/ESR-RPP0009_ESR_Interface_to_UIM_Business_Proc by NHS ESR

THE ELECTRONIC STAFF RECORD PROJECT

NATIONAL HEALTH SERVICE ESR INTERFACE TO UIM: BUSINESS PROCESS SCENARIOS Information Classification: ESR User Base Author:

Chris Price

Creation Date:

29 July 2009

Last Updated:

27 October 2011

Document Ref:

ESR-RPP0009 ESR Interface to UIM Business Process Scenarios

Version:

1.1

Approvals:

Lee Pacey Title ESR Head of Development Chris Price Title RPP Implementation Manager

1. Document Control 1.1. Change Record Date

Author

Version

15 Aug 09 27 Aug 09 19 Sep 09 06 Oct 10 22 Nov 10

Allan Morris Allan Morris Allan Morris Tess Martin Chris Price

0.1 0.2 0.3 0.4 0.5

10 Dec 10

Chris Price

1.0

27 Oct 11

Chris Price

1.1

Change Reference First draf

First Draft Added new scenario 16 Release for pilot organisations only Amendments following completion of pilot phase. Significant amendments following pilot feedback and document review. Process flows also updated. Approved version following NHS ESR Central Team Review. Updated to reflect ESR Release 11 enhancements allowing for a Smartcard to be prepared in advance of hire.

1.2. Reviewers Name

Position

Lee Pacey

ESR Head of Development

Nick Adcock

ESR Design Team Lead

Maria Scott

NHS Development Team

David Booth

ESR Interface Team Manager

1.3. Distribution Copy No.

Name

Location

1 2

Library Master

Project Library Project Manager

ESR Interface to UIM Business Processes v1.1.doc

Page 2 of 42

2. Contents 1.

2. 3.

4. 5.

7. 8. 9. 10. 11.

12.

13. 14.

15. 16.

Document Control ................................................................................................ 2 1.1. Change Record ............................................................................................. 2 1.2. Reviewers ..................................................................................................... 2 1.3. Distribution .................................................................................................... 2 Contents................................................................................................................ 3 Introduction and Document Purpose ................................................................. 5 3.1. Readership.................................................................................................... 5 3.2. Document Purpose ....................................................................................... 5 3.3. Background ................................................................................................... 5 3.4. What does the ESR interface to UIM enable? .............................................. 5 3.5. Reference documentation and other information sources ............................ 6 3.6. Key Terminology ........................................................................................... 6 3.7. Process Pack components ........................................................................... 7 3.8. Assumptions ................................................................................................. 7 Table of Business Processes ............................................................................. 8 New Starters: Scenarios 1, 2, 3 (ID recorded at hire)........................................ 9 5.1. Match or partial match to correct record found (open record): Scenarios 1(ID recorded at hire) .................................................................................. 11 5.2. Match not found: Scenario 2 (ID recorded at hire) ...................................... 12 5.3. Closed record found: Scenario 3 (ID recorded at hire) ............................... 13 New Starters: Scenarios 1a, 2a, 3a (ID recorded at recruitment) .................. 14 6.1. Match or partial match to correct record found (open record): Scenarios 1a (ID recorded at recruitment) ........................................................................ 15 6.2. Match not found: Scenario 2a (ID recorded at recruitment) ........................ 15 6.3. Closed record found: Scenario 3 (ID recorded at recruitment) ................... 16 6.4. Hire Stage (ID recorded at recruitment) ...................................................... 17 Change of Personal Details: Scenario 4 .......................................................... 18 Termination: Scenario 5 .................................................................................... 19 Long Term Absence: Scenario 6 ...................................................................... 20 Change of ESR Position: Scenarios 7 – 11...................................................... 22 Move from an ESR position linked to an NHS CRS Access Control Position to another linked to a different NHS CRS Access Control Position: Scenario 7 ........................................................................................................................... 23 Move from one ESR position not linked to an NHS CRS Access Control Position to one that is: Scenario 8 ................................................................... 24 12.1. Where employee already has a UUID: Scenario 8a ................................... 24 12.2. Where employee does not have a UUID: Scenario 8b ............................... 25 Move from one ESR position linked to an NHS CRS Access Control Position to another which is not linked: Scenario 9 ...................................................... 26 New secondary assignment to an ESR position linked to an NHS CRS Access Control Position: Scenario 10 ............................................................. 27 14.1. Where primary assignment is also linked to an NHS CRS Access Control Position: Scenario 10a ................................................................................ 27 14.2. Where primary assignment is not linked to an NHS CRS Access Control Position and the ESR employee record has a UUID: Scenario 10b ........... 28 14.3. Where primary assignment is not linked to an NHS CRS Access Control Position and the ESR employee record has no UUID: Scenario 10c ......... 29 End Secondary Assignment to an ESR position linked to an NHS CRS Access Control Position: Scenario 11 ............................................................. 30 ESR position(s) linked to an NHS CRS Access Control Position (new or existing): Scenario 12 ........................................................................................ 31

ESR Interface to UIM Business Processes v1.1.doc

Page 3 of 42

17.

NHS CRS Access Control Position link is removed from an ESR position which has employees assigned to it: Scenario 13.......................................... 33 18. Create New ESR Position: Scenario 14............................................................ 35 19. Create New NHS CRS Access Control Position: Scenario 15 ....................... 38 20. Close NHS CRS Access Control Position: Scenario 16 ................................. 40 Appendix 1 – Key terminology...................................................................................... 42

ESR Interface to UIM Business Processes v1.1.doc

Page 4 of 42

3. Introduction and Document Purpose 3.1. Readership This guide is aimed at project managers, implementation managers, ESR and RA leads responsible for the delivery of HR, RA and ESR who need to understand how to set up and deploy the ESR interface to UIM. It is also aimed at any staff group impacted by the procedural changes following the activation of the interface which may include: • Recruitment/HR • RA • Line Managers • Finance • Recruitment

3.2. Document Purpose The purpose of this document is to provide an understanding of how business processes will operate following the introduction of the ESR interface to UIM. Business processes which may be affected include new starters, leavers, changes to personal details and changes to jobs/assignments. Each process is described in the document along with an associated process flow chart. Organisations deploying the ESR interface to UIM may choose to conduct process reviews and/or workshops in the period of time leading up to implementation. Ideally, to ensure the maximisation of benefits are realised, revisions to current business processes and procedures should be considered in conjunction with the new functionality of the interface. It should be noted however that the amendment of existing business processes and integration of HR/RA is not a mandatory pre-requisite for the activation of the interface.

3.3. Background The ESR interface to UIM is applicable to those organisations that have chosen to deploy the interface as part of their strategy for Integrated Identity Management (see the ‘Developing a Strategy for Integrated Identity Management’). The deployment of the interface requires other components of the Integrated Identity Management initiative to have been completed before implementation commences, these are: • Strategic decision regarding choice of implementation model based on ‘Developing a Strategy for Integrated Identity Management’. • Position Based Access Control (PBAC) including the mapping of ESR positions to NHS CRS Access Control Positions– A minimum of one NHS CRS Access Control Position must be defined and mapped to a corresponding ESR position. • Smartcard enabled access for core ESR users (i.e. all ESR users with the exception of those with access only to NLMS and Employee Self Service). Organisations should also have an awareness of the activities outlined within the HR/RA Process Integration toolkit, although the completion of these activities is not compulsory for the activation of the interface.

3.4. What does the ESR interface to UIM enable? The activation of the ESR interface to UIM completes the deployment of the Integrated Identity Management (IIM) initiative. The interface, utilising mappings between ESR positions and NHS CRS Access Control Positions as defined in UIM, automatically updates an individual’s access rights to NHS Care Records Service (NHS CRS) systems when a change is made to that individual in ESR.

ESR Interface to UIM Business Processes v1.1.doc

Page 5 of 42

3.5. Reference documentation and other information sources The following table lists documentation referenced within this guide and other sources of relevant information. Title ESR-RPP0005 ESR interface to UIM implementation approach guide ESR-RPP0006 A quick reference guide to activating the ESR interface to UIM ESR-RPP0007 ESR set up pre-interface activation quick reference guide

ESR-RPP0008 ESR set up post interface activation quick reference guide

ESR online user manual

ESR e-Learning Captivates ESR Integrated Identity Management website

UIM Implementation Guide (Link accessible via N3)

Developing a strategy for Integrated Management (Link accessible via N3) HR/RA Process Integration toolkit (Link accessible via N3)

Identity

Position Based Access Control (PBAC) Toolkit (Link accessible via N3) NHS CfH Integrated Identity Management website (Link accessible via N3)

Purpose Provides guidance regarding the implementation of the ESR interface to UIM. Provides an overview of the technical steps required to activate the ESR interface to UIM. Provides instructions regarding the ESR set-up activities that must be completed no later than 2 weeks prior to the activation of the ESR interface to UIM. Provides instructions regarding the ESR set-up activities that must be completed as soon as possible following the activation of the ESR interface to UIM. The standard ESR user manual covering all aspects of using the ESR solution including the new interface and RA functionality. E-learning tools covering the end to end processes between ESR and UIM All user documentation regarding the ESR interface to UIM is available via the ESR website http://www.electronicstaffrecord.nhs.uk/esrprojects/integrated-identity-management/ Provides instructions regarding the UIM set-up activities that must be completed no later than 2 weeks prior to the ESR set-up activities being undertaken. Provides the structure to key decisions that need to be made by NHS organisations to realise the benefits of Integrated Identity Management. Helps NHS organisations move towards the integration of business processes between Human Resources and RAs, or between RAs and other identity capture processes. Describes how to simplify the assignment of access rights to the NHS CRS. All user documentation for UIM is on the NHS CFH NWW web site.

3.6. Key Terminology It is essential that any reader of this document understands the key technical terms and acronyms that are referenced throughout. Please refer to Appendix 1 for key terms relating to the technical solutions. In addition the following concepts are used in this guide: • Linking. A link means creating a connection between types of information stored in ESR with equivalents in UIM. For example, an ESR position will be linked to an NHS CRS Access Control Position in UIM when an ESR user selects an NHS CRS Access Control Position from a list of values to link it to the ESR position. • Mapping. A mapping defines the relationship between types of information that will be or are stored in ESR with equivalents that will be or are stored in UIM. This is a precursor activity to ‘linking’. For instance the mapping of ESR positions to NHS CRS Access Control Positions can be done using reports or spreadsheets showing all ESR positions and for each entering the equivalent NHS CRS Access Control Position. Such mappings must be agreed and signed off and used when performing linking.

ESR Interface to UIM Business Processes v1.1.doc

Page 6 of 42

3.7. Process Pack components This document forms part of the business process pack for the ESR to UIM interface. The other items are: Item Process Flow charts

E-learning Captivates

Description Business Process Flow Charts for each of the scenarios listed in this document. Reference numbers are provided in the flow process steps to correlate to the steps in the scenarios below.

E-learning tools covering the end to end processes between ESR and UIM â&#x20AC;&#x201C; The Captivate sessions Include screen prints of key steps from both ESR and UIM.

Link

ESR_Interface_to_U IM_Process_flow_cha

ESR e-Learning Captivates

3.8. Assumptions 1. It is assumed that readers are familiar with the operation of ESR and specifically that of the ESR interface to UIM but also HR and workstructures. It is recommended that the ESRRPP0005 ESR interface to UIM implementation approach guide is read and understood before using this document. 2. The descriptions given in the following sections assume that these scenarios are operating in a business as usual situation at an NHS organisation â&#x20AC;&#x201C; i.e. beyond initial activation/implementation.

ESR Interface to UIM Business Processes v1.1.doc

Page 7 of 42

4. Table of Business Processes The following table lists key business processes impacted by the ESR interface to UIM for employees on ESR who will be managed via the interface. The processes in each scenario are detailed in subsequent sections of this document and are indexed from the table below.

No Scenario 1

4 5

New Starter / rehire (ID recorded at hire) New Starter / rehire (ID recorded at hire) New Starter / rehire / reverse termination (ID recorded at hire) New Starter / rehire (ID recorded at recruitment) New Starter / rehire (ID recorded at recruitment) New Starter / rehire / reverse termination (ID recorded at recruitment) Change of personal details Termination

Long term absence

Change of ESR position

Change of position

ESR Position Link added to NHS CRS Access Control Position (New or Existing) ESR Position Link removed

2 3

1a 2a 3a

13 14 15 16

Creation of a new ESR position Creation of a new NHS CRS Access Control Position Close an NHS CRS Access Control Position

Variations Exact or partial match found on NHS CRS SUD 1 No match found on NHS CRS SUD Closed record found on NHS CRS SUD

Exact or partial match found on NHS CRS SUD No match found on NHS CRS SUD Closed record found on NHS CRS SUD

When person is linked on ESR to NHS CRS SUD record Leavers / Death in Service / Redundancy / Retirement / Dismissal Maternity leave / Suspension / Career Break / Inactive â&#x20AC;&#x201C; not working (for Bank or Long Term Sickness) Move from an ESR position linked to an NHS CRS Access Control Position to another linked to a different NHS CRS Access Control Position. Move from an ESR position not linked to an NHS CRS Access Control Position to an ESR position that is linked to an NHS CRS Access Control Position. Move from an ESR position linked to an NHS CRS Access Control Position to another ESR position which is not linked. New secondary assignment to ESR position linked to an NHS CRS Access Control Position where primary assignment also linked to an NHS CRS Access Control Position End assignment to ESR position linked to an NHS CRS Access Control Position where employee also has other assignments Linking of an ESR position to an NHS CRS Access Control Position (new or existing) Removal of a link between an ESR position and an NHS CRS Access Control Position For organisational management purposes Where new / changed NHS CRS systems are introduced or as part of the accelerated approach to deployment. 2 Closing an NHS CRS Access Control Position and ensuring that all associated users have been removed first either via ESR or UIM.

Spine User Directory (SUD) The accelerated approach to deployment allows organisations to activate the interface with a minimum of one ESR position linked to an NHS CRS Access Control Position â&#x20AC;&#x201C; Refer to the ESR Interface to UIM implementation approach guide for further details.

ESR Interface to UIM Business Processes v1.1.doc

Page 8 of 42

5. New Starters: Scenarios 1, 2, 3 (ID recorded at hire) No 1

Step title Recruitment

Who Users of Recruitment URP / HR

Description Follow existing recruitment steps up to the point that an applicant is ready to be hired

Decision point

Recruitment / HR

Decision point – should the new starter have a record on ESR?

Applicant Hired

HR / Self Service Manager or Administrator

Identity Checks to set e-GIF flag

HR / RA Agents

Applicants may be hired in ESR via one of the following means: • Direct Hire (without first coming through the recruitment process) • Applicant Hire via HR Data Entry or HR Administration URPs • Using Inter Authority Transfer (IAT) to pull employee data from another ESR VPD At hire RA agents / HR users with RA responsibility must either: 1. Verify that identity checks have been completed by Recruitment (i.e. where these have previously not been recorded in ESR to set the e-GIF flag) or; 2. Carry out full identity checks as per Identity Check standards.

System sets e-GIF flag

ESR System

Following the recording of identity checks in ESR (at hire) the system automatically sets the e-GIF flag to ‘E’.

Assign employee to ESR position

Recruitment / HR / Manager SS / Admin SS

This may be done using a number of the standard URPs including Recruitment (for applicants); HR and Self Service after applicant hire

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Identity checks may be carried out by recruitment for applicants (e.g. at interview stage) and recorded in ESR If ‘YES’ continue with steps below; if ‘NO’ then the new starter may still need to be added as user on NHS CRS in which case the relevant RA procedure needs to be followed. • All applicants hired via Self Service will be placed on the RA Workbench for action as the subsequent steps must be carried out via an RA agent. • IAT transfer pull all employee data except Smartcard UUID and identity checks, which need to be redone on any new hire regardless of previous checks having been made as per the identity check standards. Using one of the following URPs: • HR Data Entry with RA • HR Administration with RA • RA Workbench This is normally done by a central function however can be devolved if required. It should be noted that in ESR the URPs by default allow access to the entire employee base and must only be issued to those staff that have the RA Agent NHS CRS role assigned. There is no user input required to set the flag. It is possible that a period of time may elapse between hire and identity check completion but this is not recommended to ensure that where NHS CRS access is required that new starters are able to access the systems that they need to do their job. Where the ESR position(s) that the employee is assigned to is / are linked to an NHS CRS Access Control Position in UIM inheritance of the access rights defined by the NHS CRS Access Control Position will take place once the new starter is also linked to an NHS CRS SUD user Page 9 of 42

Step title

Who

Description

Employee appears on RA workbench

ESR System

Search and Lookup employee user record on NHS CRS

HR user with RA agent responsibility / RA agent

The new employee will appear on the RA workbench in one of several ‘tabs’ depending on whether they have had their id checks completed or not and whether or not they have been assigned to an ESR position with a linked NHS CRS Access Control Position. The search and Lookup can be initiated from either: • Assignment form or • RA workbench

Actions / Comments record. The workbench is accessed from the following URPs: • HR Data Entry with RA • HR Administration with RA • RA Workbench

Up to 10 possible matches will be returned along with thumbnail pictures. The user may select any record to retrieve further information. Note that both Open and Closed records may be found for any one person. Where Open records exist always select one of these in preference to a Closed record.

Based on an assessment of the possible matches 3 options are available and given in the following sections. • Exact (or partial match) found (open record in NHS CRS) • No record found on NHS CRS • Closed Record found on NHS CRS Steps given for each of the 3 options carry on from Step 8 above.

ESR Interface to UIM Business Processes v1.1.doc

Page 10 of 42

5.1. Match or partial match to correct record found (open record): Scenarios 1(ID recorded at hire) This scenario is most likely where employee was at a previous organisation with a Smartcard. No 9

Step title ‘Associate Person’ option selected UUID added to the ESR employee record

Who HR user with RA agent responsibility / RA agent ESR System

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System

ESR ‘takes control’

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS User)

Description Select the associate person option where an exact match is found. The system then performs the subsequent steps: UUID returned from NHS CRS SUD entry and added to the ESR employee record. The eGIF flag will automatically change to ‘Y’ ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR (see below in personal changes for a list of these fields), including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic assignment of the NHS CRS Access Control Position that is linked to the ESR position the employee is assigned to thereby granting relevant access rights to NHS CRS systems. A refresh of person details will also be sent via the interface when associated. ESR takes control of the organisation person record in NHS CRS (i.e. Access rights are locked to ESR and cannot be changed in UIM). Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check – ref RA Terms and Conditions process.

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Ensure that the correct person has been selected by using the photo. Performed by the system

Performed by the system

Performed by the system Assignment of NHS CRS access rights will bypassed if the ESR position does not have a linked NHS CRS Access Control Position.

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 11 of 42

5.2. Match not found: Scenario 2 (ID recorded at hire) This scenario is most likely where the employee is entirely new to NHS CRS. No 16

Step title ‘Create NHS CRS Person’ option selected Select relevant UIM worklist and RA sponsor

Who HR user with RA agent responsibility / RA agent ESR System

Information sent to UIM via the worklist

ESR System

RA workbench status updated for the employee Grant create NHS CRS User request by RA agent in UIM

ESR System

Cut Smartcard for new user Status of employee in RA workbench is updated Associate the person record in ESR to their UUID record in NHS CRS

UIM user (RA agent)

ESR System

HR user with RA agent responsibility / RA agent

Description This option allows a request to be sent to the user in UIM to ‘grant’ a new record on NHS CRS SUD. ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR (see below in personal changes for a list of these fields) the user making the change and of the RA sponsor. RA Workbench in ESR updated to show the request is made and response is pending.

Actions / Comments

Performed by the system

RA agent, accessing the relevant worklist, will pick up the action sent from ESR and grants add NHS CRS user request as per standard procedures. RA agent in UIM cuts the Smartcard

This will create the SUD record along with a UUID for the new starter. RA agent in UIM does not have to re-key any data as it is all passed through by the system.

RA workbench in ESR is updated to show that the employee is available for retrieval (the UUID will also be populated in ESR). ESR user redoes the search from Step 8 (either via the assignment form or RA workbench) and then follows steps for Scenario 1a above.

Performed by the system

ESR Interface to UIM Business Processes v1.1.doc

As per standard RA procedures

Page 12 of 42

5.3. Closed record found: Scenario 3 (ID recorded at hire) This scenario will apply where a person record has been closed because they do not require any NHS CRS access for the foreseeable future (includes leavers) and have not previously been associated with any NACS organisation. No 24

Step title â&#x20AC;&#x2DC;Re-open Person on NHS CRSâ&#x20AC;&#x2122; option selected Select relevant UIM worklist and RA sponsor

Who HR user with RA agent responsibility / RA agent

Description This option allows a request to be sent to the user in UIM to have a closed record re-opened.

Actions / Comments Ensure that the correct person has been selected by using the photo.

ESR System

Performed by the system

Information sent to UIM via the worklist

ESR System

RA workbench status updated for the employee Re-open closed NHS CRS person record in UIM Cut Smartcard (if required) Status of employee in RA workbench is updated Associate the person record in ESR to their UUID record in NHS CRS

ESR System

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. RA Workbench in ESR updated to show the request is made and response is pending.

RA agent

UIM user (RA agent) ESR System

HR user with RA agent responsibility / RA agent

RA agent, accessing the relevant worklist in UIM, will pick up the action sent from ESR and grant the request to re-open the relevant record. RA agent in UIM cuts a Smartcard where user does not have their old card. RA workbench in ESR is updated to show that the employee is available for retrieval.

Performed by the system

As per standard RA procedures

Performed by the system

ESR user redoes the search from Step 8 (either via the assignment form or RA workbench) and then follows steps for Scenario 1a above.

ESR Interface to UIM Business Processes v1.1.doc

Page 13 of 42

6. New Starters: Scenarios 1a, 2a, 3a (ID recorded at recruitment) No 1

Step title Recruitment

Who Users of Recruitment URP

Description Applicant status at offer accepted.

Identity Checks to set e-GIF flag

HR / RA Agents

Identity checks recorded in ESR at recruitment.

System sets e-GIF flag

ESR System

Search and Lookup employee user record on NHS CRS

HR user with RA agent responsibility / RA agent

• Following the recording of identity checks in ESR at recruitment (at ‘offer accepted’ stage) the system automatically sets the e-GIF flag to ‘E’. The search and Lookup can be initiated from the Assignment form (applicants will not appear on the RA workbench until hire)

Actions / Comments Identity checks may be carried out by recruitment for applicants and recorded in ESR. The e-Gif flag is only set to ‘E’ when the applicant is at the ‘Offered Accepted’ stage. Organisations that wish to record identity hecks at any other stage (e.g. interview stage) may do so but this will not set the e-Gif flag to ‘E’. In this scenario organisations will need to revisit the form when the applicant is at ‘Offer Accepted’ and then reselect the RA Agent in the LOV on the ‘Enter Name of RA Agent that verified ID’ field, and save the record. This activity triggers the process to set the eGif flag to ‘E’ . Using the following URP: • Recruitment with RA This is normally done by a central function however can be devolved if required. It should be noted that in ESR the URPs by default allow access to the entire employee base and must only be issued to those staff that have the RA Agent NHS CRS role assigned. • There is no user input required to set the flag.

Page 14 of 42

6.1. Match or partial match to correct record found (open record): Scenarios 1a (ID recorded at recruitment) If a match is found on NHS CRS it will not be possible to perform the ‘associate’ until the applicant has been hired. This ensures NHS access rights are not granted via the interface in advance of an employees hire date. Refer to section 6.4 for actions required at hire to perform the ‘associate’.

6.2. Match not found: Scenario 2a (ID recorded at recruitment) This scenario is most likely where the employee is entirely new to NHS CRS. No 5

Step title ‘Create NHS CRS Person’ option selected Select relevant UIM worklist and RA sponsor

Who User with RA agent responsibility / RA agent ESR System

Information sent to UIM via the worklist

ESR System

Grant access to NHS CRS by RA agent in UIM

UIM user (RA agent)

Cut Smartcard for new user

UIM user (RA agent)

Description This option allows a request to be sent to the user in UIM to ‘grant’ a new record on NHS CRS SUD. ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR (see below in personal changes for a list of these fields) the user making the change and of the RA sponsor. RA agent, accessing the relevant worklist, will pick up the action sent from ESR and grants access (add user to NHS CRS) as per standard procedures. RA agent in UIM cuts the Smartcard

Actions / Comments

Performed by the system

This will create the SUD record along with a UUID for the new starter. RA agent in UIM does not have to re-key any data as it is all passed through by the system. As per standard RA procedures

Following the creation of the NHS CRS person record it is not be possible to perform the ‘associate’ until the applicant has been hired. This ensures NHS access rights are not granted via the interface in advance of an employees hire date. Refer to section 6.4 for actions required at hire to perform the ‘associate’.

ESR Interface to UIM Business Processes v1.1.doc

Page 15 of 42

6.3. Closed record found: Scenario 3 (ID recorded at recruitment) This scenario will apply where a person record has been closed because they do not require any NHS CRS access for the foreseeable future (includes leavers) and have not previously been associated with any NACS organisation. No 10

Step title ‘Re-open Person on NHS CRS’ option selected Select relevant UIM worklist and RA sponsor

Who User with RA agent responsibility / RA agent

Description This option allows a request to be sent to the user in UIM to have a closed record re-opened.

Actions / Comments Ensure that the correct person has been selected by using the photo.

ESR System

Performed by the system

Information sent to UIM via the worklist

ESR System

Re-open closed NHS CRS person record in UIM Cut Smartcard (if required)

RA agent

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. RA agent, accessing the relevant worklist in UIM, will pick up the action sent from ESR and grant the request to re-open the relevant record. RA agent in UIM cuts a Smartcard where user does not have their old card.

UIM user (RA agent)

Performed by the system

As per standard RA procedures

When the NHS CRS person record has been re-opened it is not be possible to perform the ‘associate’ until the applicant has been hired. This ensures NHS access rights are not granted via the interface in advance of an employees hire date. Refer to section 6.4 for actions required at hire to perform the ‘associate’.

ESR Interface to UIM Business Processes v1.1.doc

Page 16 of 42

6.4. Hire Stage (ID recorded at recruitment) No 15

Step title Applicant Hired

Who HR / Self Service Manager or Administrator

Description Applicant Hire via HR Data Entry or HR Administration URPs

Search and Lookup employee user record on NHS CRS

HR user with RA agent responsibility / RA agent

The search and Lookup can be initiated from the Assignment form (applicants will not appear on the RA workbench until hire)

‘Associate Person’ option selected UUID added to the ESR employee record

HR user with RA agent responsibility / RA agent ESR System

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System

ESR ‘takes control’

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS User)

Select the associate person option where a match is found. The system then performs the subsequent steps: UUID returned from NHS CRS SUD entry and added to the ESR employee record. The eGIF flag will automatically change to ‘Y’ ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR (see below in personal changes for a list of these fields), including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic assignment of the NHS CRS Access Control Position that is linked to the ESR position the employee is assigned to thereby granting relevant access rights to NHS CRS systems. A refresh of person details will also be sent via the interface when associated. ESR takes control of the organisation person record in NHS CRS (i.e. Access rights are locked to ESR and cannot be changed in UIM). Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check – ref RA Terms and Conditions process.

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Applicant hired. Identity checks can be recorded again in ESR ‘at hire’ if required. This will not have anu impact on the e-GIF flag already set at recruitment. Up to 10 possible matches will be returned along with thumbnail pictures. The user may select any record to retrieve further information. Note that both Open and Closed records may be found for any one person. Where Open records exist always select one of these in preference to a Closed record. Ensure that the correct person has been selected by using the photo. Performed by the system

Performed by the system

Performed by the system The assignment of NHS CRS access rights will be bypassed if the ESR position does not have a linked NHS CRS Access Control Position.

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard. Page 17 of 42

7. Change of Personal Details: Scenario 4 Personal details changes can be made in a number of ESR URPs. This includes HR and Self Service URPs. Personal details that may be updated via the interface are: • Title • First name • Middle name • Family name (last / surname) • NI number • Date of birth • Work email address (from the ESR person form) • Work phone number (via the address button on the ESR person form) • Work mobile phone number (via the address button on the ESR person form) Where an employee record in ESR is linked to an NHS CRS SUD record by a UUID then all changes made to personal details as per the above list will be sent, via the interface, to UIM to update the equivalent SUD record (regardless of whether the employee is assigned an ESR position linked to an NHS CRS Access Control Position). These updates are automated via the interface as follows: No 1

Step title Personal detail changes made by ESR user

Who HR Self Service and RA agents users in ESR

Description Changes made using standard ESR screens as part of normal data update when personal details have changed.

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

RA agent grants changes Re-cut smartcard as needed

RA agent

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with all relevant details from the employee entry in ESR (see below in personal changes for a list of these fields), including the UUIDs of the employee, the user making the change and of the RA sponsor. RA agent in UIM must grant the changes via the worklist action

RA agent

Re cut Smartcard as per standard procedures

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Any user of the following URPs can make these changes • HR data entry • HR data entry (with RA) • HR administration • HR administration (with RA) • Manager Self Service (payroll approvals required) • Manager Self Service (payroll approvals not required) • Supervisor Self Service • Administrator Self Service (payroll approvals required) • Administrator Self Service (payroll not approvals required) Performed by the system

Performed by the system

If changes are rejected a message is returned to the HR users in ESR Only required if the name has been changed .

Page 18 of 42

8. Termination: Scenario 5 This scenario applies when an ESR employee, whose record is linked via a UUID to NHS CRS leaves employment for one of a number of reasons. No 1

Step title Terminate employment on ESR

Who HR / Self Service

Reset e-GIF flag Archive identity checks

ESR System

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Remove association to NHS CRS Access Control Position Remove ESR control of record

UIM System

ESR System

UIM System

Description User in ESR terminates an employee (end employment) where their ESR record has a UUID and has access to NHS CRS. Applies to all reasons for leaving (i.e. voluntary leaving, death in service, retirement, redundancy, dismissal following disciplinary / appeal process). ESR resets the e-GIF flag to ‘N’ on the employee record Identity checks in ESR are archived (will allow fresh checks to be made in the event of a ‘rehire’ or IAT). ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Remove association of organisation person to NHS CRS Access Control Position and thereby remove access rights to systems.

Actions / Comments Applies to the following URPs: HR (data entry and administration (with or without RA) or Self Service (Administrator or Manager Self Service with or without Payroll Approvals)

UIM is automatically updated to relinquish ESR control of the organisation person record (record remains in place)

Performed by the system

ESR Interface to UIM Business Processes v1.1.doc

Performed by the system Performed by the system

Performed by the system

Page 19 of 42

9. Long Term Absence: Scenario 6 This scenario applies when the ESR assignment status is changed from an ‘Active’ status to an ‘Inactive’ status. The following assignment statuses are considered ‘Active’ in ESR: 1. Active Assignment 2. Acting Up 3. Internal Secondment ‘Inactive’ statuses include (this is not a definitive list); 1. Maternity 2. Career Break 3. Suspension 4. Inactive Not Worked (to cover Bank and other long term absence e.g. sickness) This is only applicable where the employee: • Has a UUID on their ESR record; • Are at e-GIF level 3 and • Are assigned to an ESR position which is linked to an NHS CRS Access Control Position No 1

Step title Assignment status is changed

Select relevant UIM worklist and RA sponsor

Information sent to UIM via the worklist

ESR System

Remove association to NHS CRS Access Control Position linked to that assignment Employee returns to work Assignment status is changed

UIM System

Who HR (with / without RA) Self Service, Payroll ESR System

Description Assignment status changed from ‘Active’ to one of the above list

Actions / Comments

Performed by the system

Employee

Manager / HR / RA notified of return to work

HR (with / without RA) Self Service

Following the return to work notification an ESR user updates the employee assignment status to ‘Active’.

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the

ESR System

ESR Interface to UIM Business Processes v1.1.doc

Performed by the system

Performed by the system Note that ESR retains control of the organisation person record in UIM if other assignments remain active and are linked to NHS CRS Access Control Positions. If not UIM regains control of the UIM organisation person record. Requirement on the employee to notify the relevant people. Note that if returning to work in a different position then existing assignments must be ended and new assignments to different positions established as per Scenarios 7-10. Performed by the system

Performed by the system

Page 20 of 42

Step title worklist

Who

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

Description below in personal changes for a list of these fields), including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic association of the NHS CRS organisation person record to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the ESR position the employee is assigned to) and thereby grant relevant access rights to systems. Employee checks that they have relevant access rights using NHS CRS Smartcard.

Actions / Comments

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Note: As access is revoked through ESR automatically you are not required to retain the employees Smartcard however, your organisation may decide that you are going to retain the employees Smartcard until they return. This is a local decision and the Smartcard must be returned to the employee upon their return. Note: Maternity Leave Keeping in Touch (KIT) Days If someone on maternity leave needs access to NHS CRS for a KIT day then either the assignment has to set to back to â&#x20AC;&#x2DC;Activeâ&#x20AC;&#x2122; for the day and the status changed back afterwards or a temporary Smartcard should be issued for the day.

ESR Interface to UIM Business Processes v1.1.doc

Page 21 of 42

10. Change of ESR Position: Scenarios 7 â&#x20AC;&#x201C; 11 These scenarios apply when employees move jobs (from an employment perspective) within an organisation resulting in a consequent change of access requirements. Assumptions are made that NHS CRS Access Control Positions have been set up in UIM and that both mapping and linking between ESR and NHS CRS Access Control Positions has been completed. There are 5 main variations to this scenario: 1. Move from one ESR position linked to an NHS CRS Access Control Position to another ESR 3 position linked to a different NHS CRS Access Control Position. Note: where a move takes place from one ESR position to another, and both of these ESR positions are linked to the same NHS CRS Access Control Position, no changes take place with regards to access rights from the end user perspective. 2. Move from an ESR position not linked to an NHS CRS Access Control Position to an ESR position that is 4 3. Move from an ESR position linked to an NHS CRS Access Control Position to another ESR position which is not linked. 4. New secondary assignment to ESR position linked to an NHS CRS Access Control Position where primary assignment is also linked to an NHS CRS Access Control Position. 5. End assignment to ESR position linked to an NHS CRS Access Control Position where employee also has other assignments.

The assumption is made that the employees will have a UUID on their ESR record and be identity checked to e-GIF level 3. 4 In this scenario the employees may or may not have a UUID on their ESR record ESR Interface to UIM Business Processes v1.1.doc

Page 22 of 42

11. Move from an ESR position linked to an NHS CRS Access Control Position to another linked to a different NHS CRS Access Control Position: Scenario 7 No 1

Step title Assignment changed

Who HR (with / without RA) Self Service, Payroll ESR System

Select relevant UIM worklist and RA sponsor

Information sent to UIM via the worklist

ESR System

Remove association to NHS CRS Access Control Position

UIM System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

Description Change of assignment from one ESR position to another

Actions / Comments

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Remove association of organisation person to the NHS CRS Access Control Position which is linked to the old ESR position and thereby remove access rights to NHS CRS systems. Automatic association of the organisation person record in NHS CRS to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the new ESR position that the employee has been assigned to) and thereby grant relevant access rights to systems. Employee checks that they have relevant access rights using NHS CRS Smartcard.

Performed by the system

ESR Interface to UIM Business Processes v1.1.doc

Performed by the system

Performed by the system Note that ESR retains control of the organisation person record in UIM.

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 23 of 42

12. Move from one ESR position not linked to an NHS CRS Access Control Position to one that is: Scenario 8 12.1. Where employee already has a UUID: Scenario 8a No 1

Step title Assignment changed

Who HR (with / without RA) Self Service, Payroll

Description Change of assignment from one ESR position to another

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

ESR â&#x20AC;&#x2DC;takes controlâ&#x20AC;&#x2122;

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic association of the organisation person record in NHS CRS to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the new ESR position that the employee has been assigned to) and thereby grant relevant access rights to systems. ESR takes control of the organisation person record in NHS CRS (i.e. record is locked and cannot be changed in UIM) Employee checks that they have relevant access rights using NHS CRS Smartcard.

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Where the old assignment was to an ESR position which had no link to an NHS CRS Access Control Position in UIM and the new assignment is to one with a link. Performed by the system

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 24 of 42

12.2. Where employee does not have a UUID: Scenario 8b This scenario is effectively the same as for a new starter (Scenario 1) and, based on an assessment of the possible matches, 4 options are available; i) ii) iii) iv)

Exact match found (open record in NHS CRS) Partial match found (open record in NHS CRS) No match found on NHS CRS Closed Record found on NHS CRS

For more information on how to complete this scenario please refer to Sections 5.1, 5.2, 5.3 & 5.4 above.

ESR Interface to UIM Business Processes v1.1.doc

Page 25 of 42

13. Move from one ESR position linked to an NHS CRS Access Control Position to another which is not linked: Scenario 9 This scenario will result in a removal of access rights to NHS CRS systems where the employee has no other assignments in ESR which are linked to NHS CRS Access Control Positions. No 1

Step title Assignment changed

Who HR (with / without RA) Self Service, Payroll

Description Change of assignment from one ESR position to another

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Remove association to NHS CRS Access Control Position Where there are other assignments to ESR positions with a link to an NHS CRS Access Control Position No other assignments, or other assignments are not linked to NHS CRS Access Control Position? Employee checks they have correct (or no) access

UIM System

ESR System / UIM System

Actions / Comments Where the old assignment was to an ESR position which had a link to an NHS CRS Access Control Position in UIM and the new assignment is to one without. Performed by the system

Performed by the system

ESR / UIM system

Where the person has no other assignments in ESR, or the other assignments are to ESR positions not linked to NHS CRS Access Control Positions: UIM regains control of the UIM organisation person record (record remains in place)

Performed by the system

Employee (NHS CRS User)

Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check â&#x20AC;&#x201C; ref RA Terms and Conditions process.

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

ESR Interface to UIM Business Processes v1.1.doc

Page 26 of 42

14. New secondary assignment to an ESR position linked to an NHS CRS Access Control Position: Scenario 10 14.1. Where primary assignment is also linked to an NHS CRS Access Control Position: Scenario 10a This scenario may result in extra access rights to NHS CRS systems being granted. No 1

Step title Secondary assignment created.

Who HR (with / without RA) Payroll

Description Create new secondary assignment

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic association of the organisation person record in NHS CRS to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the ESR position the employee is assigned to) and thereby grant relevant access rights to systems. Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check â&#x20AC;&#x201C; ref RA Terms and Conditions process.

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Where the existing primary assignment is to a position which has a link to an NHS CRS Access Control Position in UIM and the new assignment is also to one with. Note that Self Service users cannot currently create new assignments. Performed by the system

Performed by the system

Performed by the system If the access rights for the new position are the same as or less than the existing rights granted to the primary position then no change in access rights will be made otherwise extra access rights will be granted. The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 27 of 42

14.2. Where primary assignment is not linked to an NHS CRS Access Control Position and the ESR employee record has a UUID: Scenario 10b Will result in the granting of new access rights No 1

Step title Secondary assignment created.

Who HR (with / without RA) Payroll

Description Create new secondary assignment

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

ESR ‘takes control’

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy. UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic association of the organisation person record in NHS CRS to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the ESR position relevant to the employee’s new secondary assignment) and thereby grant relevant access rights to systems. ESR takes control of the organisation person record in NHS CRS (i.e. record is locked and cannot be changed in UIM) Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check – ref RA Terms and Conditions process.

ESR Interface to UIM Business Processes v1.1.doc

Performed by the system

Performed by the system Will grant new access rights

Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 28 of 42

14.3. Where primary assignment is not linked to an NHS CRS Access Control Position and the ESR employee record has no UUID: Scenario 10c This scenario is effectively the same as for a new starter (Scenario 1) and, based on an assessment of the possible matches, 4 options are available; v) Exact match found (open record in NHS CRS) vi) Partial match found (open record in NHS CRS) vii) No match found on NHS CRS viii) Closed Record found on NHS CRS For more information on how to complete this scenario please refer to Sections 5.1, 5.2, 5.3 & 5.4 above.

ESR Interface to UIM Business Processes v1.1.doc

Page 29 of 42

15. End Secondary Assignment to an ESR position linked to an NHS CRS Access Control Position: Scenario 11 No 1

Step title Assignment ended

Who HR (with / without RA), Payroll

Description Secondary assignment end dated

Select relevant UIM worklist and RA sponsor

ESR System

Information sent to UIM via the worklist

ESR System

Remove association to NHS CRS Access Control Position Where there are other assignments to ESR positions with a link to an NHS CRS Access Control Position No other assignments, or other assignments not linked to an NHS CRS Access Control Position? Employee checks they have correct (or no) access

UIM System

Actions / Comments Where the assignment was to a position which has a link to an NHS CRS Access Control Position in UIM Performed by the system

Performed by the system

ESR System / UIM System

Association retained to NHS CRS Access Control Positions and relevant access rights.

Performed by the system

ESR / UIM system

Where the person has no other assignments in ESR, or the other assignments are to ESR positions not linked to NHS CRS Access Control Positions: UIM is automatically updated to relinquish ESR control of the organisation person record (record remains in place) Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check â&#x20AC;&#x201C; ref RA Terms and Conditions process.

Performed by the system

Employee (NHS CRS User)

ESR Interface to UIM Business Processes v1.1.doc

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 30 of 42

16. ESR position(s) linked to an NHS CRS Access Control Position (new or existing): Scenario 12 This task is carried out in ESR by the Workstructures Administrator. The action of linking an ESR position to an NHS CRS Access Control Position in UIM means that all employees assigned to that position (where they are also linked to the SUD by a UUID and are at e-GIF level 3) will inherit access rights to NHS CRS systems. This scenario will occur: 1. As part of initial systems implementation. 2. Whenever a new NHS CRS Access Control Position is defined in UIM and downloaded to ESR(e.g. following the introduction of a new NHS CRS system or changed usage of existing systems). No Step title Who Description Actions / Comments 1 Define NHS Executive(s) or This should follow procedures • Using the Position Based CRS Access senior managers established as part of the initial Access Control (PBAC) Control responsible for: PBAC work and mapping to methodology define NHS Position(s) ESR (see PBAC toolkit CRS Access Control • IG and then Appendix 1) Positions as part of initial • Sponsors who map access implementation or when can approve to ESR subsequent changes to positions, position(s) access are needed (e.g. • Establishment as part of the accelerated control plus approach to • Workstructures implementation). administrator • Determine which ESR positions (jobs) require the access rights conferred by the new NHS CRS Access Control Position. • Create an agreed mapping table and sign this off at senior level. 2 NHS CRS RA Sponsor / NHS CRS Access Control New NHS CRS Access Control Access Agent Position(s) created in UIM. Positions may be required in Control the event of: Position(s) This may be done during • The introduction of new or created in system implementation upgraded systems UIM (follow following definition of NHS • Definition of new NHS CRS steps in CRS Access Control Access Control Positions as Scenario 15) Positions or for the reasons part of the defined given on the right. deployment strategy (e.g. as part of the accelerated approach to implementation) • New uses for existing systems (e.g. may introduce a requirement for a higher grade or different staff groups to input certain data). 3 Update list Workstructures The refresh UIM Access Note that this is an overnight of NHS CRS administrator Control Position request process run from the Submit Access needs to be run to update the Request option in ESR. Control list of values in ESR with the Positions new NHS CRS Access Control Positions. 4 Link ESR Workstructures Perform the link using the May mean changing an position(s) to administrator updated list of values for each existing link to an NHS CRS ESR Interface to UIM Business Processes v1.1.doc

Page 31 of 42

Step title new NHS CRS Access Control Position

Who

Description ESR position in the mapping table. This puts the NHS CRS Access Control Position reference onto the ESR position.

Place employees who are assigned to the ESR position but do not have a UUID or have incomplete ID checks on the RA workbench For all employees assigned to the position with a UUID & completed ID checks: select relevant UIM worklist and RA sponsor Information sent to UIM via the worklist

ESR System

System does this automatically. RA agents using the workbench then need to process each employee to complete ID checks and perform the SUD lookup as per steps in the new starter scenarios (1-3)

ESR System

ESR selects relevant UIM worklist and RA sponsor for each employee from information contained within the organisation units above the position in the hierarchy.

Performed by the system

ESR System

Performed by the system

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Automatic association of the organisation person record(s) in NHS CRS to the equivalent NHS CRS Access Control Position (i.e. that which is linked to the ESR position the employee(s) is/are assigned to) and thereby grant relevant access rights to systems.

ESR ‘takes control’

ESR System / UIM system

Employee(s) check(s) they have correct access

Employee (NHS CRS user(s))

ESR Interface to UIM Business Processes v1.1.doc

ESR takes control of the organisation person record(s) in NHS CRS (i.e. record(s) is / are locked and cannot be changed in UIM) Employee(s) check(s) that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check – ref RA Terms and Conditions process.

Actions / Comments Access Control Position which would then involve a change of access rights where these are different between the old and new NHS CRS Access Control Positions.

Performed by the system • Where the individuals’ organisation person records in NHS CRS have other access rights (based on association to existing NHS CRS Access Control Positions in UIM), these will be superseded; unless those NHS CRS Access Control Positions are also linked to other ESR positions in the same organisation. Performed by the system

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard. Page 32 of 42

17. NHS CRS Access Control Position link is removed from an ESR position which has employees assigned to it: Scenario 13 The link to an NHS CRS Access Control Position may be removed if for instance: 1. it is deemed that the ESR position no longer carries relevant access rights on NHS CRS 2. Where a restructuring in workstructures means that employees are moved to other positions conferring access rights but that the existing position remains for other employees who have no requirement to access NHS CRS systems. The following steps only apply to employees assigned to the ESR position who have a UUID and have the e-GIF flag set to ‘Y’ in ESR. No 1

Step title Determine need to remove the link

Remove link between ESR position and NHS CRS Access Control Position Select relevant UIM worklist and RA sponsor for all employees assigned to the position Information sent to UIM via the worklist

Remove association to NHS CRS Access Control Position Where there are other assignments to ESR positions

Who Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions, • Establishment control plus • Workstructures administrator and • RA Manager Workstructures Administrator

Description Decision making based on above factors to remove a link from an ESR position to an NHS CRS Access Control Position.

Actions / Comments Confirmation of agreement to remove the link is required due to the significance and impact of the event on access rights for all employees assigned to the ESR position.

Remove link between ESR position and NHS CRS Access Control Position

Will impact all employees with an assignment to that ESR position.

ESR System

ESR selects relevant UIM worklist and RA sponsor from information contained within the organisation units above the position in the hierarchy for all employees assigned to the position.

Performed by the system

ESR System

UIM worklist updated with relevant details from ESR including the UUIDs of the employee, the user making the change and of the RA sponsor. Remove association of organisation person to NHS CRS Access Control Position and thereby remove access rights to systems.

Performed by the system

Association retained to other NHS CRS Access Control Positions and relevant access rights.

Performed by the system

UIM System

ESR System / UIM System

ESR Interface to UIM Business Processes v1.1.doc

Performed by the system

Page 33 of 42

Step title linked to NHS CRS Access Control Positions Employee checks they have correct access

Who

Description

Actions / Comments

Employee (NHS CRS User)

No other assignments linked to NHS CRS Access Control Position?

ESR / UIM system

Employee checks that they have relevant access rights using NHS CRS Smartcard. This may trigger a Terms and Conditions check â&#x20AC;&#x201C; ref RA Terms and Conditions process. Where there are no other assignments or the other assignments are to ESR positions not linked to NHS CRS Access Control Positions: UIM is automatically updated to relinquish ESR control of the organisation person record (record remains in place)

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard. Performed by the system

ESR Interface to UIM Business Processes v1.1.doc

Page 34 of 42

18. Create New ESR Position: Scenario 14 The following factors are drivers based on organisational change which will need to be reflected in ESR workstructures:

1. 2. 3. 4. 5. 6.

New job / post identified Organisation restructuring Changes to existing roles and responsibilities Merger / de-merger National / regional / local initiatives requiring a new job / post Where individuals assigned to a single existing position need differing access rights (i.e. requires a split of the position).

No 1

Step title Determine need for a new ESR position Decision making: does this new ESR position carry a requirement for access to NHS CRS?

Who HR Managers / Directors, Establishment Control, Finance 2 HR Managers / Directors, Establishment Control, Finance …plus… Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions, • Establishment control plus • Workstructures administrator and • RA Manager Where no access rights are required 3 Set up Workstructures position in Administrator ESR 4 Assign HR user(s) employees Self Service users to position

Where access rights are required 5 Determine HR Managers / access Directors, control Establishment requirements Control, Finance relevant to …plus… the new ESR Executive(s) or position senior managers responsible for: 6 Does required • IG NHS CRS ESR Interface to UIM Business Processes v1.1.doc

Description Decision making based on the above factors as to whether a new ESR position is required.

Actions / Comments

Decision making based on a review of the job role in relation to NHS CRS systems requirements and existing NHS CRS Access Control Positions. May result in a requirement for a new NHS CRS Access Control Position in which case follow steps in Scenario 15 before proceeding.

Managed entirely in ESR Set up new position in ESR

HR user assigns employees to the new position, it is assumed that these employees will have no requirements to access systems via NHS CRS Based on decision making at Step 2 above.

Check on UIM & with RA Manager to see if NHS CRS Access Control Position is Page 35 of 42

Step title Access Control Position exist? Define mapping between ESR position and new or existing NHS CRS Access Control Position Determine RA Sponsor and UIM worklist for the new position Set up position in ESR Check / update sponsor & worklists

Who • Sponsors who can approve positions, • Establishment control plus • Workstructures administrator and • RA Manager

Description already defined. If not got to Scenario 15 to create new NHS CRS Access Control Position. Formally agree which NHS CRS Access Control Position will need to be linked to the new ESR position

RA Manager, Workstructures Administrator

Decide who the Sponsor for this position is and also the UIM worklist. These may exist in the workstructures hierarchy already or may need to be changed / added. Set up new position in ESR

Workstructures Administrator Workstructures administrator

Check or update RA Sponsor and UIM worklist links on the organisation units above the position in the hierarchy based on agreements above. The refresh UIM NHS CRS Access Control Position list job needs to be run to update the list of values in ESR with the new NHS CRS Access Control Position

Update list of NHS CRS Access Control Positions

Workstructures administrator

Link ESR position(s) to new NHS CRS Access Control Position Assign employees to position

Workstructures administrator

Perform the link using the updated list of values for each ESR position in the mapping table.

HR user(s) Self Service users

HR user assigns employees to the new ESR position; it is assumed that these employees have requirements to access systems via NHS CRS.

Do the employees already have UUIDs and identity checks to eGIF level 3?

ESR System

Place employees who are assigned to

ESR System

Where they do they will be associated to the relevant NHS CRS Access Control Position on UIM and access rights updated accordingly. Where they do not they will be placed on the RA workbench for action. System does this automatically. RA agents using the workbench then need to process each

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments

Only required if a new NHS CRS Access Control Position has been added in UIM (ref Scenario 15). Note that this is an overnight process run from the Submit Request option in ESR.

All employees so assigned will need a UUID and e-GIF flag set to E following ID checks. Where this is not the case they will appear on the RA workbench following assignment to the ESR position and following the link of that position to the NHS CRS Access Control Position. Check performed by the system.

Performed by the system Reference also Scenario 10c

Page 36 of 42

Step title the position but do not have a UUID or have incomplete ID checks on the RA workbench For all employees assigned to the position with a UUID & completed id checks: select relevant UIM worklist and RA sponsor Information sent to UIM via the worklist

Who

Description employee to complete id checks and perform the SUD lookup as per steps in the new starter scenarios (1-3)

Actions / Comments

ESR System

ESR selects relevant UIM worklist and RA sponsor for each employee from information contained within the organisation units above the position in the hierarchy.

Performed by the system Reference also Scenarios 7, 8, 10a and 10b.

ESR System

Performed by the system

Association of NHS CRS Access Control Position to NHS CRS user record

ESR System / UIM system

ESR ‘takes control’

ESR System / UIM system

Employee checks they have correct access

Employee (NHS CRS user)

ESR Interface to UIM Business Processes v1.1.doc

ESR takes control of the organisation person record(s) in NHS CRS (i.e. record(s) is / are locked and cannot be changed in UIM) Employee checks that they have relevant access rights using NHS CRS Smartcard.

Performed by the system • Where the individuals’ organisation person records in NHS CRS have other access rights (based on association to NHS CRS Access Control Positions in UIM), these will be superseded; unless those NHS CRS Access Control Positions also are linked to other ESR positions in the same organisation. Performed by the system and done only if this was not previously the case.

The link between the two systems allows the correct access to be granted in real time. Therefore the access should be available by the time the user is ready to use their Smartcard.

Page 37 of 42

19. Create New NHS CRS Access Control Position: Scenario 15 New NHS CRS Access Control Positions may be required in the event of: 1. Definition of new NHS CRS Access Control Positions as part of the accelerated implementation approach/deployment strategy. 2. The introduction of new or upgraded systems 3. New uses for existing systems (e.g. may introduce a requirement for a higher grade or different staff groups to input certain data). No 1

Step title Determine need for a new NHS CRS Access Control Position

Define NHS CRS Access Control Position

NHS CRS Access Control Position(s) created in UIM Approval of new NHS CRS Access Control Position Granting of new NHS CRS Access Control Position

Is there a mapping required to ESR position(s)?

If map / link to ESR position required

Who Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions, Plus • RA Manager RA Manager Sponsor who can approve NHS CRS Access Control Position Systems administrators RA Sponsor / Agent

Description Decision making based on the above factors as to whether a new NHS CRS Access Control Position is required.

Actions / Comments

Agree title for the new NHS CRS Access Control Position and agree relevant access (RBAC) codes to define the profile for the position.

Requires a knowledge of RBAC

RA Sponsor Advanced (someone who can approve positions) RA Manager (or someone in RA who has been assigned the relevant RBAC activity code) HR Managers / Directors, Establishment Control, Finance …plus… Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions,

Approval done via worklist in UIM.

ESR Interface to UIM Business Processes v1.1.doc

NHS CRS Access Control Position(s) created in UIM.

Granting done via worklist in UIM before new NHS CRS Access Control Position can be used.

Decision making based on a review of the access control requirements in relation to existing job roles / positions as set up in ESR. May result in a requirement for a new ESR position in which case follow link with steps in Scenario 14. Go to Scenario 14

Page 38 of 42

Step title does the ESR position exist? Map /link to existing ESR position(s)? No map / link to ESR position

Who â&#x20AC;˘ Establishment control plus â&#x20AC;˘ Workstructures administrator and RA Manager RA Agents

ESR Interface to UIM Business Processes v1.1.doc

Description

Actions / Comments

Go to Scenario 12

Associate users to new NHS CRS Access Control Position in UIM

Page 39 of 42

20. Close NHS CRS Access Control Position: Scenario 16 Closing an NHS CRS Access Control Position may be required where new NHS CRS Access Control Positions have been created to supersede previous ones or where a change of systems and access requirements means that an existing position becomes redundant. This is essentially a housekeeping procedure but which is important where ESR positions are linked to the NHS CRS Access Control Position that is being closed. It is expected that this scenario may follow on from Scenarios 12, 13, 14 and 15. No 1

Step title Determine need to close an NHS CRS Access Control Position

Who Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions, Plus • RA Manager

Description Decision making based on the above factors as to whether the position should be end dated.

Determine if there are any NHS CRS users associated with the position Remove association of any NHS CRS users to the position in UIM who are not controlled by ESR Determine which ESR positions are linked to the NHS CRS Access Control Position Determine need to move employees to other ESR positions

RA Manager RA Agent

Use reports to assess which users are associated to the position. Assess if they are: • NHS CRS users not controlled by ESR or • NHS CRS users controlled by ESR Using the report created in Step 2 above remove association for these users.

RA Manager RA Agent

Actions / Comments An NHS CRS Access Control Position must not be closed unless: • All associated users in UIM have been moved to other positions where they are not controlled by ESR and • Where ESR controls any users associated to the position that they have first been moved to other assigned ESR positions and that the link to the ESR position has been removed.

RA Manager RA Agent ESR workstructures administrator

Using reports / records determine which ESR position(s) are linked to the NHS CRS Access Control Position.

If there are no linked ESR positions then no further action is necessary before the NHS CRS Access Control Position is closed.

Executive(s) or senior managers responsible for: • IG • Sponsors who can approve positions, • RA Manager • RA Agent • ESR

Assess access control requirements for the position(s) to determine if the employees assignments need to be changed to different ESR position carrying different linked NHS CRS Access Control Positions

Will depend on the reason why the NHS CRS Access Control Position is being closed. Some scenarios follow: 1. If a new NHS CRS Access Control Position has been created and this applies to all employees then you will simply need to change the linked position 2. If the NHS CRS Access

ESR Interface to UIM Business Processes v1.1.doc

Page 40 of 42

Step title

Who workstructures administrator

Description

Change NHS CRS Access Control position linked to ESR position(s) Remove NHS CRS Access Control Position linked from ESR position(s)

ESR Workstructures Administrator

Based on Scenario 1 in Step 5 above change the linked NHS CRS Access Control Position for all ESR positions affected.

ESR Workstructures Administrator

Based on Scenario 2 in Step 5 above remove the link to the NHS CRS Access Control Position for each ESR position affected.

Move ESR employees to another position

RA agent in ESR HR users

Based on scenario 3 in Step 5 above move employees to other positions.

Close NHS CRS Access Control Position

Sponsors who can approve positions

Finally when you are sure that they are no linked positions and no associated employees then the NHS CRS Access Control Position can be closed.

ESR Interface to UIM Business Processes v1.1.doc

Actions / Comments Control Position is redundant and the equivalent position in ESR no longer carries access rights then the link to the position in ESR will need to be removed. 3. If some of the employees as result of new / changed systems or job roles now need different access rights they may need to be moved to other positions. The interface will automatically remove association for assigned employees to the old NHS CRS Access Control Position and add an association to the new one.

When the link is removed the interface will remove the association (for all employees assigned to the ESR position) to the NHS CRS Access Control Position and relinquish control if they are not linked to any other NHS CRS Access Control Positions via other ESR assignments. As they are moved the interface will remove their association to the NHS CRS Access Control Position and UIM will regain control of the record if they are not linked to any other NHS CRS Access Control Positions via other assignments. If any users are still associated with the NHS CRS Access Control Position when you close it their access is immediately revoked. If these users were â&#x20AC;&#x2DC;controlledâ&#x20AC;&#x2122; by ESR via a linked position then the systems will now be out of sync. Hence it is essential to follow Steps 1 -8 first before closing the NHS CRS Access Control Position. NHS CRS Access Control Positions should then be downloaded to ESR to refresh the list available for linking to ESR positions (i.e. to ensure the closed NHS CRS Access Control Positions is removed from the ESR List Of Values).

Page 41 of 42

Appendix 1 – Key terminology The following terms are relevant to this document and have been extracted from the full Glossary of terms available via http://www.electronicstaffrecord.nhs.uk/esr-projects/integrated-identitymanagement/ • Access Control Position. An NHS CRS Access Control Position is defined in UIM and contains a set of access rights which have been approved and granted through the RA process. NHS CRS users can be associated to NHS CRS Access Control Positions directly in UIM or via the ESR interface. • Assignment. The assignment in ESR provides the link between employee and position. Each employee will have at least one assignment but may have more if they do more than one job. The assignment holds contractual data such as the grade, hours worked etc • e-GIF. Policies and standards to enable information to flow seamlessly across the public sector and provide citizens and businesses with better access to public services. All users of NHS CRS must be identity checked to e-GIF level 3. • ESR – Electronic Staff Record. The Electronic Staff Record (ESR) is the integrated Oracle Human Resource Management System (HRMS) (including Payroll) in use by the vast majority of organisations within the NHS; hosted and maintained by McKesson plc. • ESR Position. A position identifies the post/job that exists within each organisational unit as defined in the workstructures in ESR. Positions can be defined with certain default information such as grade and staff group which are inherited as defaults when an employee is attached to a position via their assignment. It will be possible to link positions in ESR to equivalent positions in UIM to be used for access control. • Integrated Identity Management – The development of closer integration between the currently separate processes involved in capturing and managing staff identity, and controlling access to the NHS Care Records Service (NHS CRS). • NHS CRS – NHS Care Records Service. The NHS Care Records Service will help NHS organisations in England to store patient health care records on computers that will link information together quickly and easily. An NHS CRS Smartcard will give a user access to the NHS CRS and other National Programme for IT applications such as Choose and Book and the Electronic Prescription Service. • PBAC – Position Based Access Control. The PBAC methodology groups access control requirements by job allowing for any number of employees to share generic access rights based on what they do rather than who they are. • RA Agent. Works under the direction of the RA Manager to administer the RA function. They are responsible for performing registration and maintenance of Sponsors and health care professionals/workers in the organisation(s) that the RA Agent holds this profile for. They also ensure that National and local RA processes are followed. • RA Sponsor. Sponsors approve access and the issue of NHS CRS Smartcards and are usually the line manager of users. In UIM Sponsors will manage approvals via worklists. • SUD – Spine User Directory. The Spine User Directory is the repository which stores users’ profiles and registration information both current and historic includes roles and organisations that an individual works for. • UIM – User Identity Manager. The new software which will provide the electronic management of access control which is replacing the current paper based registration process. • UUID – Unique User Identifier. The User’s Unique ID Number is used by all NPfIT applications to uniquely identify the user to the application. The UUID is the number displayed on the NHS CRS Smartcard. Occasionally called the UID (Unique ID Number). ESR will also hold the NHS CRS UUID against employee records so that it can validate that the employee has an active authenticated entry on NHS CRS. • Worklist. Worklists group actions in UIM, users login to their worklists to manage actions and approvals. ESR will automatically access and update worklists for many types of change initiated in ESR such as request for a new user, change access requirements based on positions and changes to personal details. • Workstructures. Workstructures is the area of ESR that allows the definition and management of the organisation structure and hierarchy within an NHS Organisation. Workstructures are hierarchical and consist of organisational units, departments, locations and positions. A specific URP manages workstructures.

ESR Interface to UIM Business Processes v1.1.doc

Page 42 of 42