Position Based Access Control (PBAC) Guidance for NHS Organisations Implementing the ESR Interface to UIM This document details an approach that has been used by a number of ‘fast follower’ organisations to define NHS CRS Access Control Positions and map these to ESR positions as part of their Position Based Access Control (PBAC) activity. The accelerated approach to implementing the ESR interface to UIM, as detailed within the IIM Initiation Guide, allows organisations to activate the interface with a minimum of one ESR position mapped to an NHS CRS Access Control Position. This document is therefore relevant to: a) NHS Organisations that have already activated the interface – The approach outlined within this document can be used to assist with the deployment of the interface across an organisation following activation. b) NHS Organisations planning to activate the interface – The approach outlined within this document can be used to define NHS CRS Access Control Positions and map these to ESR positions prior to activation. The interface can however be activated with a minimum of one ESR position mapped to an NHS CRS Access Control Position. This document is intended as a template and should be amended in line with local requirements/preferences as appropriate – It is not directly supported by the NHS ESR Central Team. The feedback received from organisations that have adopted this approach suggests that it is beneficial to all organisation types. The approach utilises a ‘bottom up’ approach to PBAC (please refer to the PBAC toolkit for further details) and can be been broken down into the following steps: Step 1 - Request an ESR CRS data matching report from the NHS ESR Data Team Step 2 - Establish current CRS user access report via the NHS CRS ERS reporting Step 3 - Link the ESR CRS data matching report to the CRS user access report (2 above) by using the UUID Step 4 - Define NHS CRS Access Control Positions Step 5 - Match users to NHS CRS Access Control Positions Step 6 - Create Consolidated Position Report including the mapping of NHS CRS Access Control Positions to ESR positions
Page 1 of 18
Important Note: This document contains a number of screen prints to help explain key points. The data within these screen prints has been pseudonymised for reasons of data protection. The following spreadsheet (ACP_v1.0.xls) has been designed to be used in conjunction with this guidance. Double click on the Excel Spreadsheet icon to open and if prompted select Enable Macros. The spreadsheet should then be saved to your local device/network. NOTE: As the spreadsheet contains a macro you will need to ensure that your Excel Security settings allow macros to be run. To check the status of security settings you will need to open Excel and select Tools > Options. Select the Security tab and click Macro Security. You should then select the Medium security level and click OK to close out of the security settings and then click OK to close the options configuration tool. Any changes to security settings within Excel should be made in line with local IT policy and guidelines. ACP_v1.0.xls
Page 2 of 18
Step 1 – Request an ESR CRS data matching report from the NHS ESR Data Team Organisations deploying the interface will have a number of employees in ESR who have access to NHS CRS applications and will therefore already have a record on the Spine User Directory (SUD). For the ESR interface to function, the employee records in ESR need to be matched and then linked to their equivalent records in the Spine User Directory (SUD). The actual link between the two systems at employee level is achieved by adding the Unique User Identifier (UUID) from the SUD record into the ESR employee record. Organisations requesting activation of the interface are offered a free data load service by the NHS ESR Data Team. This facilitates the loading of the UUID and e-GIF flag into ESR, for all matching records between ESR and NHS CRS. The data load ensures that all ESR person records are linked to the appropriate record on NHS CRS prior to the activation of the interface. In advance of the data load organisations are issued data matching reports to help identify inaccuracies which will need to be amended locally to ensure consistency across both systems. Data matching reports can be requested through your Regional RPP Project Manager or by emailing firstname.lastname@example.org. Guidance on working through the data matching process can be found at http://www.electronicstaffrecord.nhs.uk/uploads/media/M3980_NHS_CRS_to_ESR_Data_Matching_User_Guidance_1.2.pdf. Note: Further details regarding the ESR interface implementation activities are available within the ‘ESR-RPP0005 ESR Interface to UIM Implementation_Approach Guide’ available via http://www.electronicstaffrecord.nhs.uk/esr-projects/integrated-identity-management/ Step 2 - Establish current CRS user access report via the NHS CRS ERS reporting The ERS (Enhanced Reporting Service) is available through the NHS Portal and to run the CRS user access report you need to have RA Manager CRS access. Note: The ERS is supported by NHS CfH, there are instructions for this service in the NRD (National RBAC Database) user guide. A help link is also available within ERS on specific commands and usage. (http://nww.connectingforhealth.nhs.uk/iim/documents/nrbacdataguide.pdf). This ad hoc ERS report is similar to the Registered Organisation Person Report but allows you to filter users and group job roles/activities for analysis of current user access rights prior to creating NHS CRS Access Control Positions. The following steps should be followed to generate the report: 1. Launch the Enhanced Reporting Service 2. Select New Web Intelligence Document 3. Select RA ad hoc reporting universe 4. In Results Objects add the following in Order •
National Administrative Code Service (NACS) Organisation Code
Page 3 of 18
Person Family Name
Organisation Person Role / Job Role Code
Role Based Access Control (RBAC) Job Roles / Job Role Name
Organisation Person Role / Area of Work Code (Optional - it is recommended that Positions do not include an AoW since these are in the process of being withdrawn)
Organisation Person Role / Work Group Codes (Optional - If you want to interrogate the Workgroups)
Organisation Person Role / Activity – Business Functions Codes
5. In Query Filters add the following •
NACS Organisation Code •
Change to ‘Equal to’ and add your 3 digit NACS code
Filter / Job Role Status ‘Active’
Organisation Person / left organisation date •
Change to ‘Equals Null’
6. Optionally you could also add a filter for only those with a Smartcard The screen should look like this but with your NACS code and User Name included:
7. Click Run Query 8. The report should look similar to this – but with UUIDs in the UUID fields:
Page 4 of 18
9. Click on the Save Icon (top left) 10. Select Save to my computer as 11. Select Excel 12. Tip: if you want to run this report again you can also use Save to put it in the Inbox rather than re-creating each time 13. Select Save at the following screen
14. Rename the document to something meaningful to you 15. Select Open
Page 5 of 18
16. Excel should open â€“ Note in the example below these are not real UUIDs 17. You now need to separate out the compound data items (i.e. multiple data items contain in one cell) that have been returned by the query 18. Delete rows 1-3 and column A 19. Insert 3 new columns to right of Job Role code column 20. Select Job Role Code Column
21. Under the Data Tab select Text to Columns 22. Select Delimited
Page 6 of 18
23. Click on Next 24. Select Other and enter a Colon (â€˜:â€™) as below
25. Click on Next 26. Leave as General then Select Finish 27. This will separate out the elements of the roles to allow the Role (R) code to appear in separate cells 28. You should now copy and paste the entire contents (Ctrl+A or click on the box to the left of column 1 and above row A to select all) of your report into the CRS Access
Page 7 of 18
tab/worksheet of your spreadsheet (ACP_v1.0.xls). Once the contents have been pasted successfully save your document locally. Step 2.1 Sorting the Activities It is now necessary to sort the activity codes relating to a users current CRS access within each record. This task can be completed in two ways. •
Option A: Separate the activity codes so that each one appears in a different cell – to achieve this option you will need to follow steps 29 - 36
Option B: Sort the activity codes into numerical order within the current cell – to achieve this option you will need to follow steps 37 – 43
Note: The preferred option for this is option B as this is a more manageable solution, however should you wish option A provides similar results. Option A The following option will enable you to split all of the activity codes relating to a users current access and place them in separate columns within the same row. Once they have been split, they should be sorted in ascending order to enable you to compare individual’s access levels more easily. 29. Open ACP_v1.0.xls and click on the CRS access tab. 30. Select the column containing the CRS activity (‘B’) codes and convert Text to Columns as in step 21 above 31. Select Delimited 32. But this time you need to select Other and copy and paste the item within the brackets (|) into the box, as shown below.
33. Select Next and Finish. 34. You will now have a report that looks similar to the following.
Page 8 of 18
35. You now to sort the contents of your work sheet. 36. You can remove the columns that you don’t require at this stage to make life easier and add appropriate headers (Titles), for example: •
Delete NACs Organisation
Delete Job Role Name
Delete the column with the ‘S’ & ‘G’ codes (columns D & E in example above)
Rename the 1st cell of the column containing the activity codes (I1 in the example above) to Activity Codes
Option B The following option is achieved using Visual Basic code. This will enable you to sort the activity codes (‘B’ codes) into order within each Job Role and keep them all within the same cell. 37. Having copied the data from your CRS report across, open ACP_v1.0.xls and click on the CRS access tab 38. Select Tools > Macro 39. Click on Macros…
40. There should only be one option available but if not, click on Sort_Activity_Codes and then click on Run
Page 9 of 18
41. You will be prompted for the column number containing the Activity Codes. This will need to be typed in and click OK.
42. The macro will then run and sort your data. You will then receive the following message where you need to click on Delete. Don’t worry that you are deleting anything important it is just that the macro creates a temporary sheet in order to run.
43. The macro will now complete and you will receive a confirmation message.
Step 3 – Link the CRS user access and data matching reports The next step is to amalgamate the data from your CRS User Access Report and ESR CRS Data Matching report using the UUID as the common denominator, as per the following examples (note – in the following examples all of the data has been pseudonymised but you will want to include the individuals name). Through linking the two reports you will be better able to focus on your current access requirements. The data matching report contains information relating to a users position which is not available in the CRS Access Report. The primary purpose of this is to establish the Employee number so that information can be linked to the staff report in subsequent steps. There are also two other benefits to linking these reports together. The first one is to ensure that you are ‘sense-checking’ your access control positions by comparing these on a per person basis against the jobs they do within your organisation. This will highlight staff that are doing the same job but also have different access levels, it will also highlight where staff may have moved to different jobs where they no longer require the access they have been given and RA have not been notified to have the access removed. The second opportunity for this linking is to complete your positions mapping in readiness for deploying CRS access via the ESR Interface if your organisation. Using this (and building in the main staff list at a later time) will identify staff in positions that should have CRS access
Page 10 of 18
who have not yet been issued with a Smartcard. Following Interface activation these users can be identified via the RA Workbench and through using the integrated functionality, Smartcards produced. Using the attached spreadsheet, in which you now have the CRS access data, paste the data from the Matched Successfully tab/worksheet from within your data matching report into the Data Mapping tab/worksheet. The first step is to check and highlight any staff that have more than one job role in the CRS access report (i.e. in the CRS Access worksheet of your spreadsheet). 44. To highlight duplicate UUID’s/Job Roles, sort the CRS Access worksheet by UUID 45. Select the cell in the 2rd row of the Column containing the UUID data (in the following example this is A2, the first UUID data entry) 46. Then click on Format > Conditional Formatting
47. The Conditional Formatting tool will then open. Change the value in the first box to ‘Formula Is’ and enter the following formula in the next box, =COUNTIF(A:A,A2)>1, (where A is the column containing the UUID data, if not change A in the formula as necessary to reflect the relevant column) as shown below.
48. Click on the Format… button and select the formatting of how you want the cells containing the duplicates to be displayed in (in the example shown duplicate UUID’s will change the cell background to red and the text bold). 49. Click on OK. 50. You will now need to copy the conditional formatting from A2 down to the other cells in your range, so with the cursor still in A2, do Edit > Copy. 51. Press Ctrl & Spacebar to select the entire column. 52. Then Edit > Paste Special. In the Paste Special dialog, select Formats and click OK. This will copy the conditional formatting to all cells in the column. Now - finally - you may see some cells with the red formatting, indicating that you have a duplicate.
Page 11 of 18
53. If you appear at first glance to have no duplicates it is a good idea to select any cell in the column and look at the conditional format (through clicking on Format > Conditional Formatting) to ensure that it has copied successfully. 54. Unfortunately you are not able to sort data by conditional formatting. So if you want to sort your data so that the duplicates are in one area you will need to follow the subsequent steps. 55. Firstly you will need to insert a column. This can be achieved through clicking on the letter of the column immediately adjacent to the one containing the UUID data and right-click the mouse to select Insert. You can then give it a heading, for example, "Duplicate?". 56. Type the following formula into the cell below the heading: =COUNTIF(A:A,A2)>1, (where A is the column containing the UUID data, if not change A in the formula as necessary to reflect the relevant column). 57. With the cell pointer in this cell, click the auto-fill handle (the little square in the lower right corner of the cell) and drag it down to the end of the data to copy the formula all the way down the range. 58. This will generate True values where duplicates exist which you will be able to use to sort the data. 59. You should now see the duplicates highlighted, in the following example in red.
Page 12 of 18
60. The duplicates now need to be merged together so that the Job Role Code and Activity Code(s) data is not lost during the amalgamation of the ERS report and the data matching report as per the screen below. 61. This can be done manually using a full colon (:) as a separator or for those of you adept in using Excel automated through amending the following steps. 62. In the example above Karl Barron has three (duplicate) entries so we will take you through how to sort this into a single entry containing all his access. 63. Firstly insert a column immediately adjacent to the one containing job role code data (in the example above this would be between columns E & F) 64. Paste the following formula contained within the brackets (=""&E21&":"&E22&":"&E23&"") into the cell next to the first job role code of a user with duplicate entries: (in the example above this would be in the ‘new’ blank column F, cell F21 - the job role codes are in column E and the user has three duplicates in rows 21-23). 65. The formula can be extended/reduced by adding additional or removing :"&cell reference&" elements. (if you are inserting additional elements insert the code between the last two sets of quotation marks in the formula. 66. If you use the merge function you will need to copy the cell containing the merged data and use Edit > Paste Special and select paste as Values to transform the formula output to data. The column holding the original job role code data, including duplicates can now be deleted. 67. The same process then needs to be followed for the Activity Code(s) data which should give you something similar to the following example.
68. Now you can begin to merge elements of the CRS Access and the Data Matching report. 69. If you haven’t already done so, copy and paste all the successfully matched data from within the Data Matching Report into the Data Matching tab/work sheet. 70. Open the Data Matching work sheet and sort the Data Matching Data by UUID 71. Add the extra column name information at the top of the columns where you intend to pull through the Job Role Name, Job Role Code and Activity Code(s) from the CRS Access tab/worksheet (in the following example they will go into F1, G1 and H1)
72. To add the Job Role Name in cell F1 type in ‘=VLOOKUP(A2,'CRS Access'!A:F,4,FALSE)’ where A2 = the UUID,
Page 13 of 18
'CRS Access'!A:F = columns 1-6 in the CRS Access worksheet 4 = the column information from the CRS Access sheet to be put into the new spreadsheet. 4 refers to column (D). FALSE = only return a value where there is a match on the UUID 73. To add the Job Role Code in cell G1 ‘=VLOOKUP(A2, 'CRS Access'!A:F,5,FALSE)’ where A2 = the UUID, 'CRS Access'!A:F = columns 1-6 in the CRS Access worksheet 5 = the column information to be put into the new spreadsheet. 5 refers to column number. FALSE = only return a value where there is a match on the UUID 74. To add the Activity Codes in cell H1 ‘=VLOOKUP(A2, 'CRS Access'!A:F,6,FALSE)’ where A2 = the UUID, 'CRS Access'!A:F = columns 1-6 in the CRS Access worksheet 6 = the column information to be put into the new spreadsheet. 6 refers to column number. FALSE = only return a value where there is a match on the UUID Note: If you need/wish to add any other information such Areas of Work and Workgroups use the formulae above and change the relevant column numbers where required. You can now copy all three sets of cell information down to the bottom of the spreadsheet. And you will be displayed with something similar to the screenshot below
ESR Primary Assignment Position
75. You now want to remove the formulae from the cells where you have pulled across data. 76. Highlight all the relevant cells (in the example above this would be columns F, G & H). 77. Click on Copy. 78. Right click and select Paste Special. 79. Click on Values. 80. Click on OK.
Page 14 of 18
The next step is to sort the data by Job Role Code and Activity Codes and start building your suggested NHS CRS Access Control Positions. Step 4 - Define NHS CRS Access Control Positions For guidance on building your NHS CRS Access Control Positions please reference the PBAC Toolkit (http://nww.connectingforhealth.nhs.uk/iim/documents/pbactoolkit.pdf) or liaise with your RPP Project Manager to obtain examples of PBACs being used by other Trusts. It is a good idea to involve the Trustâ€™s area Subject Matter Experts/Leads (Choose and Book, Secondary Usage Service, etc.) at this stage to gain their support/involvement and approval. 81. Type in the names of your NHS CRS Access Control Positions, the roles and activity codes in the relevant columns into the ACPs work sheet of your ACP.xls file (see example below).
82. Now that you have some values we recommend adding a look-up list of NHS CRS Access Control Positions that you can utilise across all the worksheets within your spreadsheet. 83. Your ACP.xls spreadsheet has this built in but if this doesnâ€™t work you will need to work through the following steps. 84. To do this firstly highlight the cells containing the NHS CRS Access Control Position titles (values in column A in the example above) and select Insert>Name>Define from the menu bar. 85. The Define Name box should appear. 86. Enter a name for your NHS CRS Access Control Position values in the box beneath Names in workbook: and enter the following =OFFSET(ACPs!$A$2,0,0,COUNTA(ACPs!$A:$A),1) in the bottom box, beneath Refers to: (see example bow) and click OK.
Page 15 of 18
87. This will create a dynamic range of values which will automatically reflect any changes to your list of NHS CRS Access Control Positions in column A. Step 5 - Match Current User Access to NHS CRS Access Control Positions It should be fairly clear to see who should be associated with which NHS CRS Access Control Position based upon current access but the recommendation is to involve the area Subject Matter Experts/Leads for approval and clarification if necessary. 88. To use your list of NHS CRS Access Control Positions values open the Data Mapping worksheet and highlight the column in which you wish to enter the NHS CRS Access Control Positions by clicking immediately above the column reference letter (e.g. H, J, etc.). 89. Next select Data>Validation from the menu bar. 90. The Data Validation box should appear. 91. Select List from the selection of values in the box beneath Allow: and enter =the name of your look up values created in the previous section and click OK.
92. When you now click in a cell in the column that you highlighted you should now see a drop down list of values NHS CRS Access Control Positions from which you can select the appropriate value for the individual in the row. 93. By sorting the data within your spreadsheet you should to be able to identify groups of users requiring the same CRS Access Control Position. Where you have done this you can select the ACP for the first user and through clicking on the box in the bottom right hand corner you can then drag the value down to add this to the relevant users. Step 6 - Create consolidated user/access through matching CRS users to current ESR staff list (PBAC Mapping Document) Once all users have been mapped to NHS CRS Access Control Positions it is necessary to match the now consolidated current user/access/ACP report to the ESR staff list to identify any potential impacts of ACPs upon the Trustâ€™s ESR Workstructure. Possible scenarios include:
Page 16 of 18
• • •
A position having 20 users and 18 of which currently require CRS access but the other 2 don’t, should everybody have access? A position having 10 users of which 5 users required one ACP and the other 5 a similar ACP with a higher level of access, should they all have the same access? Can the ACPs be combined? A position has 12 users and only 1 user has CRS access, does this person need this access?
94. The first step is to obtain a Staff List from your HR department (containing First Name, Family Name/Surname, Assignment, Employee and Position Numbers, Position and Role. UUID may also be incorporated as a sanity check). 95. Copy the data into the Staff List tab/worksheet in the Spreadsheet that you have been working on previously. 96. You will need to highlight any duplicate staff data by using the Conditional Formatting example above (steps 44-59) but this time using the employee number (to highlight multi assignment holders). 97. The data from the Data Matching tab/worksheet can now be merged into the Staff List data using a variation of the VLOOKUP formulae above (71-80) but instead of using the UUID you will now need to use the Person No. I. Sort the Data Matching worksheet by Person Number. II. Sort the Staff List data by Person Number. III. Copy the relevant header/title into the Staff List worksheet e.g. Suggested Access Control Position(s) from the top of the column. IV. Apply the VLOOKUP formula in each field and copy the formula down to the bottom of the worksheet. 98. This will leave some staff that cannot be matched because they either don’t have a UUID or they could not be matched within the data matching report (see Additional Considerations, point a) below), they will be displayed as ‘#N/A’ 99. As before highlight the column contents, copy, right-click and select Paste Special followed by Values and OK. 100. Now when you sort the data by ESR Position Title you can check to see if there are any positions that have different suggested ACP’s assigned to them. 101. Where these exist you will need to either create a new ESR Position or change the CRS Access Control position for the user(s), so that everyone in an ESR position has the same access. 102. You may also wish to check to see if there are staff in ESR Positions that have suggested ACPs but do not have a Smartcard (although they may actually require one). It must be noted that, in point 98, if a staff member does not currently have a Smartcard once the ESR-UIM Interface is activated and their position linked, the registration process can be completed through the Interface. Once any impacts on the ESR work structures have been resolved the ACP Mapping Document should be formally signed off, ideally by Information Governance, Clinical Governance and/or the Caldicott Guardian. Once the document has formal approval the Positions will need to be loaded into UIM and downloaded into ESR before the deployment of the CRS Access Control positions can begin. It is worth noting that once a PBAC approach has been utilised your NHS CRS Access Control Positions will need to be maintained/refined as new applications, systems or functionality
Page 17 of 18
utilising CRS smartcard access is deployed. Therefore look to involve Information Governance in supporting/defining this process. Additional considerations a) …….My data matching report doesn’t include everybody that is currently registered! • The Matched Successfully tab/worksheet in the Data Matching report will only include records that can be successfully matched between ESR and CRS so data cleansing should be completed ahead of the data load. • This is possible where you have registered new users after beginning the data matching process. • In this eventuality you will need to match registered CRS users directly to the staff list. As you do not have UUIDs to match on you will need to create the best common values that you can. This can be done by inserting a new column adjacent to the first name, Last name, columns in both spreadsheets and entering the following into the first row: o =B2&C2; where B2 is the first name and C2 is the surname. • This should create a concatenated value (e.g. John Smith – JohnSmith) but please not that this assumes that the values are consistent between both CRS and ESR and does not consider staff with the same name. • With the cell containing the new value selected you should be able to click on the square in the bottom right hand corner of the cell and drag the formula down to the bottom of the sheet. • Once you have done this for both sheet you can use a VLOOKUP formula (similar to that used above) to pull the UUID data through to a new column in the staff list. • Note: where the names in CRS and ESR are not the same you will not be able to link the users so please ensure that you have everybody matched. • In this scenario you would also probably need to insert NHS CRS Access Control Positions into both the Data Mapping and CRS worksheets and use a vlookup to pull the data through from both sheets into the staff list worksheet. …….we are currently deploying a CRS enabled Electronic Patient Record or other CRS application so should we wait to begin our PBAC work? • The short answer is no, as you can insert an additional worksheet into your PBAC mapping document and use a VLOOKUP to pull the data into a further column in the stafflist highlighting where ACPs can be merged.
Page 18 of 18