Information technology tools and resources at the UW
20160316: Managed Workstation Group Management Changes
The Managed Workstation service will no longer make group membership changes on your behalf.
What and When:
On Friday, March 11th, we changed our position on whether we’ll manage your group memberships. We no longer provide that assistance.
What you need to do:
No immediate action is required on your part. This notice is advisory so you know that if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you.
In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. These are sometimes called “Nebula groups.” Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. A year ago, we moved group management to be an additional cost outside the core Managed Workstation rate. This is the next step in a progression based on a careful review of our practices in light of your needs.
We do not have adequate processes to provide group management services; in many cases you believe we are providing some process to ensure requests we receive are authorized or that we somehow know when to remove users who should no longer have access. This has led to many faulty assumptions, and we do not think your needs are being met. You are in the best position to manage your groups, so we believe from the perspective of needing good access control, this is the right step.
We do not provide any added value by making group membership changes for you. By having us make the changes you request, a delay is introduced while you wait for us to make your change. There is nothing special about the group membership changes we make—anyone can make that change. So from the perspective of timely changes made by those who decide who should have access, we believe this is the right step.
We do not think providing group membership management is a capability that is within the primary goal of the Managed Workstation Service. The core capability we provide is managing workstations. If you have a need for someone else to provide a group membership management offering, we believe the Groups Service would have the core competencies to provide that. The Groups Service provides customer assistance at no cost, so you can work with them if there is analysis or orientation needed. We’ll be happy to make sure you get connected with that service team.
The transition of your group will require three things:
- The existing group name or the Nebula file service path (e.g. “pottery” or i:\groups\pottery or u_nebula_pottery)
- A desired group name (e.g. we’d like to rename u_nebula_pottery to uw_pottery_filedir_pottery)
- A desired group of administrators for the group (e.g. the admins should be uw_pottery_roles_groupadmins)
We’ll walk you through this when you have a group change request, so there isn’t need to worry too much about these, but being prepared will make the transition smoother.
We will continue to provide assistance with:
- Setting permissions on Nebula file services (i:\groups included) –part of Managed Workstation core rate
- Helping you get the right eligibility group(s) set for your department–part of Managed Workstation core rate
- Getting a workaround for a Nebula file service failure–part of Managed Workstation core rate
- Analysis of your IT problems, like how to model permissions within Nebula file services to achieve your goal—billable at hourly consulting rates
- Analysis of your existing access management controls, like ‘what group memberships does Sally have so I can apply those same group memberships to Joe?’—billable at hourly consulting rates. Note1: we’ll help with this, but will not make the group membership changes on your behalf. Note2: The Groups Service would be a better choice to provide this kind of analysis.
Note: all of these examples are included in the recently published ‘What does the Managed Workstation rate include?’ document.
- we will happily transition management of your existing groups to you at no cost,
- there is no expected loss in functionality, and
- we suspect that this will mean lowered costs for the service (which could translate into a lower future rate you’d pay).
If you have concerns or questions about this update, please send email to firstname.lastname@example.org with “Managed Workstation Services group management change” in the subject line.