 person found this helpful
                                  • Re: How did you organise admin people and groups?
                                    bbenton

                                    Thanks Megan, I have another PC I use for the admin account - it doesn't work well to try and switch between Jive accounts on the same PC with SSO. I agree it's more setup work, at least initially, and I am nearly persuaded by your comments about the visibility of the Community Admin, but I still think it's best practice not to run with elevated privileges for day-to-day work, and a non-privileged account is very handy for troubleshooting permissions problems.

                                    • Re: How did you organise admin people and groups?
                                      roguen

                                      I suppose you could really argue it either way.  Very valid points here.

                                      From my personal experience, what I have found is that when someone is running full time admin they tend to test in Production rather than UAT:  "I can check the widget layout right here, whoops, I hit publish.  Forgot I was in prod."

                                      It's the same thing for me on a *nix box.  I don't log in as an admin user.  If I need those privileges I use a 'sudo' command. Just too bad there isn't something as easy as this in Jive.

                                       

                                      SSO can make things messy I'm sure.  If you want to have both on the same desktop then perhaps log in through SSO with your regular account.  Open a different browser (first one in FF, second in Chrome) and log in as your non federated admin account.

                                       

                                      The real hard stop for some of the communities I've worked on has really been the visibility issue though.  Those secret executive areas I mentioned before.  Jive introduces a strange problem: users a little further down the ranks in the company get to see everything (not to disparage the value of our community admins).  In one case the top level execs asked us to create a secret group in the community, make one of them the admin and basically "pinky swear" never to look inside of the group.  That's not only a problem from an internal resources perspective, but every time you invite a contractor in to work on your community (remember that they will see that content as well when a PROD->UAT refresh occurs).  Sure, NDAs are in place to prevent sharing, but if you were to make the mistake of accidentally posting in one of those groups as a full admin I'm pretty sure the execs would have a very difficult time dealing with the now missing illusion of privacy.

                                       

                                      Again, I don't disagree with the points made above.  And to be honest, I would expect that Wes and Megan have a better idea of what level of privacy and ease you need.  But I wanted to voice this opinion for anyone else who might be reading the thread.  It's worth consideration.

                                      1 person found this helpful
                                  • Re: How did you organise admin people and groups?
                                    bbenton

                                    One other thing <scope creep>: I'm finding a similar issue with Space permissions. The inheritance is great if you want the same space admins for all spaces, but would you generally do that? I'd have thought that each space would have its own admins. Again, I can set groups up for that, and I'm more comfortable with normal user accounts being able to administer spaces, but I'm just interested in the default settings. It all seems to point to individual admins performing all tasks.