Seeing the administrator as a user

Usability of administration tools often leaves a lot to be desired

by Dr. Klaus Gheri, CTO phion

In general, administrators are very enthusiastic about technology and are definitely not fazed by code and scripts. However, the fact that administrators are technically literate users is too often used as a poor excuse by software developers for offering administration tools that are seldom appealing and user-friendly. Administrators are, after all, people too. They respond just as positively to an improvement in ergonomic function as any Office user just a few offices along the corridor. Confusing GUIs with too much or even wrong information hamper efficiency, while unnecessarily long-winded and complicated work processes detract from job satisfaction. This can even result in security risks.

Unlike ordinary users, administrators require detailed technical information to enable them to carry out routine analyses or look into faults in the environment where the products are being used. This means that administration tools must be designed so that, on the one hand, they can present dense information in a clear, concise manner, while also allowing access to details and settings with just a couple of mouse-clicks. The ideal scenario is that based on the Pareto principle, 80-90% of all troubleshooting actions can be carried out quickly, without having to spend ages trawling through log files.

Getting to grips with the system’s inner workings
At the moment, most network administration centres are nowhere near achieving this situation. An administrator’s daily work typically involves using tools offering a variety of functions, but which can only handle operational activities to a limited extent. They force administrators to exit frequently from the GUI, and only for trivial reasons, such as to use a capture tool (e.g. Tcpdump) to record certain network activities on the system or to get involved in the inner workings of the system via the system console, which can, as is well known, end in grief.

If we look at the typical interaction administrators have with their system tools, we can clearly see three basic, effort-intensive areas of activity:

1. Systems operation, diagnostics and troubleshooting
2. Reporting
3. Configuration and lifecycle management.

The first area, systems operation, diagnostics and troubleshooting, is the one where companies generally expend the most effort. In this case, using smart tools to reduce the number of steps involved improves the administrator’s lot, thereby cutting costs and boosting productivity in the company, as resolving problems in particular can now be carried out more efficiently.

In practice, providing administrators with an information architecture which allows them to get down to the required information level quickly has proved to be a success. This concept should be applied in the GUI in the form of the following items:

a)Real-time status information – this is required to provide a quick overview of the current system activities going on. One key aspect in terms of making it user-friendly is to provide a simple option for setting filters. This will allow administrators to decide in a rough manner what is of interest to them.

b)Apart from providing real-time status, a cumulative short history of activities has also been helpful. It provides another higher level of abstraction than the log file analysis and makes it possible in many cases to quickly say: “The client never accessed the gateway” or even “Access was refused because the password was wrong”.

c)As administrators do not always want to be stuck in front of the console, there should be some way for important messages to reach them. Eventing is a form of active log where it is important that the delivery of event messages can be configured in a flexible manner. For instance, administrators can indicate the urgency of a problem using visual warnings on screen and acoustic warning signals on the computer. In even more urgent cases, they could send a message via SMS to the mobile. The administrator can adapt the process to the team’s usual way of working so that any incident will be dealt with in a sufficiently prompt manner.

d)Statistics and graphs are a 4th level which can be used to help people gain a better understanding of what is going on. A picture does not always say more than a thousand words, but it always says more than a long column of figures. In this case, it is important to focus on the fact that visual representations are available in real time to support time-critical analyses.

e)Finally, the log file is the last level of analysis where the other options are no longer of any use. But this does not mark the point where the concept of usability reaches its limits. A functionally rich viewer should be used to speed up the analysis of log files, especially one offering flexible filter options. Otherwise, it takes a huge amount of time working through the large quantity of data in the log files.

The statistics and graphs mentioned above already cover many of the typical reporting requirements, the second area referred to above. If administration tools make it possible to display all current parameters graphically and a fully centralised management console collates all the information from the individual components, very large parts of the reporting task can be automated.

As far as the third area is concerned, configuration and lifecycle management, it is essential that there is also an administration tool really capable of covering the entire scope of the configuration. This places a great demand on the systems’ architecture as the benefits of easy management cannot be added on whenever it suits afterwards. Manufacturers must include these benefits in their plans right from the outset during product development, based on a bottom-up principle. In contrast to this, administrators are often faced with an umbrella-type management that has evolved over the years where every management feature is integrated individually, but only relates to a partial aspect of the system, for instance, the set of rules for firewalls, but not for the rest of the system configuration.

In addition, administrators can use management concepts which can facilitate their everyday work, such as object orientation and a good user interface. Object orientation improves the configuration’s consistency and can help speed up immensely the task of making changes to the configuration. For example, IP addresses or networks can be used as objects with meaningful names in configuration files. When the object’s content is modified this applies to every instance where it has been referred to.

Good GUIs prevent mistakes
As administrators are, fortunately, just ordinary people, even they can make mistakes. A well-designed user interface can help prevent many mistakes which can easily occur. One typical area, for instance, is when checking the details input in screen forms. A MAC address must only comprise quite specific characters, therefore making it easy to check. It should not be possible to activate configurations where mistakes in the content have been recognised. The number one method for checking input is to carry out a comprehensive consistency check where a major part of the configuration is checked for its consistency. A good example in this case is checking the consistency of a gateway’s complete network configuration. This will prevent administrators from shooting themselves in the foot as a result of changes made. Another example of what is potentially a very complex configuration is a rule tester for firewall rules, which indicates what effect scheduled changes have on important connections.

In 2008 administrators must expect to use tools such as drag-and-drop to speed up input and make it more attractive. Configuration tasks involving several systems, which are renowned for being unpleasant and prone to errors, can be simplified dramatically by combining the use of configuration templates with a graphical editor. For instance, this tool makes it possible to draw the desired VPN tunnel topology simply using the mouse.

One feature which is very valuable in multi-administrator environments is integrated version control, which is based, for instance, on the tried-and-tested Revision Control System (RCS). This makes it possible to establish which administrator has changed what, when and from where. The scope of application here is versatile. Firstly, it is very easy to make changes retrospectively. Secondly, this type of system can be used to quickly roll back the configuration to an older version in order to be able to calmly analyse the side effects that may have suddenly arisen as a result of a complicated change. The key point is that this kind of function is fully integrated in the interface and that the authentication system provides for the appropriate roles.