What controls should my help desk team have over our user's accounts?

Question

We are building a software, which we have companies registering their products. We (the administrator) will have the help desk team that'll be able to help our users (companies) in case of problems.

Our platform performs transactions, and with such, we expect user support.

What controls should my help desk team have over our user's account?

For example, may they...

• Change account basic information? (Address, phone numbers, names, e-mails)
• Change account password? Or send new password email?
• Change transaction info?
• Cancel a transaction?
• Refund a transaction?
• Add or delete users? (users inside their area can delete their account, and can create new account in log in page)

As you've seen, I'm new to this area and I'm not sure what are the market standards for these settings.

Thank you very much.

Answer 1

None of these should be directly under anyone's control

What I mean is, no-one should be able to simply delete an account/transaction change a password etc. Each of these processes needs to be created in such a way that when executed all the relevant audit trails and checks are made.

Once you have done that, you are no longer trusting an individual, whomever initiates the action becomes less important because whatever happens the process is guaranteed to be followed.

Program your system so that no "admin" account is ever needed.