This is an automated archive made by the Lemmit Bot.

The original was posted on /r/maliciouscompliance by /u/MosiTheLion on 2024-08-21 12:17:35+00:00.


In my first job, I worked in IT as an access and permissions administrator at a large company with significant technological debt. The environment included custom software dating back to the Windows 9x and even DOS era. Initially, the work was quite tedious, involving a lot of back-and-forth communication between multiple departments. We had to ensure that each employee had the necessary training and documentation to access data in the scope requested by their manager. Additionally, we needed approval from the manager of the department related to the system role in question. On top of that, the company’s excessive paper-only bureaucratic workflow made the work go at a snail’s pace. A single SAP account for a blue-collar worker required at least three forms signed by different people.

The heads of departments responsible for signing those papers didn’t feel any urgency to send them to us quickly. A good example of this is when I myself waited over two weeks after being hired in the IT department before my first account was set up. Until then, I only had a guest account that allowed me to access the main internal website with the company’s procedures, regulations, and other basic information.

Up to this point each signed form had to be physically delivered to us, which was agonizingly slow given that the company had multiple branches. We decided to automate away the paperwork. Our first step was to allow the use of scanned documents. It was a partial success: while it eliminated the courier delays, management still required us to sign the physical copies afterward, which we mass-stamped at the end of each month.

The next step was to introduce a fully electronic workflow. We faced significant resistance from upper management, so we had to settle on a system that mostly replicated the existing paper processes. Despite this, it was a game changer. We created presets that managers could select and customize as needed, using data from these customizations to create better-fitting presets. We also developed workflows that automatically generated and assigned subtickets for necessary approvals and tracked how long they took, sending reminders if needed. And finally, we got approval from HR to access layoff data to generate user block/removal tickets.

Some time after we rolled out the new system, the HR/Payroll manager made a big fuss. She was furious that her team was still waiting weeks to get their permissions and questioned whether all our work had been for nothing. That really struck a chord with me. Inside, I was overjoyed, but I did my best to keep a neutral expression. At that time, we were working on summary reports with burndown and bottleneck charts, and I already knew that tickets requesting HR/Payroll access were spending most of their lifespan waiting for her or one of her sub-managers to approve them.

The manager immediately went on the defensive, claiming she couldn’t keep up with the number of tickets. She then requested a change: she wanted any request from her employees to be automatically approved within the relevant scope of their sub-department. For example, a request for an HR worker to have full HR access and limited payroll access would be automatically approved for HR access but not for payroll, and vice versa.

I was sceptical but wasn’t exactly in a position to argue. I asked my boss to join the discussion and explained that the goal was to prevent overly permissive approvals that could lead to unauthorized access. I tried to convince her to brainstorm potential edge cases together before making a blanket approval, but she was already set on her decision and wasn’t interested in discussing details. My boss shrugged and said it would be her responsibility. He told her to write up an official document outlining the change, and we would proceed with the implementation. The only request we had was to include a line that each such request would still be created, assigned as normal and marked as “automatically approved by (name of the main HR/Payroll manager) decision”. I uploaded the scan into our system and, anticipating that it would eventually backfire, made a photocopy to keep handy in the top drawer of my desk; the original copy went to the archive.

A few weeks later she stormed into our room. The speed with which she flung open the door made it clear she was furious. She demanded to know why we had granted full access to payroll data to her subordinate. I think it was the only time I ever heard anyone yell in the company. I calmly reminded her of her request to automatically approve in-department access requests. She wasn’t having it, explaining that one of her low-ranking subordinates from the Payroll sub-department had accessed the salaries of everyone in their department, including managers, and was unhappy with the paycheck disparity. Isn’t it obvious that they shouldn’t be able to do that?

“Well, yeah, to a human, but that decision was automated away by your request.” I handed her a copy of the document she had signed, which instructed us to automatically approve any and all such tickets without exception. Immediately afterward, she asked us to roll back the change while she wrote up another document to cancel the previous one. In the following days, she meticulously reviewed all those tickets and asked us to reduce access for several users. I have to admit, she did a thorough job and kept up a good pace in reviewing new requests - doing it daily instead of once every week or two as before.

In the end, we managed to distill a subset of permissions that could be approved automatically and proceeded to implement a similar approach with other departments.

P.S. I don’t know whether that Payroll employee managed to get the raise, but I’m sure they weren’t fired, as we didn’t receive any tickets to block or remove any accounts from that department in the following months.
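The two approval policies from the story side by side, as an added illustration that is not code from the original post or the company's system: the blanket "anything in your own sub-department" rule the manager asked for, the later reviewed allowlist, and the post-incident review that finds auto-granted permissions the allowlist would not have passed. Permission names, sub-department names and the ticket samples are constructed assumptions.

```python
from dataclasses import dataclass, field

MANAGER_NAME = "<HR/Payroll manager>"   # placeholder; the post does not name her

# Constructed low-risk subset per sub-department (assumption, not from the post).
# Anything outside it still needs a human approver.
REVIEWED_SUBSET = {
    "HR": {"hr.read_own_team", "hr.edit_own_team"},
    "Payroll": {"payroll.read_own_records", "payroll.run_monthly_report"},
}

@dataclass
class Decision:
    granted: set = field(default_factory=set)     # approved automatically
    escalated: set = field(default_factory=set)   # routed to a manager subticket
    note: str = ""                                # audit marker written on the ticket

def _route(permissions, is_auto_ok):
    """Split a request into auto-granted and escalated permissions; the ticket is
    still created and marked so the decision is traceable to the signed memo."""
    d = Decision()
    for p in permissions:
        (d.granted if is_auto_ok(p) else d.escalated).add(p)
    if d.granted:
        d.note = f"automatically approved by {MANAGER_NAME} decision"
    return d

def blanket_policy(sub_department, permissions):
    """Policy as requested: any permission in the requester's own sub-department
    is auto-approved. The sensitivity of the permission plays no part, so a
    Payroll clerk asking for every salary in the department sails through."""
    prefix = sub_department.lower() + "."
    return _route(permissions, lambda p: p.startswith(prefix))

def allowlist_policy(sub_department, permissions):
    """Hardened policy: auto-approve only the reviewed low-risk subset; anything
    else, in-department or not, waits for a human approver."""
    ok = REVIEWED_SUBSET.get(sub_department, set())
    return _route(permissions, lambda p: p in ok)

def review_auto_approved(tickets):
    """Post-incident review of (requester, sub_department, permissions) tickets
    granted under the blanket policy: report what the allowlist would not pass,
    i.e. the access that should be pulled back."""
    findings = {}
    for requester, dept, perms in tickets:
        excess = blanket_policy(dept, perms).granted - REVIEWED_SUBSET.get(dept, set())
        if excess:
            findings[requester] = excess
    return findings
```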