This document details what needs to be done to help new starters get up and running.
Office based
User account NBT
Before the new starter arrives they need their NBT account set up. This is done through https://servicedesk.nbt.nhs.uk/app/itdesk/HomePage.do. All new accounts need to be signed off by an authorised user; currently this is Tim Whitlock (Deactivated) (this is being changed to include Joel Collins and Jennifer Barwell), so requests are best made by them to avoid complications and delays. In the default signees' absence Retha is able to authorise a new account. NBT now quotes >8 days to set up an account.
As part of the setup the appropriate group memberships need to be added to the account and access to shared mailboxes set up. This is most readily done by suggesting another user from the same team whose memberships can be copied. New accounts require a DOB, which is used to authenticate the user for their initial password when they first log in.
After the account is set up the new starter will need to call NBT IT Support on ext 2020 (0117 414 2020 if not in the office), quoting the ticket number of the request, to get their initial password, which they will be required to change when they first log on. The first logon needs to be done in the office. Any new laptop needs to have been logged in to in the office before it can be used remotely.
Once an email has arrived to confirm account setup it should be forwarded to HR (Jennifer Barwell), and the new starter will get online as part of their initial induction. It is also useful to check the AD entries for the new user to ensure they have been added to the correct groups etc. (Common mistakes are to not set the email to default to @renalregistry.nhs.uk or to miss out email groups.)
Staff members with an @renal.org email (there is a request in to update this to ukkidney.org) are slightly more complicated because they are configured with both an @renalregistry.nhs.uk email and an @renal.org email, but with send set to default to using @renal.org. They will also need a redirect set up on renal.org and ukkidney.org that forwards mail arriving for them at these domains to their @renalregistry.nhs.uk email. Since the switch to O365 there are often difficulties with this setup: the email is set up, but the login details expect the @renalregistry account and not the @renal.org account.
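One way to script the AD check described above, as an added example (not NBT or UKRR tooling): it compares a new starter's group memberships with those of the teammate they were copied from and checks the domain of the default send address. The function name, parameter names and the sample objects are assumptions made for illustration; the objects mirror what `Get-ADUser -Properties MemberOf, proxyAddresses` returns.

```powershell
# Added example. Input objects have the shape returned by
#   Get-ADUser -Identity <name> -Properties MemberOf, proxyAddresses
# (ActiveDirectory module); the two sample objects below are constructed.
function Test-NewStarterAccount {
    param(
        [Parameter(Mandatory)] $NewUser,
        [Parameter(Mandatory)] $ReferenceUser,
        # Use 'renal.org' for staff whose default send address is @renal.org.
        [string] $ExpectedDomain = 'renalregistry.nhs.uk'
    )
    $newGroups = @($NewUser.MemberOf)
    $refGroups = @($ReferenceUser.MemberOf)
    # Groups the teammate has that were not copied to the new account.
    $missing = @($refGroups | Where-Object { $_ -and $newGroups -notcontains $_ })
    # Groups the new account has beyond the teammate's (review before sign-off).
    $extra = @($newGroups | Where-Object { $_ -and $refGroups -notcontains $_ })
    # The default address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    $primary = @($NewUser.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } |
        Select-Object -First 1
    $address = if ($primary) { $primary.Substring(5) } else { $null }
    [pscustomobject]@{
        User          = $NewUser.SamAccountName
        MissingGroups = $missing
        ExtraGroups   = $extra
        PrimarySmtp   = $address
        DomainOk      = [bool]($address -like "*@$ExpectedDomain")
    }
}

# Constructed sample data (placeholder accounts and DNs, not real entries).
$ou = 'OU=Groups,DC=example,DC=test'
$teammate = [pscustomobject]@{
    SamAccountName = 'teammate'
    MemberOf       = @("CN=RR Systems,$ou", "CN=UK RR Renal Registry,$ou")
    proxyAddresses = @('SMTP:teammate@renalregistry.nhs.uk')
}
$starter = [pscustomobject]@{
    SamAccountName = 'newstarter'
    MemberOf       = @("CN=RR Systems,$ou")
    proxyAddresses = @('SMTP:newstarter@example.test',
                       'smtp:newstarter@renalregistry.nhs.uk')
}
Test-NewStarterAccount -NewUser $starter -ReferenceUser $teammate | Format-List
```

Against the live directory, pass the two `Get-ADUser` results in place of the sample objects; a non-empty `MissingGroups` or a false `DomainOk` corresponds to the two common mistakes noted above.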
Shared Mailboxes
The form for getting a new account created (Access Request) is the same as the one used for adding shared mailbox access. When creating new users it is better to add any shared mailboxes there. Just telling them they need the same access as another user is no longer sufficient due to the move to O365. Shared mailboxes are (awaiting a confirmed list from NBT):
- UK Renal Registry Systems
- UK Kidney Association
- UK Renal Registry
- UK renal Registry Admin
- ukrr-research
- KQUIP
- Think Kidneys
- British Association for Paediatric Nephrology
- Events-Renal Association
- Nephwork
User Security Groups
We have a number of security groups set up in the AD to help manage rights for different teams. They are:
- RR Systems
- RR Statistics
- RR SMT
- RR Informatics
- RR Data Managers
- RR Business Support
- RR Validation Test
- RR Renal Association
- UK RR Renal Registry
We still have some local versions on rr-storage-live (which were used to define ACLs before the AD versions and are still in use to some degree). These should probably be moved to the AD:
- RR Research - in use
- RR Programmes
- RR PersonnelAccess - in use
Missing - RR Information Governance ?
MFA Authentication
All users should set up their MFA account settings (add a phone number to their Microsoft profile). This should then allow for proper authentication when trying to use things like virtual desktop. Users should go to https://myprofile.microsoft.com (if on the NBT network you should get logged in; if not, you will be asked for your password). Once there, select security settings and add a phone number to your profile. This number will be texted or called as part of the two-factor authentication process.
NBT documentation is at "Remote working - IT information - LINK (nbt.nhs.uk)" and "Multifactor authentication security requirement - (Work in Progress) - LINK (nbt.nhs.uk)".
Atlassian Logins
All new starters will need adding to Atlassian with access to Confluence and the appropriate Jira groups. This can be done via https://www.okta.com/uk/login/ and using renalregistry, or just using the URL https://renalregistry.okta.com. Once they have the Okta account configured with the appropriate group memberships, their account can be activated and they will get an email to configure their password etc. This can only be done once their account is configured and active, otherwise the email will never arrive. It is usually useful to point new starters to the URLs for Jira and Confluence.
ACT! if relevant
If the user needs access to ACT! then they will need an account configured on ACT!. Currently all the read/write accounts are used, so read-only accounts are the only option. Due to the age of the ACT! version we can no longer install ACT! on computers, so it is only available on machines that already have it installed. It is planned that ACT! will be replaced by CiviCRM as part of the new website development, so it is likely that accounts on the new website will replace the current ACT! accounts.
NHS.NET email
Usually the email from HR will identify if an NHS.NET email is required. This can be configured by either Tim Whitlock (Deactivated) or George Swinnerton. If the new starter already has an NHS email from their previous employment, that email can be transferred to the UKRR account, but it must be marked by their previous employer for transfer before we can take it over. Since the switch to O365 the NBT email service has been signed off by NHS Digital as being as secure as nhs.net, meaning that sending data via the @renalregistry emails to nhs.net and vice versa is secure, so a separate nhs.net account should not be necessary. However, some sites will still require us to use nhs.net.
Remote Working
With the introduction of hybrid working all users need to be able to work from home. This means all users need either an NBT laptop which is configured to work remotely or to use the virtual desktop (https://link.nbt.nhs.uk/Interact/Pages/Content/Document.aspx?id=10310) from any normal laptop. In general all users will be issued with a laptop; however, due to NBT's supply timescales, sometimes new users will need to use a normal laptop and the virtual desktop until the laptop arrives.
Laptop
Each remote worker will have their own NBT laptop. These laptops are configured to use the NBT VPN and are encrypted.
Remote access has been made a lot easier with the rollout of GlobalProtect. Laptops will have this installed by default and it will magically know if the laptop is connected via the internet or on the local hospital network and ensure a secure connection exists. The drives will all be encrypted with BitLocker as the rollout of Windows 10 on all machines is completed. New users will need to have logged into the laptop once whilst connected to the NBT internal network for GlobalProtect to work remotely. This uses their normal login to maintain an always-on connection and is now the only way to access systems remotely.
Personal Devices
As part of a security update NBT have removed access to any NBT services from a non-NBT device unless it is registered using the Intune software (What is Intune? - LINK (nbt.nhs.uk)). So if you want to access NBT emails from your personal phone you need to register your device with NBT IT. Non-NBT laptops are not supported; their documentation states: "In Tune is not supported on these devices and will not work. Please use Windows Virtual Desktop". The access provided is only via the web and not via email clients unless the device is a registered NBT device. This change is particularly annoying for phones.
Phone
Some remote workers have a separate work phone. These should be set up in the normal way but if emails are required on the phone they will need to be registered in the same way as Personal devices.
Workshare (This is now no longer used)
The programmes team used Workshare to share and manage documents.