ESR Active Directory Integration - North Cheshire Hospitals
In 2001 the Trust were faced with the task of creating and maintaining E-Mail accounts for every employee. To reduce the risk of security issues occurring and the dependency on increasing expensive technical resources, North Cheshire Hospitals identified the need for a new approach to managing computer user accounts in Microsoft Active Directory.
The Trust opted to engage BDS Solutions, providers of existing directory solutions, to adapt their existing Active Directory management software to provide facilities to automate user administration using data fed from the Trust’s HR system.
The solution delivered by BDS Solutions has been operational for five years. The primary objective to avert the need for increased investment in technical and administrative resources, estimated to be a three-fold increase on the current resource levels, has been achieved. Improvements in account security and data quality has increased end-user confidence in the accuracy of the local directory information, encouraging the take up of email and thus establish the technology as primary means of communication between staff. Recently the user account management process has been successfully updated to use data obtained from the NHS national Electronic Staff Record (ESR) system.
Situation
North Cheshire Hospitals NHS Trust is located in the North West of England, serving around 310,000 people in the locality. The Trust employs around 3,200 staff based in two busy acute hospitals, Warrington Hospital and Halton General Hospital in Runcorn. The Trust handled 75,000 A&E patients alone last year, delivering a vital service to the local community. To support the delivery of first-class health services to the general public, the Trust relies on the latest Microsoft computing and network technologies, Microsoft Active Directory and Microsoft Exchange messaging services.
It was identified that the existing manual administration of the Active Directory presented a security risk as often there was a delay in key elements of human resource data entering the administration process. These difficulties were compounded by a lack systematic auditing of user accounts assigned to employed staff and limitations in respect of the quality of personnel data available. An effective and reliable method for maintaining the local network and directory service with up-to-date and quality assured user information was a key requirement of the Trust's IT managers.
The Trust recognised that these shortcomings would be best resolved by the integration of human resource data directly with the account management functions provided by Microsoft Active Directory. Primary aims of the exercise were to:
- Create user accounts before new employees started work to avoid unnecessary delays.
- Manage user security group membership according to the employee's department.
- Ensure employee name changes were applied consistently and in a timely manner to Active Directory.
- Provide a single resilient management point for the directory.
- Deliver cost savings and productivity gains.
Steve Nicholson, IT Manager, North Cheshire Hospitals NHS Trust, says:
" We recognised that it would be a major challenge to accurately identify changes in HR and translate events such as new users or staff changes into appropriate actions in Active Directory. The short-listing of technological solutions to be considered by the Trust was heavily influenced by this requirement. Any third party tool or application employed would need to be flexible enough to make those changes based on a number of business rules applied during the processing of the HR data.
BDS Solutions were identified as having considerable expertise in this area and a successful track record providing directory solutions to the NHS. Their business knowledge combined with technical capability was essential in helping us delivery a solution to address the problem of user account management."
Solution
BDS Solutions adapted their existing Directory Manager™ software to meet the requirements for automated user account management. Utilising data provided from the HR system, each user account in Microsoft Active Directory was matched to the corresponding employee record. Once these relationships were established, the software was implemented to provide ongoing account administration of new starters, changes and the disablement of computer accounts for leavers.
Business rules defined within the software dictate what action is taken when HR data is changed as well as defining the process of introducing new users to Active Directory. These rules also determine how security group policies and permissions are applied to resources such as home folders, computer profiles, email and other network services.
Paul White – Product Directory at BDS Solutions says
"We have a well and long established pedigree in the delivery of bespoke software solutions servicing NHS address book and directory data synchronisation requirements. Our products service local organisation messaging and directory service business needs, as well as NHS National Directory data sharing and management requirements.
Our agile software development architecture and approach is ideally suited to supporting adaptation and early delivery of solutions. This capability, along with our wealth of experience and NHS business knowledge enabled us to progress and deliver North Cheshire NHS Trust requirements in a very short timescale."
Benefits
By automating the management of Active Directory user accounts, the Trust has been able to increase directory security and release resources to focus on servicing other business needs.
- Reduced security risk Previously, the IT team were reliant on receiving notification from departments when an employee left in order to disable the directory account. If this notification was not received, live accounts were left on the directory, causing a high security risk. Using Directory Manager, accounts expire once staff leave and are disabled by Directory Manager, thus greatly enhancing network security.
- Single point of administration With Directory Manager performing all primary functions of directory management, administration has been reduced to the verification of action reports produced by the software. Removing the responsibility for directory updates from a number of technical, human resource and departmental management staff, the consistency and quality has been significantly improved.
- Reduction in time and cost The exercise has significantly reduced user administration time. This has allowed technical resources to focus on other projects requiring their specialist input thus providing excellent returns on investment.
Testimonial
Steve Nicholson says:
"In a business operational environment that involves a considerable rate of staff changes the resource effort required and cost involved in ensuring that computer and information access is appropriate and timely is very high. Integration and automation between ESR and Active Directory has delivered a considerable reduction in this effort and cost and at the same time increase the reliability and security in our account management procedures."
