Help Desk Priveledged Accounts Question

[NicoleBeau]

Our organization provides the Support Desk staff with a user account and a priveledged user account that gives them limited administrative rights on the network.

I believe that this policy was implemented to provide a fail safe so that the HD would think twice before doing things and to ensure that they are truly doing things that they should be doing.

The administrator who implemented this is no longer with the company and my new Manager is questioning it's validity and logic.

My question is what does ITIL say about providing priveledged accounts to users on the Help Desk? What is the Best Practice and/or does anyone have any other suggestions on how to keep the network secure from erros and oversites?

[Skinnera]

In general isn't it desirable to have as much front-line fix capability as possible?

Sending lots of queries to 2nd & 3rd line resources is costly and not the best customer experience you can get.

In that sense - and unless I'm missing something from your query - I'd say keep the capability at Service Desk.

[dam]

I don’t think ITIL gives details about this topic. Respecting the ITIL point of view (and good sense) the more the service desk staff is able to provide directly a solution to the incidents the better your service desk will react.

You should give privileged account to service desk operator in relation with their skills/knowledge. I think this is a valid way to make the service desk truly reactive (and not only the personal assistant of the 2nd level specialist) and to qualify the service desk employees.

But of course don’t give the keys of the car to someone with no driving license!

DAM

[dboylan]

I will agree with everyone else that ITIL doesn't say anything specific about who should be performing specific IT operations. I also agree that putting the tools in the Service Desk's hands to resolve issues on first call is a good idea (assuming that they know what they are doing). I would have issue (as would a security audit) on the sharing of the privileged account.

You lose your accountability for actions taken with a shared account. If you trust your analysts to perform privileged actions, then give their named accounts those rights. That way you can't have a disgruntled employee wreck your network anonymously.

Don

[Mark-OLoughlin]

WHat ITIL does say is to look at increasing your capabilities to resolve issues at first contact via the Service Desk - reduce other costs of support ect.

So if having elevated access at the Service Desk does this in a COntrolled and Security enabled way - then yes it is valid to do this. look into the securoty aspect and ensure tat this does not alloe for a security breach.
_________________
Mark O'Loughlin
ITSM / ITIL Consultant

[ITIL_Girl]

Hi,

ITIL v3 does speak to the Super User role within an organization. I would make careful consideration to allocating Super User access to a Service Desk Agent. As controls for Security Audit conformance would get very muddy quickly and that wouldn't be a desired scenario. If you do perform the resource leveraging in that manner, prior to implementation ensure there is a well documented process that outlines the controls in place and the specific criteria for utilizing the Super User access. Hope this helps.