I know it's a strange question, but here's my situation:

I've been working for this small company for 5 years now. I was originally hired to be their web designer/webmaster and graphic artist. I work on their website as well as make all their print ads and other printed media.

I can understand that when you first hire someone, you're leary about giving them all your passwords and access to areas. However, I'm a "5 year veteran" of their company, and I still feel like I'm being treated as a "new hire" as far as security goes.

Take the web work I'm doing. I have no access to the register.com account. I don't have administrative permissions for our web server accounts so I can't even setup an SSL account for our shopping cart system. All the administrative control is by our general manager. If he's on vacation or at a show, I have to wait until he returns before I can do anything.

Things unfortunately aren't the best around here - money is tight, and the owners of the company have a knee-jerk apprehension toward technology (they primarily work in the repair center where they do everything by paper and binders - no computerization whatsoever!) They scrutinize every penny spent on computer/virtual technology and they have no problems "blowing up" at anyone they feel is wasting money on said technology (which is usually the G.M.)

With this kind of environment, would anyone think I'd be out of line asking for administrative control over the register.com and web server accounts as well as having some access to a company credit card account in order to maintain service fees and purchase needed services, upgrades, etc. ? I'm not the "best and brightest" employee here and I'm not a "web guru" (I'm struggling with SEO and trying to get my designs "out of the 90's"), but I do feel that not having administrative control over areas that directly impact my job is impeding my ability to DO my job.

Anyone have suggestions on how I should approach the powers that be? :confused:

Well, as a security person and a web developer, I have two conflicting opinions.

The security side of my mind says No control at all! No root passwords, no admin access, no control over the hosting plan, just the ability to upload new content and edit web files on the server. That way the administration maintains "absolute control" and in a worst case scenario can transfer your access to a new designer if you, for example, get hit by a bus, while limiting the potential damage if you, for example, go postal.

The web designer side of me says, Full control! You are the one who needs to be able to make the extensive changes, and in the event of an emergency needs to be able to make changes or corrections. For example, if your server gets hacked, you are the one who is going to need to act and implement fixes to resolve the issue, and if you have insufficient access, the business could be exposed to additional liabilities.

Of course, there are also legal considerations. My lawyer-loathing side cringes to mention things like the PCI standards, which limit who can legally have access to databases containing financial information.

Fortunately, in most cases there is a happy medium. The level of control you need over the register.com account is most likely the ability to set and change nameserver settings. Most registrars have two types of accounts, the administrator account and the technical contact account. Your management should make sure you have a technical account level of access. This lets you change settings, but in an emergency the administrative contact can override those settings, or reassign the account to someone else.

On the web server side, you should have a fairly robust level of access. Unfortunately, on many hosts this type of access means you have access to the billing and accounting information for the account. I would suggest first contacting the hosting company, and finding out if they have a 'developer only' type of account that will give you full run of the account's functionality without necessarily having the ability of adding or cancelling services.

Most businesses require checks and balances. When you take business classes they drill into you the importance of internal controls, which means limiting access and maximizing oversight to prevent loss. For technical people however, this can be very inefficient.

The scenario I describe above will give you, as webmaster, the ability to quickly make the changes you need to make in the daily operation of the site, as well as the access needed to respond to emergencies without having to bother management with every little issue you encounter, making both sides more productive, while still giving management the final say for issues such as adding space to the server, because they maintain control over the financial side of the accounts.

I can see where security issues can be a problem. Especially with this company that is so very paranoid about money, I would'nt WANT to be responsible for accounting & financial information. I'd be perfectly fine with a system of putting in for a "purchase order" in order to make a credit card charge for a service or something (if they had such a system in place.) Although, it IS a small company (only 10 employees which includes the owners) - plus, the general manager is the ONLY one with access (user names and passwords) to everything. Since the owners are, as I had described them, "anti-technology", they haven't even thought about bugging the G.M. for that information (so that they have access to their own virtual assets), but it's not my place to say. Something happens to our general manager, we've got NOTHING to fall back on (and it extends further than just the web stuff, but it's not my place to talk about it!)

I will look into those optional access rights you mentioned such as the technical account level access to the Register.com account and I'll see if our hosting company has that "developer" access that will let me do administrative functions on the server, without compromising security of the financial end of the service.

However, something needs to be done. I feel like a little kid having to ask "the grown-ups" for help with everything I have to do on the site! You talk of security? Right now our shopping cart/online ordering system has NO SSL certificate, but I can't GET an SSL certificate because I don't have administrative rights to the server! The general manager has been off on vacation and going out of the office to do on site installations of some of our products. Right now he's in Texas and won't be back until Friday - and even THAT is questionable (he usually takes an extra day after a trip). Now it pushes this until next week! I could have had this done weeks ago if I had the administrative access!

I almost wish he did NOT have any access to the site. He's added things on his own that have screwed up the look of the site, and then I have to go in and fix it. Problem is, he used to do the website before I was hired, so I guess it's kind of a "p-on" contest going on (he knows better than me, I guess).

I know the condition you are in. I have faced similar situations in the past and it can be difficult especially since everything is as tangled up as it is. From the sound of it, you are working to improve the online transaction capabilities of the site. If you do not sort out these basic issues beforehand, you could run into legal issues in the future with credit card companies and with auditors.

Before you implement a more advanced shopping cart system, these issues need to be sorted out. It is (at least in most areas) either illegal or a contract violation to gather credit card information over an unsecured connection, and if credit card information is stolen, your company could be liable and lose a lot more money.

Typically the ideal situation is that the owner of the company (or the lawyer or some other designated person) maintains a backup hard copy of the administrative passwords for the domain name, the hosting account and other online assets. The technical person is then granted 'technical' or 'developer' access to those assets to create content. THE ONLY PERSON who should EVER be able to access the server is the technical person. You. If something happens to you, the custodian of records (whoever was assigned to manage the hard copies) would use that documentation to transfer your access to someone else. If you process credit cards through the server, you could be violating the PCI standards established by the credit card companies governing who has access to the financial information on the server.

My recommendation would be to contact the registrar and hosting company first and find out what types of access are allowed, and what the administrative person needs to do to give you that second-tier access. Write out in detail the steps involved as simply as possible. Create an action plan, and present it to both the owners and the GM, and make sure they are aware that not only will this help your site be more secure, it will also increase your productivity because you won't constantly have to wait for your GM to change a setting, and it will free your GM from always having to stop and make those changes. Additionally, making this change will help the business conform to industry best practices, and in the event of an audit or a disaster, having this type of access control can help mitigate damages (someone breaks in to the server, you can show investigators and the insurance company that you took steps to control access to the server data, etc.).

By having an actionable plan ready when you bring this to your management can help them make the decision to change the system, especially supported by the many benefits of changing this access.

In this system, however, there still would need to be someone to unlock more complex features on the server such as SSL. You would be able to do most of what you need, however, such as managing the nameservers, subdomains, etc.

Your employer has ZERO security, IMO!

Should the GM either go postal or fall ill or even die, you are up &^$£ Creek without a paddle.

You need at least one more person with access to the passwords.

Your employer has ZERO security, IMO!

Should the GM either go postal or fall ill or even die, you are up &^$£ Creek without a paddle.

You need at least one more person with access to the passwords.

On the contrary if we are talking about security it is wise to only allow limited access to everyone(where it pertains to job responsibilities and skill).
For example a Department of Defense employee forgot to change permissions on a certain sensitive directory, it was found and exploited and an unknown hacker had four months to play around in the DOD's database.
I am sure the GM is not the only individual with access to sensitive data,
It's just a fact of life and the workplace, someone is always going to have a bigger keyring than you with more keys and keycards that let them go where you cannot. And probably more company funded PDAs, cell phone, pagers etc. that are used to call home or Ticketmaster.
If you truly can provide evidence that your current level of permissions are hindering your job performance, talk to your supervisor.
You don't need to complain to upper management, just provide a good case for your beliefs with your Sup.
If that don't work slowly move up the chain. Be careful not to step on any toes along the way!
You'll probably at some time have to deal with the IT department. That's very dangerous territory, highly guarded and severely job scared.
Good luck, just don't push the issue.
Hope this helps, Dan

On the contrary if we are talking about security it is wise to only allow limited access to everyone(where it pertains to job responsibilities and skill).
For example a Department of Defense employee forgot to change permissions on a certain sensitive directory, it was found and exploited and an unknown hacker had four months to play around in the DOD's database.
I am sure the GM is not the only individual with access to sensitive data,
It's just a fact of life and the workplace, someone is always going to have a bigger keyring than you with more keys and keycards that let them go where you cannot. And probably more company funded PDAs, cell phone, pagers etc. that are used to call home or Ticketmaster.
If you truly can provide evidence that your current level of permissions are hindering your job performance, talk to your supervisor.
You don't need to complain to upper management, just provide a good case for your beliefs with your Sup.
If that don't work slowly move up the chain. Be careful not to step on any toes along the way!
You'll probably at some time have to deal with the IT department. That's very dangerous territory, highly guarded and severely job scared.
Good luck, just don't push the issue.
Hope this helps, Dan

From what was originally said: "plus, the general manager is the ONLY one with access (user names and passwords) to everything..."

It looks very likely that the GM IS the only one with such access.

This is not uncommon. Nor is it uncommon for this to cause Hellish problems when (note I say when, not if...) things go wrong.

In our shop I have root on pretty much everything.. But I also have a printed sheet with every single login and password that sits in a file in the owners desk.. Short of me going on a tear and changing all the passwords before I quit, they are covered if I should ever decide to leave, die, whatever.. And if something needs done while I'm on vacation it can still be done just by having the owner look up the password and type it in..

And no, not only do you not NEED that level of access.. If, or should I say when, something blows up, you can be secure in the knowledge that it wasn't your fault because you don't have access.. If you did have access and the GM blew something up, you would most certainly catch the blame for screwing up HIS job..

BTW, have you put together a new resume??

I knew of a situation where ONE person had all the accesses codes, passwords, etc.

He ran off with them. And yes it DID cause terrible problems.