Data Analyst Maliciously Complies After Not Getting Direct Access To The Database They Need For Their Job
Sometimes companies have rules that just don’t make sense and they actually prevent people from doing their jobs. No one knows why they exist and why they’re not changed so the only options that are left are to just accept it or abuse it to the point where the authorities will see how problematic it is.
The latter is what Reddit user node_of_ranvier did when they were denied access to a database. They couldn’t use it directly, only by submitting a ticket to request the information they needed. That took too long and stopped processes that needed to proceed, so the Redditor spammed the IT workers with tickets to achieve the goal of having access to the database.
More info: Reddit
A data analyst shared how they submitted hundreds of tickets to IT to make the head of IT want to give them access to the database
Image credits: Andre Charland (not the actual photo)
This is a longer story, but it’s definitely worth reading. If you go through the comments, people are amazed and fascinated at this malicious compliance that is a textbook example of seemingly innocent maliciousness and getting things done your way in the end.
So the Original Poster (OP) tells a story that occurred in 2018 when they worked as a data analyst at an ed-tech company. If it’s your first time hearing about educational technology, it’s essentially combining IT tools with educational theory to make the learning process easier and more efficient.
Image credits: node_of_ranvier
The Redditor made a report that helped the sales team to convince clients to renew their contracts
Image credits: node_of_ranvier
The company sold products and to prove to the clients that the products were well used, the OP thought that it would be a good idea to create reports about it to clients whose contacts were coming to an end. Then the sales team would have solid arguments why the clients should continue working with the company.
The reports were well liked and the biggest client was convinced to renew their contract, which was great news for the company. Not only that, the report was seen as such a good idea that the OP was asked to do them for all of the 5,000+ clients they had.
Image credits: node_of_ranvier
Now the OP had to do those reports for all their 5,000+ clients, but the problem was, they didn’t have access to the database and they were not granted it when asked
Image credits: node_of_ranvier
The Redditor node_of_ranvier started working on automating the process to make it more time-efficient, but the problem was that they needed information from the database, but they worked in the Research department, which didn’t have access to it.
They had to submit a ticket to the IT team instead and with 1 ticket, they could only submit 1 client’s name. On top of that, the IT department did their work in 2-week sprints, meaning that they would get back to you with the information you needed only after 2-4 weeks, which wasn’t great as the OP had to cooperate with the sales team, who didn’t plan that much ahead.
Image credits: node_of_ranvier
So the employee asked a list of clients who were due to renew their contracts and decided to submit the requests all at once
Image credits: node_of_ranvier
The logical thing to do here was just get direct access to the database so the data analyst could just take the information they needed by themselves immediately. However, their request was immediately denied because only the IT team could access the database and the OP had to use the ticket system.
So a malicious thought came into the OP’s head. They went to one of the sales managers to ask which clients would have to renew their contracts in the nearest 2-4 weeks and got a list of about 400 clients.
Image credits: node_of_ranvier
The IT team were struggling to keep up, but they took care of all the tickets, even if that meant they were working overtime
Image credits: node_of_ranvier
What is important to note here is that the IT team plans their work one day before a new sprint begins and they have to resolve all the tickets they receive on that day during the next sprint, no matter how many tickets they get.
The OP knew that and found out when the new sprint should have begun. They waited until that day, calculated how long it would take to submit all those tickets, and spent all that day spamming IT with their requests.
Image credits: node_of_ranvier
A fun fact for the OP and not so fun for the IT team is that when someone submitted a ticket, the IT workers would get a push notification and when they were getting tickets every minute, that must have been frustrating.
But the IT team was doing their job and the OP was getting all the data they needed. The Redditor admitted that they were impressed with the job IT was doing and saw that they were working after hours too, just to keep up with the workload.
Image credits: node_of_ranvier
When the OP wanted to repeat the same thing the next time, they were interrupted by a worried head of IT who at last granted them access to the database
Image credits: node_of_ranvier
But the day before the next sprint, node_of_ranvier did the same thing: they went to the sales manager, requested a list of clients who were nearing the renewal of their contracts, and started submitting the tickets.
This time, after an hour of doing that, the head of IT came to the research department and asked how many tickets they would be submitting this time. The Redditor exaggerated a bit, saying it was going to be the same amount as the last time, and they claim they saw how the head of IT broke inside.
Image credits: node_of_ranvier
The OP didn’t want IT to be overworked or stressed about all these tickets, they just wanted to be able to do their job well and in time, so they didn’t continue with the tickets and asked again if they could have access to the database. This time the people in charge realized why the data analyst wanted access in the first place and gave them all the authorizations they needed.
So, if you came to the end of the story, was it satisfying for you to know that the OP got what they wanted? It was quite a genius plan and nobody could say they were trying to spam the IT team because they were just doing their job as best as they could in the given circumstances. What are your thoughts on this? Let us know in the comments!
People in the comments admired the malicious compliance and applauded the OP for getting what they intended to reach
Image credits: __hotdogwater__
Image credits: mysteresc
Image credits: Eagleheardt
Image credits: nictheman123
Image credits: CoderJoe1
Image credits: fullmetalguy
Image credits: alumpoflard
33Kviews
Share on Facebook
Does anyone here actually read all the text in between the stuff cut from Reddit? I don't know why these always have someone explaining what is already evident in the original text
It's so they can say that BP has original content ;-)
Load More Replies...
Working in IT, I can see why the IT team would not want to let someone from another department have direct access to the database. They could have made their lives a lot easier though by directly linking the database to the researcher's report system so he could automatically generate the reports on request.
I first read the headline and my hackles went up - there are myriad excellent reasons not to just give someone (even a data analyst who knows their way around MSSQL) access to a database. But access comes at many levels, and unless you believe your analyst is going to take the data and manipulate it so it no longer resembles what is held in the database (e.g. gives the impression that the database holds a less than representative sample of customers or whatever), there's this little thing called read-only. Can't do any damage to the data or the code, but can extract data to their hearts content. Depending on how they've set up the database, there are also plenty of front end GUIs designed to allow access to database backends for user-created queries. Really, and I'm not one to diss IT, but they really made it hard for themselves with this policy.
I reckon they running reports off a transactional system, with 400 users that's a lot of page reads and a fair bit of index management. They should be warehousing it and reporting from there, it takes the load off the transactional system. But then the company sounds a bit 541t tbh.
Load More Replies...
I don't always enjoy malicious compliance stories but as an IT/development veteran, I approve of this post.
This is a very good way of annoying the IT dept. It would have been much better to have discussed the change in requirements with them, or if they won't listen, then go to the level above them. However something in me admires the malicous compliance. I also know that JIRA has an API for creating tickets automatically... :D
Not granting access to SQL for reporting is such a dumbass move. It's SO friggin easy to give read-only access to just the tables that the report needs. What's more, with MSSQL there's SQL Server Reporting Services included, so you can just dump the report onto the reporting server and don't even need to grant specific access, just limit who's allowed to run the report. It gets so frustrating when IT managers don't even know the technology they manage, won't ask, don't trust, or are just plain incompetent. IT isn't hard per say, but it can be damn stressful when policies and practices are excessively constrained for no good reason.
If I worked in that IT dept I'd get a self serve reporting system like Business Objects and put you out of a job.
OP said it's MSSQL, which comes with SQL Server Reporting Services (SSRS). Nothing extra to buy, it uses the same Server license and CALs you're already paying for. The report builder in SSRS is pretty robust and functions a lot like the MS Access forms builder. It's stupid easy to use and you can limit who has access to which reports, who can create and edit reports, etc.
Load More Replies...
What a lot of commenters are forgetting is that IT could also give this person limited access to the database, so they couldn’t get into anything they shouldn’t. So yeah, it would’ve been a whole lot easier to just start with limited access, and be open to expand access if they 1) have already proven they’re very trustworthy and 2) they can actually prove they have a genuine need for it.
Why could "nothing" be done to give him access? Does IT run the company? Typically, when something generates revenue companies will do whatever it takes to make it happen. So, there wasn't a single person at this company that could direct IT to give this employee access? I've had minor issue like this at my job. I just go over IT head and explain the situation to my supervisor. Then my supervisor runs it up the chain of command until IT is directed to grant my request.
I work in IT and or clients are other businesses. We have STRICT security protocols. In order for our company to keep ISO27001 certificate, acces to clients' data are restricted to a limited part or personnel !!! TL;DR: THERE WAS A REASON TO RESTRICT ACCESS!!!
Having seen a similar post, I read the first four snips and immediately figured out what was going on
As someone who worked in sales I would have been so frustrated to have to wait two weeks for the data. Seems like there should be a way that they could have granted a read only system with logging. Hospitals have databases that allow users to access only the data they need and a system that shows who accessed it. But I'm not an IT person so what do I know.
This was 2018?! Just wow. Seriously, everyone and their mothers have been harping on self service data platforms for years at this point. They know about agile management but pulling data manually?
you are sales/marketing. You don't need access. They should have provided API's for you
I'm running a similar scheme as we speak. HQ won't give us (a country branch) open editable file with pictures of bottles and labels for our products (with which our graphic designer would do all the work herself and quickly) so now every banner, post, picture for a brand magazine - they need to make it for us or at least edit it with correct high-res picture so the end result won't be pixely looking. And yes - I asked to have access to this photo database and was denied. We'll see how it goes
If you can get the PDF of it you can disassemble it with a suitable PDF editor...
Load More Replies... Does anyone here actually read all the text in between the stuff cut from Reddit? I don't know why these always have someone explaining what is already evident in the original text
It's so they can say that BP has original content ;-)
Load More Replies... Working in IT, I can see why the IT team would not want to let someone from another department have direct access to the database. They could have made their lives a lot easier though by directly linking the database to the researcher's report system so he could automatically generate the reports on request.
I first read the headline and my hackles went up - there are myriad excellent reasons not to just give someone (even a data analyst who knows their way around MSSQL) access to a database. But access comes at many levels, and unless you believe your analyst is going to take the data and manipulate it so it no longer resembles what is held in the database (e.g. gives the impression that the database holds a less than representative sample of customers or whatever), there's this little thing called read-only. Can't do any damage to the data or the code, but can extract data to their hearts content. Depending on how they've set up the database, there are also plenty of front end GUIs designed to allow access to database backends for user-created queries. Really, and I'm not one to diss IT, but they really made it hard for themselves with this policy.
I reckon they running reports off a transactional system, with 400 users that's a lot of page reads and a fair bit of index management. They should be warehousing it and reporting from there, it takes the load off the transactional system. But then the company sounds a bit 541t tbh.
Load More Replies... I don't always enjoy malicious compliance stories but as an IT/development veteran, I approve of this post.
This is a very good way of annoying the IT dept. It would have been much better to have discussed the change in requirements with them, or if they won't listen, then go to the level above them. However something in me admires the malicous compliance. I also know that JIRA has an API for creating tickets automatically... :D
Not granting access to SQL for reporting is such a dumbass move. It's SO friggin easy to give read-only access to just the tables that the report needs. What's more, with MSSQL there's SQL Server Reporting Services included, so you can just dump the report onto the reporting server and don't even need to grant specific access, just limit who's allowed to run the report. It gets so frustrating when IT managers don't even know the technology they manage, won't ask, don't trust, or are just plain incompetent. IT isn't hard per say, but it can be damn stressful when policies and practices are excessively constrained for no good reason.
If I worked in that IT dept I'd get a self serve reporting system like Business Objects and put you out of a job.
OP said it's MSSQL, which comes with SQL Server Reporting Services (SSRS). Nothing extra to buy, it uses the same Server license and CALs you're already paying for. The report builder in SSRS is pretty robust and functions a lot like the MS Access forms builder. It's stupid easy to use and you can limit who has access to which reports, who can create and edit reports, etc.
Load More Replies... What a lot of commenters are forgetting is that IT could also give this person limited access to the database, so they couldn’t get into anything they shouldn’t. So yeah, it would’ve been a whole lot easier to just start with limited access, and be open to expand access if they 1) have already proven they’re very trustworthy and 2) they can actually prove they have a genuine need for it.
Why could "nothing" be done to give him access? Does IT run the company? Typically, when something generates revenue companies will do whatever it takes to make it happen. So, there wasn't a single person at this company that could direct IT to give this employee access? I've had minor issue like this at my job. I just go over IT head and explain the situation to my supervisor. Then my supervisor runs it up the chain of command until IT is directed to grant my request.
I work in IT and or clients are other businesses. We have STRICT security protocols. In order for our company to keep ISO27001 certificate, acces to clients' data are restricted to a limited part or personnel !!! TL;DR: THERE WAS A REASON TO RESTRICT ACCESS!!!
Having seen a similar post, I read the first four snips and immediately figured out what was going on
As someone who worked in sales I would have been so frustrated to have to wait two weeks for the data. Seems like there should be a way that they could have granted a read only system with logging. Hospitals have databases that allow users to access only the data they need and a system that shows who accessed it. But I'm not an IT person so what do I know.
This was 2018?! Just wow. Seriously, everyone and their mothers have been harping on self service data platforms for years at this point. They know about agile management but pulling data manually?
you are sales/marketing. You don't need access. They should have provided API's for you
I'm running a similar scheme as we speak. HQ won't give us (a country branch) open editable file with pictures of bottles and labels for our products (with which our graphic designer would do all the work herself and quickly) so now every banner, post, picture for a brand magazine - they need to make it for us or at least edit it with correct high-res picture so the end result won't be pixely looking. And yes - I asked to have access to this photo database and was denied. We'll see how it goes
If you can get the PDF of it you can disassemble it with a suitable PDF editor...
Load More Replies...
133
36