This page is to develop the problem statements and material to frame research on user management.
Problem
TIS ID management is not up to scratch with basic standards and we are uncompliant.
User roles that dictate what a user can see, are confusing. The description of the roles is not transparent.
There is no understanding whether the system for suspicious activity.
The existing user management tool is not fit for purpose e.g. not knowing when a user last logged in.
Does not work in a way that supports admins.
Is not user friendly.
We are not assured that the processes for adding and removing users are sufficient.
Adding and removing users
Changing a users roles
We do not have accountable named persons / roles who support user management.
Security
Passwords
no complexity rules or regular changes (against good practice)
no self-reset of password (adds admin burden)
Multi-factor authentication (now the norm and best practice)
Pass-through authentication Single sign on (using NHSE credentials) for staff should be investigated (access is simpler), which already has MFA.
User roles
Need to be reviewed and if necessary amended.
Monitoring
Monitoring access by users (to ID suspicious activity)
Background and links in Confluence
User management 2018 | ||
Series of meetings in 2020 to advance user management | ||
User Roles Descriptions | ||
User Roles Descriptions - Reval |
Possible further reading
Password standards | ||
ID and authentication |