using masteradmin considered harmful

[RobertGraham]

At the CPUG Conference 2007, I gave a talk on the Integrity server product and towards the end, chillyjim diplomatically reminded me that I was unwisely logging in as masteradmin. Since it was just a VMware test host and I *almost* never use masteradmin in production, I just shrugged it off.

After thinking about it though, it occurred to me that I'm guilty of setting a bad example. Even on a test system, I should exercise due care and strive to uphold best practices rather than sloth and carelessness. This is especially true when presenting material on the subject to some who might replicate such a mistake in a production environment without the knowledge that it's in poor form.

The proper practice is to create other admin users, preferably individually mapped logins, like alice, bob or jsmith. And with Integrity's role-based administration, it's rather easy to setup.

So please, if you find yourself logging in as masteradmin more than once in a long while, you'll definitely want to switch to user specific logins.

Robert


PS: A big thanks goes out to chillyjim, not just for alerting me to my mistake, but for doing it in such an adroit manner.

[unclerichard]

On a different note, I use my own personal login most of the time but always use the masteradmin account to modify any policy changes - purely so that the end userbase cannot see a real name against the policies in the integrity Client. In the past, we have been inundated with calls when IA is suspected of preventing user access to sites.

Cruel - but it does cause end users to follow the prescribed support chain!

Unc

[CSING]

Another important reason for two masteradmin's is in case a password is forgotten or locked out. This is especially ture with the embedded database.