RE: FW: Delegate
The only problem with this model is that you don't necessarily know
how long an internal chain-of-command is. This is similar to IP
subnetting. For example, from outside MIT (which has net 18), there
is a single "network", so someone from the outside could say "well,
there is only one net-18 subnet, so I delegate with level one". But
once you get past the router you find many /16 subnets. Oops! But
wait, some of those /16 nets get split up even further, into /24 or
even /28 networks!
That is precisely why I would wish as a manager at the top
of a corporation to stop unbounded delegation. Each link
in the chain makes it harder to discover what is going on.
As a security officer I would consider it very important to
be able to control the number of phone calls required to
discover what had happened. The depth of the tree has a major
effect on the search time since each link may potentially
involve contacting someone who is off sick, on holiday or
absconded with the money.
Phill
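
Added example, not part of the original message or of any project's code: a sketch of the bounded delegation discussed above, checked against the subnetting case from the quoted text. The `Delegation` record, its `max_depth` field and the names in the sample chain are assumptions made for illustration, and signature checking is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    issuer: str
    subject: str
    max_depth: int  # assumed field: further links the subject may add below itself

def check_chain(chain, root):
    """Walk a delegation chain from root; return (ok, links_checked, reason)."""
    if not chain or chain[0].issuer != root:
        return False, 0, "chain does not start at the trusted root"
    remaining = chain[0].max_depth
    for i in range(1, len(chain)):
        prev, link = chain[i - 1], chain[i]
        if link.issuer != prev.subject:
            return False, i, f"broken link: {link.issuer} is not {prev.subject}"
        if remaining <= 0:
            return False, i, f"{link.issuer} has no delegation depth left"
        # A link can narrow the budget it passes on, never widen it.
        remaining = min(remaining - 1, link.max_depth)
    return True, len(chain), "ok"

def internal_chain(outside_depth):
    # Constructed sample: the outsider sees one "net-18", but inside it the
    # authority is handed down through /16, /24 and /28 levels.
    return [
        Delegation("outsider", "net-18", outside_depth),
        Delegation("net-18", "subnet/16", 9),
        Delegation("subnet/16", "subnet/24", 9),
        Delegation("subnet/24", "subnet/28", 9),
    ]

if __name__ == "__main__":
    for depth in (1, 3):
        print(depth, check_chain(internal_chain(depth), "outsider"))
```

With a depth of N set at the top, an accepted chain has at most N+1 links, which bounds how many parties must be contacted to trace a grant. The depth-1 case fails at the /16 level, which is the surprise the quoted text describes.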