The Customer Admin role is the only user account level with the access to change other users' passwords. This was done to maintain account security and to limit access to this function to within a single customer shell. Global Administrators also do not have passwords.
Partner Administrators are encouraged to assist users in utilizing the password reset function on the Control Console, leveraging a previous Spam Report for having a user reset their password if policy allows, and only in emergency situations creating a Customer Admin account to just reset a password.
We know for some of our partners this may not be seen as optimal, but it does help limit account access to within an organization.
I understand the roles and the implied security, however in an environment when users cannot follow instructions or a reseller needs to help their clients, this is not an acceptable process and in fact, has caused a few clients to leave. IMO, to force such restrictions on a partner level is not in line with today's need to fully support a client.
You are referring to access within an organization, then as in a previous post, we could also use an admin role by domain group. As a partner org with multiple organizations, we could use roles by domain groups, which would help specific individuals e.g., support, sales, billing etc, manage their specific customers.
Coming from a former platform, such restrictions were not this strict and are hard for clients with as much as 10 years on this former platform.
I understand your feelings. The partner administrator roles are designed to mirror, in large part, the same permissions as the Global Administrators with some exceptions and isolated to a specific partner shell. Global administrators do not even have the ability to manually set passwords or see passwords, which is why when Partner Admins contact support for password issues, we always have to walk them through the password reset function. Many partners incorrectly assume we would have the ability to just set a password, or provide a password over the phone. However, this would be counter to our mission as a security company. Even then, the end user would still have to be walked through setting a secure password and setting their challenge question for the account to be secure. When any administrator, partner or customer contacts McAfee support, they must use the password reset process.
Yes, being able to just reset a password is easier, but we tend to think about this in the same way someone would think about needing to cross a freeway. The pedestrian bridge is there but is a longer distance and takes more time, however the chances of getting injured are significantly slim. Darting across the lanes of traffic is faster and a more direct approach, but the liability is huge. Having the ability to change passwords on the fly creates significant liability. Without the ability to change passwords, the grounds for accusations of unauthorized account access (or actual cases of unauthorized access, which is not unheard of) are greatly limited. Considering the number of clients we work with that must abide by strict HIPAA, SEC, FERPA, and other privacy regulations, limiting access to accounts as much to the intended end user as possible is important. Then there are other security concerns to be cognisant of, such as the fact that identity is difficult to establish over the phone. Using the password reset function, this risk is reduced by sending the password reset either to the end user directly or to a domain administrator. Whoever clicks on the password reset URL must then answer a challenge question to provide some level of proof that they are the owner of the account.
There are multiple ways of handling user passwords that allow 'as easy as possible' access or password reset without compromising account security, or opening up individuals to privacy concerns and compromising account security. Organizations can choose LDAP Authentication to put the password management in the hands of their Active Directory or LDAP Server. Users can utilize their most recent spam report, if the administrator has kept the default settings to allow end users to log in directly via the spam report without a password. Users can reset their passwords directly from the control console.
If all else fails, a customer administrator may choose to manually reset the password but they must then take on the responsibility of authenticating the user, then of walking the user through resetting their password once logged in and having them set a challenge question so they may use the password reset function in the future. The individual logging in as a customer administrator is then accepting these responsibilities, the liability of ensuring account security, privacy, adherence to any applicable laws and regulations.
I understand that this is not the most direct route and is not easy, but our primary mission is security and at times the safest path is not the direct line. With the many ways of resetting a user's password, an administrator at any level should never have to manually do so, and even then should do so with the utmost reluctance.
"With the many ways of resetting a user's password, an administrator at any level should never have to manually do so, and even then should do so with the utmost reluctance."
In a perfect world I would agree. However, what McAfee deals with on a corporate level and those that deal with end-users and admins on a lower scale, have different needs.