Advice on proposed new structure of Resources and Accounts please


We have been struggling with an unwieldy set of resources and accounts for the last year.  We plan to move away from a large number of unique resources that each have a small number of accounts (with a very high level of work needed to manage permissions per account) to the following structure...
 
A far smaller number of generic resource names, such as the following:
 
1      AD - Admin level.
2      AD - General user level.
3      AD - Service accounts only.
4      Application A specific.
5      Application B specific.
6      WLAN SSID & Keyphrases
 
etc etc.
 
Where we see this as a great advantage is being able to set permissions at the resource level and have this automatically filter down to all accounts unless specified otherwise.
 
In the above examples permissions would be set something like the following:
 
Network support team: Modify access to 1,2,3 & 6
HelpDesk: View access to 2 & 6
Desktop support team: Modify access to 2,3 & 6.
Applications support team: Modify access to 4 & 5
 
etc etc.
 
 
I would be grateful if existing users and ManageEngine staff would comment on the viability of our suggestion.
 
We have already identified the following cons with the idea, but still think it is workable..........
 
Con 1 - You cannot have dupe account names.  Only an issue with the likes of Routers etc with admin as an unchangeable account that will be replicated across many devices - Plan to work around this by "dnsname/accountname" as the account name.
 
Con 2 - Still need some account level permissions - but not many, that's why we think this will work well.
 
Con 3 (also an advantage!) - Admins will have to manage resource level permissions - This will keep the resource structure lean but add extra admin for them on bespoke account level permissions.
 
Thanks in advance!