[WikiEN-l] Separating admin accounts from user accounts (Re: katefan0)

[Tony Sidaway]

On 5/28/06, Steve Bennett <stevagewp at gmail.com> wrote:
> On 5/28/06, Andrew Gray <shimgray at gmail.com> wrote:
> > Not that I'm sold on it, but if you're going down *that* avenue, just
> > RFA in batches of twenty or thirty and hand out accounts en bloc...
>
> I'm not sold either, but the debate should perhaps be had. There are
> basically three broad options:
>
> 1. "The borg" - all admins by default act through the same account. It
> is possible, but with difficulty, to determine who performed which
> administrative act. - Major problems of accountability of course.
> 2. "Pseudonyms" - each admin has an account used exclusively for
> administrative actions. At his discretion, he may disclose this link.
> Problems - maintaining the secrecy, convincing users that
> accountability is maintained, users having no idea of the history of
> each admin (where they suddenly came from...)
> 3. As current - problems: targetability, admins having more sway than
> is reasonable when acting outside their role (eg, content disputes)
> etc.
>
> Comments and opinions pls.

This proposal doesn't seem to have any advantages that I can see, but
I can think of one or two major ones.

If you can't tell the identity of the person who performed an
administrator action, then there's no way to detect administrators who
abuse their powers to gain advantage during a content dispute.


If you have the "borg" solution then it becomes very difficult even
for the system to track who actually performed which sysadmin action.

If instead you have a shadow admin account for each admin user, we're
back where we started, but with the disadvantage that we can't see
anything about an admin except his admin actions.  I cannot see what
possible good such concealment could do.  Administrators need to be
accountable. We need to see who is up to what.