I wanted to just add one thought to the discussion. Without knowing the organization and the history of how decisions are made, I would add one thought. IT may have to choice but to implement the policy.

What? you may ask. No choice? Surely, they do. Alas, if the organization has to live to any of the many regulations such as SOX, HIPPA, GLBA, etc. that means that IT is being audited heavily. And when auditors "suggest" new policies such as this, Board level committes or people that have a lot of "Cs" in their titles, those groups tend to listen without really understanding. "Of course the auditors are right, implement policy X immediately so we are COMPLIANT!" is the command given to the CIO.

I know everyone wants to blame IT for "getting in the users way" but sometimes there is just nothing that can be done other than to pick the right battles. Remember that what could have been suggested may have been worse that what was implemented and IT actually negotiated it back as much as they could.

There is an "advantage" to having IT do the job and that is more people are employed by IT. It doesn't seem wise, but when groups are building empires it is to be expected.

Erik is correct about the compliance aspects of document sharing and document access. Moreover, it is wholly appropriate for corporate policy to play a significant role in determining document access. These are the corporation's documents, even if they are created by an individual or a department.

That having been said, technology - in the form of Active Directory or its equivalents - is not adequate for purposes of controlling computer files that are "documents." So it is not at all surprising that IT can't keep up with the ever-evolving demand for document access changes. What is called for is the implementation of document management systems. They are designed specifically for the flexible yet controlled access of corporate documents.

So, don’t blame IT, blame the folks (whomever they are) who don't have the foresight to implement document management systems!

Gary L. (an ever-so-slightly biased vendor of document management systems)

The thing we routinely face in IT in terms of granting access:

1). Yes, we want the business units to be the ultimate granting authority. IT can implement (although even this perhaps isn't ideal), but authority should be based on business needs;

2). The business units often don't themselves understand the security structures and concepts. They often don't want to! A common perception is that this is "low-level busy work. Just get it done." When they do want to understand, the tools are usually laughably inadequate to make the job easy for them;

3). It is problematic for client departments to be wholly responsible for authority. They are normally concerned with their local business needs. This is understandable.

However, in the real world, it often leads to subverting the security requirements of the organization. Passwords get shared, security groups get bypassed, everything starts to be treated as an exception, granting authority "all" can become the norm (because it's easiest).

As to the original post, well, it seems they have a problem. The solution is classic. Build a business case to support the idea that this is a genuine problem. Suggest an acceptable alternate arrangement (or two), but only if this won't step on somebody's toes.

I just hope this works for Sharer. If their organization doesn't want to hear, or is too busy fighting fires of various types, then it may not. You won't know until you try.

Another thing to throw into the discussion:

1. Allow the user to control access.
2. The user removes all access except for himself, including admin rights.
3. Backups on the file fail, and IT doesn't catch it fast enough.
4. The user deletes the file accidentally and requests a restore.
5. Restore fails, and whose fault is it?

Yes, it's happened here.
Ed