ESR Active Directory Integration - Mersey Care NHS Trust
Mersey Care NHS Trust introduced a service to automate their Active Directory user management using data from their Human Resources system.
To reduce the risk of security issues occurring and the dependency on expensive technical resources, Mersey Care NHS Trust identified the need for a new approach to managing computer user accounts in Microsoft Active Directory. The Trust opted to use BDS Solutions Directory Manager™ to automate directory administration using data from the national NHS Electronic Staff Record (ESR) system as the source.
Managers are now confident that security risks have been minimised whilst benefiting from a significant reduction in their user account management and administration costs. A significant improvement in user data quality and end-user confidence in the accuracy of their local directory information has also been achieved.
Situation
Mersey Care NHS Trust is located in the North West of England, providing care for over 200,000 people in the locality. The Trust employs around 4,700 staff based in 32 locations.
To support the delivery of first-class health services to the general public, the Trust relies on the latest Microsoft computing and network technologies, Microsoft Active Directory and Microsoft Exchange messaging services. It was identified that the existing manual administration of the Active Directory presented a security risk as often there was a delay in key elements of human resource data entering the administration process.
These difficulties were compounded by a lack of systematic auditing of user accounts assigned to employed staff and limitations in respect of the quality of personnel data available. An effective and reliable method for maintaining the local network and directory service with up-to-date and quality assured user information was a key requirement of the Trust's IT managers.
The Trust recognised that these shortcomings would be best resolved by the integration of human resource (ESR) data directly with the account management functions provided by Microsoft Active Directory.
Primary aims of the exercise were to:
- Create user accounts before new employees started work to avoid unnecessary delays.
- Manage user security group memberships.
- Ensure employee name changes were applied consistently and in a timely manner to Active Directory.
- Provide a single resilient management point for the directory.
- Deliver cost savings and productivity
Solution
BDS Solutions provided the Trust with their Directory Manager™ software that met all of the requirements for automated user account management.
Utilising data from the ESR system, each user account in Microsoft Active Directory is matched to the corresponding employee record to provide the mechanism for automating ongoing account administration of changes / updates, and the disablement of computer accounts for leavers.
Business rules defined within the software dictate what action is taken when HR data is changed as well as defining the process of introducing new users to Active Directory. These rules also determine how security group policies and permissions are applied to resources such as home folders, computer profiles, email and other network services.
Mark Bostock, IM&T Director at Mersey Care NHS Trust, says:
"We recognised that it would be a major challenge to accurately identify changes within the HR data and automate the user account management process. Source data attributes were required to be sufficient in terms of type and content to enable events such as new users starting or staff changes to be acted upon accordingly. BDS Solutions were identified to be a company that had considerable expertise in this area due to a successful track record providing directory solutions supporting the sharing of data between NHS Trust messaging services and the NHS National Directory. This business knowledge combined with technical capability was essential in helping us deliver a solution to address the problem of user account management."
Paul White, Product Director at BDS Solutions, says:
"Microsoft Active Directory is an extremely powerful network management solution. It represents the frontline when it comes to security and as a directory service, provides the primary point-of-contact for people within an organisation. It is vital that the directory accurately reflects staff information if the NHS is to fully exploit the opportunity for increased information sharing and collaboration, and with this, greatly enhance service delivery. Directory Manager, and the other products from our Integrated Directory Services portfolio, provides NHS organisations with an opportunity to maximise the return on investment in Microsoft technologies. We are pleased to have been able to help Mersey Care NHS Trust in this respect."
Benefits
By automating the management of Active Directory user accounts, the Trust has been able to increase directory security and release resources to focus on servicing other business needs and NPfIT deployments.
Reduced security risk
Previously, the IT team were reliant on receiving notification from departments when an employee left in order to disable the directory account. If this notification was not received, live accounts were left on the directory, causing a high security risk. With the introduction of the Directory Manager, leavers are identified from ESR and their accounts are disabled by Directory Manager, thus greatly enhancing network security.
Single point of administration
With Directory Manager™ performing all primary functions of directory management, administration has been reduced to the verification of action reports produced by the software. Removing the responsibility for directory updates from a number of technical, human resource and departmental management staff has significantly improved consistency and data quality.
Testimonial
The significant reduction in administration time has allowed technical resources to focus on other projects requiring their specialist input, thus providing an almost immediate return on investment.
Mark Bostock says: "the demand for our specialist resources is increasing as the deployment of NPfIT applications and solutions increases. By automating Active Directory administration, we are now able to dedicate more time towards servicing these new requirements".

