TSS - User Management
This is a starting point to look at the User Management process for onboarding and managing self-service users.
Users can be managed using the AWS console or the API.
Pilot
It’s expected that we’ll use the bulk-create function in the console to create the users for the pilot. The basic process is:
Create the csv (Amazon Cognito Console > Manage User Pools > Select User Pool > Users tab > Import users > Download CSV header). This gives you a .csv file with the header row already included. It should be in UTF-8 format.
The following attributes are required:
username
mfa_enabled
email_verified or phone_number_verified
email (if email_verified is true)
phone_number (if phone_number_verified is true)
any other attributes marked as required when the User Pool was created (I assume there are none)
Create and run the User Pool Import Job - choose Create Import Job, give it a name, upload the csv and click Create Job. Then click Start.
You can view the User Pool Import Results in the CloudWatch Console.
Users will need to create their password when they first sign in. *** Need to test out a bulk create with a csv and look at how we send out the welcome email ***
Notes on the csv:
attribute values that are strings should not be in quotes
username must be unique in the User Pool and not contain spaces or tabs
birthdate attribute needs to be in US format (urgh) mm/dd/yyyy
mfa_enabled needs to be true for all users
max line length 16000 chars
max csv size is 100MB
max users in the file (i.e. rows) is 500,000
updated_at field value is epoch time in seconds e.g. 1471453471
leading or trailing whitespace will be trimmed
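As an added example (not part of this page or of any TIS code), the following Python script applies the csv rules above to a file before it is handed to an import job, so a bad row is caught locally rather than in the CloudWatch results. The header row uses the column names that Download CSV header gives you (the username and MFA columns are prefixed with cognito:), the sample rows are constructed, and the E.164 phone-number check is a Cognito requirement that this page does not list.

```python
import csv
import io
import re
from datetime import datetime

# Column names as they appear in the header downloaded from the console.
USERNAME_COL = "cognito:username"
MFA_COL = "cognito:mfa_enabled"
REQUIRED_COLUMNS = (USERNAME_COL, MFA_COL, "email", "email_verified",
                    "phone_number", "phone_number_verified")

MAX_LINE_CHARS = 16_000             # max line length from the notes above
MAX_FILE_BYTES = 100 * 1024 * 1024  # max csv size 100MB
MAX_ROWS = 500_000                  # max users (rows) per file

# Cognito expects phone numbers in E.164 form (+country number); not on this page.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def is_true(value):
    return value.strip().lower() == "true"


def validate_import_csv(text):
    """Return a list of problems found in a Cognito user-import csv (empty list = OK)."""
    problems = []
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        problems.append("file exceeds 100MB")

    # Raw-line checks: line length and quoted string values.
    for n, raw in enumerate(text.splitlines(), start=1):
        if len(raw) > MAX_LINE_CHARS:
            problems.append(f"line {n}: exceeds {MAX_LINE_CHARS} characters")
        if n > 1 and '"' in raw:
            problems.append(f"line {n}: string values must not be quoted")

    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        problems.append(f"header is missing columns: {', '.join(missing)}")
        return problems

    seen = set()
    rows = 0
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        rows += 1
        # Cognito trims leading/trailing whitespace, so validate the trimmed values.
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}

        username = row[USERNAME_COL]
        if not username:
            problems.append(f"line {n}: username is empty")
        elif re.search(r"[ \t]", username):
            problems.append(f"line {n}: username contains spaces or tabs")
        if username and username in seen:
            problems.append(f"line {n}: duplicate username {username!r}")
        seen.add(username)

        if not is_true(row[MFA_COL]):
            problems.append(f"line {n}: {MFA_COL} must be true")

        email_ok = is_true(row["email_verified"])
        phone_ok = is_true(row["phone_number_verified"])
        if not (email_ok or phone_ok):
            problems.append(f"line {n}: email_verified or phone_number_verified must be true")
        if email_ok and not row["email"]:
            problems.append(f"line {n}: email_verified is true but email is empty")
        if phone_ok and not row["phone_number"]:
            problems.append(f"line {n}: phone_number_verified is true but phone_number is empty")
        if row["phone_number"] and not E164.match(row["phone_number"]):
            problems.append(f"line {n}: phone_number is not in E.164 form (+country number)")

        birthdate = row.get("birthdate", "")
        if birthdate:
            try:
                datetime.strptime(birthdate, "%m/%d/%Y")  # US format, mm/dd/yyyy
            except ValueError:
                problems.append(f"line {n}: birthdate must be mm/dd/yyyy")

        updated_at = row.get("updated_at", "")
        if updated_at and not updated_at.isdigit():
            problems.append(f"line {n}: updated_at must be epoch seconds, e.g. 1471453471")

    if rows > MAX_ROWS:
        problems.append(f"file has {rows} rows; the limit is {MAX_ROWS}")
    return problems


# Constructed sample files (header subset only; the real downloaded header has more columns).
HEADER = ("name,email,email_verified,phone_number,phone_number_verified,"
          "birthdate,updated_at,cognito:mfa_enabled,cognito:username\n")
SAMPLE_OK = HEADER + (
    "Ada Lovelace,ada@example.org,TRUE,+447700900001,TRUE,12/10/1815,1471453471,TRUE,ada@example.org\n"
    "Bob Jones,bob@example.org,TRUE,+447700900002,FALSE,,1471453471,TRUE,bob@example.org\n")
SAMPLE_BAD = HEADER + (
    '"Bob Jones",bob@example.org,FALSE,,FALSE,1990-01-31,not-epoch,FALSE,bob jones\n'
    "Ada Lovelace,ada@example.org,TRUE,+447700900001,TRUE,12/10/1815,1471453471,TRUE,ada@example.org\n"
    "Ada Again,,TRUE,+447700900002,TRUE,,,TRUE,ada@example.org\n")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_import_csv(sample) or "no problems")
```

Once a file passes, the job can be created and started from the console as described above, or from the CLI with aws cognito-idp create-user-import-job (whose response includes the pre-signed upload URL) followed by aws cognito-idp start-user-import-job.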
What this means in non-technical terms…
This is the first attempt at defining the actual process in terms of TIS/Oriel etc. It’s a guess so will need to be added to, fixed, scribbled over etc
Users (Trainees) will need an email address and mobile number. The email address will be the username. The phone number will be used for 2FA. Q1 - should we require the email and phone number to both be verified?
Q2 - when do trainees get sent their login details? Do LOs need to do this or could it be automated - when a trainee gets created on TIS for example?
We need to signpost trainees to the support site if they have problems logging in etc.
Wider Roll-out
The TIS team doesn’t have the resource to manage the users once we get past the initial pilot phase. This will be delegated to local offices - to people who already have access to TIS-Admin as administrators.
There is an API - further details tbc. I expect we’ll need to add some basic functionality to the usermanagement service that is used for managing users in keycloak/profile. We should be able to add a connection to the Cognito User Pool API, which would allow admins to CRUD users individually or bulk create them (creating an import job via the cli returns a pre_signed_url, and you can then curl the csv to that url, so I assume* we should be able to give local office users the ability to bulk upload users).
*I should never assume
Slack: https://hee-nhs-tis.slack.com/
Jira issues: https://hee-tis.atlassian.net/issues/?filter=14213