“You can’t have your cake, and eat it!”, I was told last week, by one of our Danish developers.
We had been discussing a feature request from an Italian customer, who wanted to enforce approval on user elevation requests but at the same time, provide a ‘bypass’ facility that would enable staff to gain automatic approval, in ‘emergency’ situations.
Whilst suspecting the developer had a valid point, I suffered an adverse reaction to the common ‘cake and eat it’ turn of phrase he used.
I mean, what else does one do when they have cake, if not eat it?
A little more research only got me further agitated, when I discovered that this nonsensical saying had ‘evolved’ from the far more logically correct ‘you can’t eat your cake and (still) have it’ in the first half of the 20th century, to the idiotic idiom we have today. Darwin’s theory of evolution obviously does not apply to the English language.
At least my Danish colleague had no such problems with his language:
“Man kan ikke både blæse og have mel i munden!” (You can’t both blow and have flour in your mouth!) is the more amusing (but still bake-related) equivalent of the term in Danish.
Once the mental image of a developer furiously wafting clouds of flour away from his laptop screen had subsided, I regained composure and got back to working the customer enquiry.
Their Admin By Request deployment had been so successful, it was to be recommended to another part of the business, who still ‘enjoyed’ working under full local admin rights.
The loss of Local Admin rights, for those who have gotten used to having them all their lives, can be quite a blow. We joke sometimes that Local Admin Rights are seen by some as a ‘human right’ but for many, it’s no laughing matter – this is how some people feel. It was no surprise that the suggestion to deploy Admin By Request there went down like a – sack of pasta flour landing on one’s head. No grazie!
This was presumably the motivation for the deployment of Admin By Request countermeasures, with a ‘have cake and eat it’ request:
“What if there is a situation, and we simply can’t wait to be approved? We must have a way to bypass approval… in case of emergency!”
And there lies the problem. With Admin By Request, the enforcement of approval is a binary choice, either it’s on or off.
There is no ‘on… but also off, if it’s an emergency’ setting.
To make a product feature which would allow approval to be circumvented in case of emergency, we would need to also invent a feature that could determine what constituted an emergency in the first place! For this particular customer an ‘emergency’ might range all the way from a full factory shutdown to a home working developer needing to install something in a hurry so he can rescue a fast-melting Zuccotto. Good luck finding an A.I. solution to do THAT.
It seemed that for my Italian customer, this would be a case of “Volere la botte piena e la moglie ubriaca!” (Wanting the barrel full and the wife drunk!).
Then I had an idea. Maybe with Admin By Request’s ‘Support Assistance’ feature, it would be possible to have your cake AND eat it after all?
Emergency Assistance
For those of you not familiar with our Support Assistance feature, here’s a quick heads-up:
First, I have to point out that the feature is a little unusual in that you will find no settings for it in the Admin By Request portal, and because of this, you won’t find any ‘in line’ support documentation either. The genius of this feature is… that there is really not much to actually do, aside from have a basic compatible configuration, and that means the use of ‘Sub Settings’.
A classic use case for Support Assistance would be as follows:
A user with restrictive Admin By Request settings (manual approval required, no elevation of system files allowed) has a system problem which requires the IT helpdesk to fix. The IT helpdesk remotes to the user’s computer (using something like MS Teams or TeamViewer) and immediately finds that they are not able to elevate PowerShell, because the logged-in user’s Admin By Request settings do not allow this.
The helpdesk user invokes Admin By Request’s ‘Support Assistance’ feature to ‘fetch’ their own Admin By Request settings, which get temporarily applied to the user’s working profile, to get the job done.
To invoke Assistance, right click on the Admin By Request icon, and click ‘About’.
From the resulting pop-up screen, select ‘Assistance’.
Now select ‘Start’.
At the next screen the helpdesk user would authenticate with their own AD / AAD user / password.
If this authentication is successful then the Assistance Session is started, visible by the blue timer counting up, signifying the duration of the Support Assistance session.
The helpdesk user can now do anything on this system with Admin By Request, just as if they were logged into their own user account. Elevate system files. Start a full, unrestricted Admin Session. What is possible depends entirely on whatever settings you have put in your own Admin By Request sub settings.
If the restricted user’s sub settings require approval, and the helpdesk user’s do not, the helpdesk Admin By Request settings applied by Support Assistance ‘win’, and approval is no longer required.
See where I am going with this?
Ice Ice Baby!
Yes. If we create a new Sub Setting called ‘In Case Of Emergency’, create an AD group called ‘ABR-EMERGENCY’ and add a special ‘Emergency’ user to this group, then the Admin By Request settings of the ‘In Case Of Emergency’ sub setting will be applied to any Admin By Request user who authenticates with the ‘Emergency’ account in a Support Assistance session.
Being Support Assistance, everything is joint-logged, in both the name of the end user, and in this case, the ‘Emergency’ account used to gain the emergency override.
Plus, as the ICE account has its own sub setting, this means we can also show a nice ‘Emergency Mode’ notice screen before any elevation is started:
There is one drawback with Support Assistance, but this can also be seen as a benefit.
To use Support Assistance, a ‘line of sight’ link to your organization’s Active Directory is needed for the additional authentication. Therefore, this solution is not going to help any offline users. Then again, if you want to build in an ‘ICE Override’, perhaps it’s a good thing that this is not allowed ‘un-authenticated’ and offline, otherwise it would be impossible to track the usage.
One more nice little side effect of requiring real time authentication with AD, is that you can configure ‘Logon Hours’ for your ‘ICE’ account to limit the time of day which it can be used.
So, for example, if you want to require approval during office hours, but also want to find a means to allow users to get auto approval when there is no one in the helpdesk to do the approval (and of course it also happens to be an ‘emergency’) then you can simply set the ‘logon times’ in AD to out of helpdesk hours.
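As an added example (not code from this post or from Admin By Request), here is the AD side of the ‘ICE’ set-up in PowerShell: the ‘ABR-EMERGENCY’ group, the emergency account, and a logonHours mask that only permits logon outside helpdesk hours. The OU path, the account name, the helpdesk hours (Mon-Fri 08:00-18:00 local time) and the UTC offset are all assumptions; the ActiveDirectory module is required.

```powershell
# Added example: build an Active Directory logonHours mask for an ICE account
# so it can only authenticate when the helpdesk is NOT staffed.
Import-Module ActiveDirectory

$GroupName     = 'ABR-EMERGENCY'                      # group name from the post
$UserName      = 'ice-override'                       # assumed account name
$OU            = 'OU=ServiceAccounts,DC=example,DC=com'  # placeholder OU
$HelpdeskStart = 8                                    # assumed: staffed 08:00-18:00 local
$HelpdeskEnd   = 18
$UtcOffset     = 1                                    # assumed: local time = UTC+1

# logonHours is a 21-byte (168-bit) mask, one bit per hour of the week, starting
# Sunday 00:00 in UTC. Within each byte the least significant bit is the earliest
# hour. Because the mask is fixed in UTC, a DST change shifts the window by an
# hour; re-run this after a clock change or verify in AD Users and Computers.
function New-OutOfHoursLogonMask {
    param([int]$Start, [int]$End, [int]$UtcOffsetHours)
    $mask = New-Object byte[] 21
    for ($h = 0; $h -lt 168; $h++) {                  # $h = hour-of-week in UTC
        $local = ($h + $UtcOffsetHours) % 168         # same hour in local time
        if ($local -lt 0) { $local += 168 }
        $day  = [math]::Floor($local / 24)            # 0 = Sunday ... 6 = Saturday
        $hour = $local % 24
        $staffed = ($day -ge 1 -and $day -le 5 -and $hour -ge $Start -and $hour -lt $End)
        if (-not $staffed) {                          # set the bit = logon allowed
            $byteIndex = $h -shr 3
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl ($h -band 7)))
        }
    }
    return ,$mask                                     # comma keeps it a byte[]
}

$mask = New-OutOfHoursLogonMask -Start $HelpdeskStart -End $HelpdeskEnd -UtcOffsetHours $UtcOffset

# Create the group and the emergency account, then apply the mask.
New-ADGroup -Name $GroupName -GroupScope Global -Path $OU
New-ADUser -Name $UserName -Path $OU -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'ICE account password')
Add-ADGroupMember -Identity $GroupName -Members $UserName
Set-ADUser -Identity $UserName -Replace @{ logonHours = $mask }

# Check: read the attribute back and show which UTC hours are permitted.
$applied = (Get-ADUser -Identity $UserName -Properties logonHours).logonHours
0..167 | Where-Object { ($applied[$_ -shr 3] -band (1 -shl ($_ -band 7))) -ne 0 } |
    ForEach-Object { '{0} {1:00}:00 UTC' -f @('Sun','Mon','Tue','Wed','Thu','Fri','Sat')[[math]::Floor($_ / 24)], ($_ % 24) }
```

Logon hours are enforced at authentication time, so they limit when an Assistance session can be started, not how long an already-running session lasts.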
Everyone Gets Cake
The result? Admin By Request can be deployed and security compliance achieved because users are no longer working under permanent Local Admin rights.
Requests to perform Local Admin rights elevation all require approval… unless it’s deemed to be an emergency.
If the emergency account is used, there is still a full audit trail, accessible via API, for someone (or something) to keep a close eye on emergency account use.
From ICE to ADM
Whilst I’m on the subject of Support Assistance, I thought I would mention one more use case, which works pretty much identically to our ‘In Case Of Emergency’ example.
This customer was extremely security conscious and really did not want users elevating *anything* with their domain accounts at all. Because of this, they wanted to create mirror ‘ADM’ accounts which users could use to exclusively run their admin tasks from.
Typically, with Admin By Request, we are working with the logged-in user, but, yes, using Support Assist you could create and use tandem ‘ADM’ accounts. Rather than restrict usage to the more traditional Helpdesk, or the rare emergency, Support Assistance would be used to access ‘ADM accounts’ throughout the day for process elevation, with everything joint-logged, whilst keeping the primary account completely locked down, with no rights to elevate anything.
Perhaps we should rename the feature, from Support Assist to ‘Settings Overlay’, or maybe just good old ‘Cake mode’?
The Non-Cakewalk, Cake Walk
The armchair psychologists among you might suspect that my over-sensitivity to the ‘can’t have your cake and eat it’ phrase is down to an emotional episode in my childhood, and you’d be right.
After collecting a birthday cake from a shop in hot and humid Singapore, 5 minutes into my walk home I wondered why my box had sprung a leak. That my box did not immediately appear to self-combust, issuing volcanic plumes of white smoke when leaving the shop… was a significant difference from other customer purchases I should have questioned.
It was an ice cream cake, and the shop had forgotten to pack the dry ice.
That night, twelve candles were blown out on a lowly mango pudding… and sadly, it is the only birthday I can remember where there was no having of cake, and no eating it either!