Integrate staff identities to increase Information Security Access assurance
Active Directory (AD) and the benefits it introduces to an organisation are well recognised. However, timely and reliable administration is a critical requirement for attaining Information Security Assurance.
Directory Manager™ uses data from the NHS Electronic Staff Record (ESR), in conjunction with any other source of staff identity information, to automatically administer user records in Active Directory, the first line of defence for information access management.
Using staff identity data sourced from ESR and/or other staff management systems, Directory Manager™ can create and manage:
Manage Starters
- Active Directory user accounts
- Mailbox resources
- Home profile file folders
- Security and distribution group membership
Manage Updates
- Job / role changes (local position based access control)
- Marriages
- Change of email addresses
Manage Leavers
- Apply leaving dates
- Expire user accounts
- Revoke security permissions
Directory Manager™ hooks up to ESR, extracting data for an organisation. All changes made on ESR are then replicated onto Active Directory, reducing if not removing the need for manual administration.
Directory Manager ensures:
- Security - total control of leaver accounts
- Speed - starter accounts on AD immediately
- Accuracy - removes any chance of user error
- Efficiency - accounts processed in seconds
ESR Feed
The data held in the central ESR system contains sufficient information to manage an organisation's Active Directory. ESR provides an interface to allow this information to be easily extracted in a form that can be used by Directory Manager™ (local HR or Payroll systems can also be used in place of ESR).
Matching Accounts
Directory Manager™ manages the relationship between ESR records and Active Directory accounts through a unique key field. This field is pre-populated into Active Directory prior to using Directory Manager. This key is present in all ESR records and determines the action taken for each.
Starters
People who join an organisation will appear as a new record in ESR. Directory Manager will act on this by creating the new account and associated properties. Once the account is created, it is continually managed by Directory Manager until the person leaves the organisation.
Employee Changes
Employee information changes often, for example when people take a new role, transfer department or get married. This information feeds from ESR and is recognised by Directory Manager. Using the existing relationship, the Active Directory record will be updated accordingly.
Leavers
When an employee leaves an organisation, their record will either be given a leave date, if known, or be removed from the ESR extract. Either way, Directory Manager controls the leaving process, ensuring that once the employee has left, their account is disabled and associated security permissions revoked.
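The key-based matching and the starter, change and leaver handling described above can be sketched as a single reconciliation pass. This is an added example, not Directory Manager's own code. The record fields, the `plan_actions` name and the `max_disable_ratio` guard (which stops a truncated extract from disabling most accounts) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class HrRecord:  # one row of the HR extract (field names are assumptions)
    key: str  # unique key shared with the directory account
    name: str
    role: str
    leave_date: Optional[date] = None

@dataclass
class DirAccount:  # directory account already stamped with the key
    key: str
    name: str
    role: str
    enabled: bool = True

def plan_actions(extract, accounts, today, max_disable_ratio=0.5):
    """Return sorted (action, key, detail) tuples for one sync run."""
    hr = {r.key: r for r in extract}
    ad = {a.key: a for a in accounts}
    actions = []
    for key, rec in hr.items():
        left = rec.leave_date is not None and rec.leave_date <= today
        acct = ad.get(key)
        if acct is None:
            if not left:  # starter: key seen in the extract only
                actions.append(("create", key, rec.role))
        elif left:  # leaver with a known leave date
            if acct.enabled:
                actions.append(("disable", key, "leave date reached"))
        else:  # role change, name change and similar updates
            diff = [f for f in ("name", "role") if getattr(acct, f) != getattr(rec, f)]
            if diff:
                actions.append(("update", key, ",".join(diff)))
    # Leaver signalled by removal from the extract
    actions += [("disable", k, "absent from extract")
                for k, a in ad.items() if k not in hr and a.enabled]
    if sum(a[0] == "disable" for a in actions) > max_disable_ratio * len(ad):
        raise ValueError("refusing run: too many disables, check the extract")
    return sorted(actions)

# Constructed sample data, not taken from any real ESR extract
EXTRACT = [HrRecord("E001", "A Patel", "Nurse"), HrRecord("E005", "D Khan", "Porter"),
           HrRecord("E002", "B Jones-Smith", "Ward Manager"),
           HrRecord("E003", "C Lee", "Clerk", leave_date=date(2024, 2, 29))]
ACCOUNTS = [DirAccount("E001", "A Patel", "Nurse"), DirAccount("E004", "E Wu", "Analyst"),
            DirAccount("E002", "B Jones", "Staff Nurse"),
            DirAccount("E003", "C Lee", "Clerk")]
```

Accounts that carry no key, such as service accounts, never enter `accounts` in this sketch, so the pass cannot disable them.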
Total Management of Active Directory
By using these processes, Directory Manager working with ESR provides tightly controlled management of Active Directory, ensuring security and usability are maintained with the minimum of administration effort.
Notification Services
All actions undertaken automatically or manually through Directory Manager are recorded as events. The events can trigger e-mail notifications for every aspect of the identity management process.
Reference links are provided if secondary action is required. Examples of notifications include:
- Line managers automatically notified on new staff, staff changes or issued leaver confirmations.
- Systems administrator / security managers notified of changes to staff roles / functions.
E-mail notification types and content can be customised to deliver a specific message relative to the event and can include attachments, e.g., acceptable user policies or registration forms.
Option for Automated Deep Provisioning and Account Management
If required, bespoke deep provisioning connectors can also be implemented with Directory Manager™ to automate user account management for systems beyond Active Directory that use the following interface standards:
- Database sources via ODBC, OLE DB or ADO.NET, e.g., SQL Server, Oracle;
- Applications that expose provisioning services accessible via Web Services, XML (e.g., SPML), SOAP or WCF.
Cross organisational benefits
Directory Manager™ Notification Service delivers:
- Demonstrable savings in costs and resource effort
- Reduction in Information Governance risk
- Improved business knowledge of staff functions / roles
- Increased data security and access rights validation
- Automation of staff update workflows:
  - New starters
  - Staff changes
  - Leavers
- Reliable and consistent staff identity management source of information



