User management

This page is to develop the problem statements and material to frame research on user management.

Problem

TIS ID management is not up to scratch with basic standards and we are uncompliant.
User roles that dictate what a user can see, are confusing. The description of the roles is not transparent.
There is no understanding whether the system for suspicious activity.
The existing user management tool is not fit for purpose e.g. not knowing when a user last logged in.
- Does not work in a way that supports admins.
- Is not user friendly.
We are not assured that the processes for adding and removing users are sufficient.
- Adding and removing users
- Changing a users roles
We do not have accountable named persons / roles who support user management.

Passwords
- no complexity rules or regular changes (against good practice)
- no self-reset of password (adds admin burden)
Multi-factor authentication (now the norm and best practice)
Single sign on (using NHSE credentials) for staff should be investigated (access is simpler), which already has MFA.

Need to be reviewed and if necessary amended.

Background and links in Confluence


	User management 2018	https://hee-tis.atlassian.net/wiki/x/LgATMw
	Series of meetings in 2020 to advance user management	https://hee-tis.atlassian.net/wiki/x/CQBzjg
	User Roles Descriptions	https://hee-tis.atlassian.net/wiki/spaces/NTCS/pages/71958539
	User Roles Descriptions - Reval

Possible further reading


	Password standards	Password administration for system owners - NCSC.GOV.UK
	ID and authentication	Identity proofing and authentication - GOV.UK (www.gov.uk)