1.3.1 General procedure for determining the settings to be specified for each user account
If there are a large number of employees distributed across multiple locations in the organization, a single system administrator might not be able to manage all the devices and hardware assets of the entire company. You (system administrator) can solve this problem by dividing system management tasks among several administrators. In addition, by specifying the permissions, task allocation, and administration scope for the user account of each administrator, you can limit the scope of information to be managed by each administrator.
To determine the permissions, task allocation, and administration scope to be specified for each user account:
- 1. Determine the responsibilities of each administrator.
-
Determine the system management tasks to be assigned to each administrator. For example, there are various system management tasks that include creating and assigning a security policy to computers, managing devices, managing software licenses, distributing software to computers, and managing user accounts. Assign these tasks to each administrator. For example, decide that Administrator B from the Security Division is responsible for creating a security policy and then assigning it to computers.
- 2. Determine the settings to be specified for each user account.
-
Determine the settings to be specified for each user account based on the responsibilities of each administrator. You can restrict the scope of operations to be performed by each administrator by using a combination of permissions, task allocation, and administration scope specified for each user account.
Example of how to set each user account
The description below assumes an organization with the following structure:
The following table describes how to set a user account of each administrator based on their responsibilities:
Administrator's name |
Division under Information Systems Department to which an administrator belongs |
Responsibilities |
Settings specified for each user account |
||
---|---|---|---|---|---|
Permissions |
Task allocation |
Administration scope |
|||
Administrator A |
General System Management Division |
|
|
All tasks |
All departments |
Administrator B |
Security Management Division |
|
|
|
All departments |
Administrator C |
Asset Management Division |
|
|
|
Information Systems Department |
Administrator D |
|
|
|
General Affairs Department |
|
Administrator E |
|
|
|
Sales Department |
|
Administrator F |
|
|
|
Development Department |
|
Administrator G |
|
|
|
In the above example, Administrator A is responsible for the overall system management tasks, including overseeing system management tasks and managing user accounts. No restriction is therefore applied to the permissions, task allocation, and administration scope specified for Administrator A's user account. Administrator G, on the other hand, is only responsible for managing the assets of Development Department. Restrictions are therefore applied to Administrator G's user account settings so that Administrator G only has the System Administrator permission in Development Department. In addition, because Development Department is large, tasks are divided between Administrator G and Administrator F, and Administrator G is only responsible for registering asset and contract information. Task allocation for Administrator G is therefore restricted to asset management that is required to register asset and contract information.