Hi All

Excuse my ignorenace as previously worked in a company where we had BES 4.0, and only a few people had BES access, me included.

In my new conpany I have joined, I have found out that everyone in IT has domain admin access to the BES? Its running 4.1.5 which I beleive has option to enable role based access.

Can anyone advise me on the argument I can use to remove domain admin access from the BES and request they look at role based?
Currently we have 200+ users and growing.

Thanks

Scott

... because you should follow the principle of least privilege


Why do they need to be domain admins? Yes it gives you access to most everything within all applications / servers ... but what business needs says domain admin? Because they don't know other ways to set things up?

I agree 100% with that, and based on that - what sort of damage can say a domain admin do on a BES with say email infrasturre (as we use it with exchange). Need to cover all the bases before i go in with my argument as most IT staff seem to have domain access. With the BES being pretty darn inportant, I need to get my facts correct as if I can alter the users access on this server, then this may get them to think about everyones access in general.

Scott

A Domain Admin can shut down a BES, delete files from the BES, view logs ...

In theory this same Domain Admin could gain access to the SQL server with the BESMgmt database and have access to license data, they could corrupt the database ... pretty much ruin the entire BES environment.