PCI compliance - Acceptability of Shared User Accounts

Greetings-

Forgive me if this post was submitted to the wrong place.

My question/concern is about sharing accounts between multiple users. The scenario is that one username/password may be shared by 3 or more people (within reason, of course).

We are just beginning the implementation process and I have a question about User Accounts going forward. We have a central location, and 26 or so historic 'sites' located throughout Minnesota. We have legions of people who work for us that can be categorized as part-time, seasonal, volunteer, intern, etc...

As you can see, maintaining all of these people who come and go at various intervals with a separate, and possibly short-lived, username/password could turn into a nightmare. I'm wondering if anyone knows about any PCI compliance guidelines that can be followed that either reinforce the 'shared login' practice or strictly prohibit the practice in a system like Tessitura.

Or... if anyone has any advice or tips on the subject, feel free to let me know!

Thanks!

Jason

Minnesota Historical Society

  • Hi Jason,

    First and foremost, I'm so excited that Split Rock Lighthouse will be part of The Network. I'm originally from Superior, WI and drove up the North Shore a lot in my life.

    As for shared login credentials, I would suggest you stay away from this. By doing so, you remove a valuable layer when it comes to auditing work (like if someone made a mistake or if someone gets compliments from a patron). With a shared login, you'd have to know who was working that day, and if, let's say, all three people who share that login are working that day, you'd never know who did what work.

    What I would suggest you do is give one key person at each of your satellite locations access to Security and teach them how to create new users and inactivate those user accounts once they are no longer part of Minnesota Historical Society as a staff member. You could make this process part of the onboarding of new staff. I would imagine PCI compliance requires a unique login for each user (especially if they will be processing credit cards in Tessitura). Without that unique login, you have no way to definitively know who did the work in Tessitura.

    In my experience, and I've worked with a few different Tessitura-using organizations, I've never seen shared login credentials.

  • Great to hear about Split Rock!

    Yeah, the audit trail was obviously a big concern of ours that I forgot to touch on. Great advice and thanks much for the tips! We were thinking along just these lines but wanted to make sure that a short-cut wasn't the best approach in this case.

    Take care.
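The two practical points in the thread above, that a shared login destroys the audit trail and that accounts of departed part-timers need to be inactivated, can both be checked mechanically from a login audit log. The following is an added example, not code from the thread or from Tessitura: it assumes a hypothetical CSV log format (`timestamp,user,workstation,event`) and a constructed sample log, since the real Tessitura audit format is not shown here. It flags an account that is logged in from two workstations at the same time (one person cannot do that, so the credential is being shared) and lists accounts with no login in the last 90 days, which is the window within which PCI DSS requirement 8 expects inactive accounts to be removed or disabled.

```python
"""Added example: spot likely shared logins and stale accounts in a login log.

Assumed (hypothetical) log format, one event per line:
    timestamp,user,workstation,event     with event = LOGIN or LOGOUT
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the "boxoffice" login is used from two point-of-sale
# workstations at overlapping times, and "intern01" has not logged in for months.
SAMPLE_LOG = """\
2023-06-01T09:02:11,boxoffice,SPLITROCK-POS1,LOGIN
2023-06-01T09:15:40,boxoffice,SPLITROCK-POS2,LOGIN
2023-06-01T12:30:05,boxoffice,SPLITROCK-POS1,LOGOUT
2023-06-01T13:00:00,boxoffice,SPLITROCK-POS2,LOGOUT
2023-06-01T09:05:00,jdoe,MILLCITY-POS1,LOGIN
2023-06-01T17:00:00,jdoe,MILLCITY-POS1,LOGOUT
2023-02-10T10:00:00,intern01,HQ-WS7,LOGIN
2023-02-10T16:00:00,intern01,HQ-WS7,LOGOUT
"""

# Date the audit is run "as of"; constructed to match the sample log.
AS_OF = datetime(2023, 6, 2)


def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, event), time-sorted."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort(key=lambda e: e[0])
    return events


def sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same (user, workstation).

    Returns (user, workstation, start, end). Logins with no matching logout
    in the log are ignored here.
    """
    open_sessions = {}
    result = []
    for ts, user, host, event in events:
        key = (user, host)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            result.append((user, host, open_sessions.pop(key), ts))
    return result


def concurrent_logins(sess):
    """Return {user: [(workstationA, workstationB), ...]} for accounts that were
    logged in from two different workstations with overlapping sessions."""
    by_user = defaultdict(list)
    for user, host, start, end in sess:
        by_user[user].append((host, start, end))
    flagged = {}
    for user, items in by_user.items():
        pairs = set()
        for i in range(len(items)):
            for j in range(i + 1, len(items)):
                h1, s1, e1 = items[i]
                h2, s2, e2 = items[j]
                # Two intervals overlap when each starts before the other ends.
                if h1 != h2 and s1 < e2 and s2 < e1:
                    pairs.add(tuple(sorted((h1, h2))))
        if pairs:
            flagged[user] = sorted(pairs)
    return flagged


def stale_accounts(events, as_of=AS_OF, max_idle_days=90):
    """Accounts whose last LOGIN is older than max_idle_days before as_of."""
    last_login = {}
    for ts, user, _host, event in events:
        if event == "LOGIN" and ts > last_login.get(user, ts - timedelta(1)):
            last_login[user] = ts
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_login.items() if ts < cutoff)


def audit(text, as_of=AS_OF):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "shared": concurrent_logins(sessions(events)),
        "stale": stale_accounts(events, as_of),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, pairs in report["shared"].items():
        print(f"likely shared account {user}: concurrent sessions from {pairs}")
    for user in report["stale"]:
        print(f"no login in 90 days, inactivate: {user}")
```

On the sample log the concurrency check flags `boxoffice` (sessions from SPLITROCK-POS1 and SPLITROCK-POS2 overlap) and leaves `jdoe` alone, while the inactivity check lists `intern01`. Concurrent sessions are a strong signal, not proof; the absence of a finding does not show an account is unshared, which is why the advice in the thread to issue one login per person is the real control.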
