ITIL Service Request or Incident: Account Lockouts

General discussion on all aspects of the IT Infrastructure Library (ITIL)
Post Reply
User avatar
Volume123
Newbie
Newbie
Posts: 1
Joined: Mon Jun 24, 2013 8:00 pm

Tue Jun 25, 2013 5:49 am

Should AD Account Lockouts by logged as an Incident or Request?

This week there has been a divide on the IT Service Desk I work on were some of us think when a customer locks out their account and asks us to unlocked the account “Account Lock Outs” it should be logged as an incident and others think “Account Lock Outs” should be logged as a Service Requests.

I guess the first thing we have to look at are the definitions a “Service Requests” and the definitions of an “Incident”.

Both Incidents and Requests fall into the “Service Operation”.
Incident: An unplanned interruption to an IT Service, reduction in the quality of an IT Service, Failure of a configuration that has not yet impacted a service
Requests: Provides a mechanism for customers to request and pre-define, pre-authorised stand services. Access to a service

Now my argument is:
An "Account lockout" should logged as a Service Request because it is a "planned interruption", it is meant to happen when a customer locks out their account, it is not our fault that the customer has locked out their account

Customers do argue the case:
"I did not enter the password incorrectly 5 times"

What do you all think? Please could you justify your answer if possible?


User avatar
UKVIKING
ITIL Expert
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Tue Jun 25, 2013 6:50 am

Volume123

Is not the user's service interrupted when his account is locked out ?

This is one of those - Am I fat in this dress - questions. There is really no good answer as it can be answered bot as an Incident - ie account locked out because user cant type password and a service request - customer/ user asking for the account to be reset so that they can use it

It all depends on how the issue is resolved. If it requires action on your part - over and over and over - make it an incident so that you can track it better - ie against the user

If it is merely a click and it is unlocked - automate
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
User avatar
atlex123
Newbie
Newbie
Posts: 4
Joined: Fri Jun 14, 2013 8:00 pm

Tue Jun 25, 2013 9:48 pm

Yes, I agree with UKVIKING, its all depends on how you look at it.
Its like chicken first or egg first scenario. But IMO its Incident
I think if we go by sequence of action, it should be Incident first as user is not able to log in to the system. From the user perspective, they are not able to access services and they want this to be corrected ASAP,so they want us to logged in as Incident.
And if the cause behind account lock , it could be any reason not only 5 wrong passwords, it could be like his permission changed at back end due to some other service request and he is not aware of it or like some issue at DB level to get authentication failed error or password expired or somebody stolen his password anything.
Its depends on reason behind account locked i.e. user is trying to logged in after several days and his password got expired(then its SR) or user is confident that his password is correct but still not able to logged in(then Incident)
But the first point is he is not able to log in and hence service is interrupted so its Incident
ITIL® Expert
User avatar
usg
Newbie
Newbie
Posts: 1
Joined: Sun Jun 30, 2013 8:00 pm

Mon Jul 01, 2013 12:43 am

Look at the bigger picture. If you have 1000 users and get 10% of the user to complain of account lockout it would be 100 cases.

Following points needs to be considered:
1. Process to unlock is pre-defined.
2. It can be deployed as standard change.

Severity of the SR can be determined by its priority(Example CEO's account locked out, it could turn up as an outage) So priority matters.

As atlex123 mentioned various causes should be defined in " Information Security Policy" and inputs should be obtained from their.

My take: This should be SR rather than Incident.
Post Reply