For example, only give query/renew
capability to your Support crew, only give payment capabilities to your
finance folks, only give "messaging and crypt key" access to your technical
crew.
For legal reasons I would at least prefere to restrict
- lock/unlock(!)
- renew
- transfer(!)
with other word all the domain management
and there should be a log file showing which
action was taken by which authorized person
(perhaps you might just add an additional column to your
already existing log files with the 'subuser name')
Personally I do not care much about the other things
like payment, messaging, ...
But if somebody unlocks a domain and if the domain
will be 'stolen', this might have big legal/financial consequences.
Matthias
