I thought I'd better get this file out seeing as it's the most recent system that BT have set up. I believe it will actually be in mass use in the near future - about 3 / '96. Its basic use is to request axs on most (not all) BT internal systems (eg CSS) for a particular work team. The requests are made by the team manager as the rest of the team does not have access to this system. The accounts are set up using a hierarchy structure. It is a big but relatively simple system when compared to others... Read and understand. More at the end. This file is for informational purposes only.
Contents:-
========

Introduction
1. Logging On
2. Updating/Checking User Details
3. How to Enter a Request
   a) current/existing users
   b) new users
   c) temporary/agency people
   d) modify existing access
4. Notification of Passwords and UserID's
5. Displaying Existing Requests
   DAR
   DOR
6. Expired Temporary/Agency ID's
7. Deleting Access
8. Transferring UserID's
9. Temporary Substitution
10. Projects
11. Administrators
12. Responsibilities
13. Security
Appendix A
Appendix B
Introduction:-
============

Request Handling System (RHS) has been introduced to provide a standard and secure method of requesting access to mainframe systems. RHS is a management only application and will not be made available to non-management grades under any circumstances. The system is OUC/hierarchy built and will allow line managers to submit access requests for their direct reports and the reports of their peer managers with the same OUC structure.
RHS is a menu driven system like CSS and will enable you to generate a request for system access, monitor any existing access requests input by yourself or by others in your hierarchy, and generate a temporary/agency ID.
It would be advisable on your first entry to RHS to spend a small amount of time (15 mins) checking and where necessary updating your work team members using transaction MPD with their Employee Identification Number (EIN). You can screen dump these details to check at your leisure and update at your convenience.
In the appendices at the end of this document are listed all the database identifiers and some general searches for common systems.
Please note that when requesting access you cannot ask for TNET and IBM applications on the same request. These must always be kept separate, as mixing them may cause a delay in receiving your requests.

1. Logging On:-
=============

When first loaded RHS will show the last option on your NC menu. Log on to RHS in the normal manner with your UserID and password. You will automatically be presented with your personal details screen.
______________________________TOP__OF__SCREEN________________________________
DATE:06/11/95      Modify Personal Details for AG00006      EIN:80197794
Time:14:04:17      User:lcjap04   Panel:EBT0522   Terminal:W41MOA53

EIN ==> AG00006
Surname         <R> BODY            Building code
First Initial   <R> A               Post Point    <R> 301
Second Initial                      Addr line 1   <R> TELEPHONE HOUSE
Familiar Name   <R> ANDY            Addr line 2       MOOR LANE
User OUC        <R> NDO651          Addr line 3       PRESTON
Employee Status<R> AGEN             Post Code     <R> PR1 1BA
Job function                        User Phone    <R> 01772267454
Grade                               User Fax
EMAIL ID                            Home TNET site
Business unit                       TNET Userid
CSS Profile                         Home M/S site
CSS User Manager                    M/S Userid
NC userid                           NC Acc NODE   <R> LC
Managers EIN    <R> 811977945       Network Type  <R> SNA
Owned by LCJAP04                    Transfered to LCJAP04
Expiry Date 30/01/96

Please confirm personal details are correct: Y/N < >
Enter "Y" and press ENTER to update the profile
F1-Help F£-End F9-Applications F11-Authority
______________________________END__OF__SCREEN________________________________
If all your details are correct:-
  type Y in the selection field and press ENTER

If any of your details are incorrect or omitted:-
  type N in the selection field and press ENTER

This will change your screen to enable you to MODIFY your details. When all your personal details are correct press ENTER. If you have omitted any mandatory fields <R> you will be unable to exit this screen and will receive a red error message at the bottom of the screen. Enter the missing details and type Y in the selection field and press ENTER. You will now return to the initial screen. Type Y in the selection field and press enter to confirm your details are correct.
You should now be looking at the Managers Main Menu.
NB: You will be asked to check your personal details are correct at each logon. Please ensure that your details are always correct and are kept up to date. RHS is built with OUC hierarchies; to ensure that no problems occur you must keep your own and your direct reports' details correct at all times.

2. Updating/Checking User Details:-
==============================

Enter transaction MPD (Modify Personal Details), or type 5, onto the command line of your manager's main menu and press ENTER.
Type the EIN of the person requiring update in the selection field and press ENTER.
This will provide you with an updatable version of the personal details screen. This is similar to your own personal details screen and must be completed in the same way.
On this screen you can also change the UserID; this would be used when accepting the ownership of transient ID's, for temporary/agency people or when people are transferring between OUC's (for more info see section 8).
When you have completed the required changes and all mandatory fields have been completed, type Y in the selection field and press ENTER to confirm details are correct.

3. How to Enter a Request:-
======================

Please note : Always make a note of the job reference number for future use.
a)Entering a request for an existing user.
Enter transaction RUAA onto the command line of the main menu. Press ENTER. Enter the EIN for the relevant user into the selection field and press ENTER. You will now have a screen containing the user's details. Confirm user details are correct and if they are type Y into the selection field and press ENTER. If the details are incorrect type N into the selection field to enable you to MODIFY the user. Once you have corrected the details press PF4 to return and press Y to confirm the changes.
You will now be presented with the Application Selection List. To select the required option(s) type S on to the adjacent command line, multiple selections can be made. Press ENTER when you have selected all the required options.
You are also able to search for specific options by entering a generic key into the search field at the top of your screen. For example by entering the key +++CICP1 you should be presented with a list of all CSS databases. If you enter the database identifier i.e. A41* you will be presented with all applications running on that database.(see appendices).
Once your search is complete you must enter * into the search field and press ENTER to return to the main application list. Searches can be made as many times as needed.

______________________________TOP__OF__SCREEN________________________________
Date:06/11/95      Available Applications screen      EIN:80197794
Time:14:28:38      User:LCJAP04   Panel:EBT0222   Terminal:W41MOA53

Search for Application => *
TYPE S against he application you require access to or H for help.

S System Name                     For      At       Applid   Symbolic
- ------------------------------- -------- -------- -------- --------
  LONDON WEST END NETVIEW AOC                       A#OAO    A#OAO
  LONDON WEST END LTS                               A#OCICIP A#OCICIP
  LONDON WEST END CSS                               A#OCICP1 A#OCICP1
  LONDON WE/LW/WR CSS TRAINING                      A#OCICT1 A#OCICT1
  LONDON WEST END EQUIFAX                           A#OCICWP A#OCICWP
  LONDON WEST END CONTROL-D                         A#OCTMS  A#OCTMS
  LONDON WEST END PHOENIX/CBT                       A#OF     A#OF
  LONDON WEST END IDMS READ ONLY                    A#OIDMRD A#OIDMRD
  LONDON WEST END IDMS MAINTENAN                    A#OIDMSM A#OIDMSM
  LONDON WEST END IDMS PRODUCTIO                    A#OIDMSP A#OIDMSP

NOTE : If NC, TNET or Multsess is required request them as an application.
F1-Help F4-Cancel F7-Back F8-Forward
______________________________END__OF__SCREEN________________________________

NB: Please note only ten applications are allowed per request reference number, but if one of the applications needs to be rejected for any reason, the whole of the request will be rejected/returned to you and you will need to re-submit.

Once you have selected all your options you will be asked to validate your selections. If you select an option that already exists on the user's NC menu the word duplicate will appear in red next to the option on your validation screen. If the applications listed are correct you must then state what network modifications are needed, either TNET/MULTSESS/NC.

NB: If the user already has the option on their MULTSESS/NC menu, as in the case of NSVM, there would be no network modification, therefore all selection fields would read N. Please note you should never enter TNET and NC modifications on the request.
Also this screen has the option for additional TEXT. If further information is required to enable the access to complete successfully, i.e. printer details, or where a user needs reinstating after non-use and the option still shows on their menu, it should be entered into the text. Now type Y in the selection field to generate the request. If the options are incorrect type N and drop back to reselect.

__________________________TOP__OF__SCREEN____________________________________
Date:06/11/95      Application selection validation      EIN:80197794
Time:14:39:25      User:LCJAP04   Panel:EBTO242   Terminal:W41MOA53

Access is required to the following applications :

System name                     For      At       Applid   Symbolic
LONDON WEST END CSS                               A#OCICP1 A#OCICP1

Menu changes :-   NET menu..Y/N <N>   M/S menu..Y/N <N>   NC menu,,Y/N <N>

Text Y/N => N     Category(Pri) => 3     Target date => 14/11/95

Type Y if correct - N if incorrect => < >
PRESS ENTER to generate the request.
F1-Help F4-Can
__________________________END__OF__SCREEN____________________________________
If you entered Y into the text selection field you will now drop to the text screen. Enter your required text and press PF3 to drop back to the generated request. You should now see a display of your generated request; take a note of the request number for future use, check all of the user details are correct, then press ENTER.
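The request rules stated in this section (ten applications per request, TNET and IBM applications kept on separate requests, options already on the user's menu flagged as duplicate) can be checked before anything is submitted. The sketch below is an added example, not part of the original file and not RHS code; the `network` attribute on each application and the batching helper are assumptions of the sketch.

```python
from dataclasses import dataclass
from itertools import groupby

MAX_APPS_PER_REQUEST = 10  # "only ten applications are allowed per request"


@dataclass(frozen=True)
class App:
    symbolic: str  # symbolic as shown on the selection list, e.g. "A#OCICP1"
    network: str   # "IBM" or "TNET"; this attribute is an assumption of the sketch


def validate(selected, existing_menu):
    """Return (errors, warnings) for one request before it is generated."""
    errors, warnings = [], []
    if not selected:
        errors.append("no applications selected")
    if len(selected) > MAX_APPS_PER_REQUEST:
        errors.append(f"{len(selected)} applications selected, "
                      f"limit is {MAX_APPS_PER_REQUEST}")
    networks = sorted({app.network for app in selected})
    if len(networks) > 1:
        errors.append("mixed request: " + " and ".join(networks)
                      + " must be requested separately")
    seen = set()
    for app in selected:
        if app.symbolic in seen:
            errors.append(f"{app.symbolic} selected twice")
        seen.add(app.symbolic)
        if app.symbolic in existing_menu:
            # RHS marks these with the word "duplicate" on the validation screen
            warnings.append(f"duplicate: {app.symbolic} already on the user's menu")
    return errors, warnings


def split_into_requests(selected, existing_menu):
    """Split a wanted-access list into batches that each pass validate().

    One rejected application returns the whole request, so duplicates are
    dropped and each batch holds a single network type and at most ten items.
    """
    wanted, seen = [], set(existing_menu)
    for app in selected:
        if app.symbolic not in seen:
            seen.add(app.symbolic)
            wanted.append(app)
    wanted.sort(key=lambda app: app.network)  # stable: keeps selection order
    batches = []
    for _, group in groupby(wanted, key=lambda app: app.network):
        group = list(group)
        for start in range(0, len(group), MAX_APPS_PER_REQUEST):
            batches.append(group[start:start + MAX_APPS_PER_REQUEST])
    return batches


# Constructed sample: symbolics appear in this file, network labels are assumed.
SAMPLE = [App("A#OCICP1", "IBM"), App("A#OCICT1", "IBM"),
          App("WORKMANN", "TNET"), App("WORKMANC", "TNET")]
EXISTING_MENU = {"A#OCICT1"}

if __name__ == "__main__":
    print(validate(SAMPLE, EXISTING_MENU))
    for batch in split_into_requests(SAMPLE, EXISTING_MENU):
        print([app.symbolic for app in batch])
```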
b)Requests for BT people with no UserID
If you need to enter an access request for a new user (someone who has NEVER accessed ANY mainframe computing system), enter the request as for a current user but leave the UserID field blank. RHS will automatically enter TBA and an ID will be issued during the processing of the request. You will see the UserID on completion.
c)Requests for new Temporary/Agency people
All non BT people must be issued with a Temporary / Agency EIN, which is easily identifiable by its format of AG000001. All these EIN's are programmed to be reviewed at regular intervals. Before these EIN's are issued you must be holding a signed copy of the confidentiality agreement and no request should be made until this has been obtained. Please note as requesting manager you are responsible for these users, for the access and for any work they undertake. Temporary / agency EIN's can be transferred between managers but must not be reissued to new incoming people. When you have decided that a temporary / agency ID should be issued enter the transaction RNAID onto the command line from the main menu. Read the warning message on the screen and type Y in the selection field and enter a review date no later than the expected date of leaving.

_________________________TOP__OF__SCREEN_____________________________________
Date:06/11/95      Add a new AGENCY / TEMP userid      EIN:80197794
Time:14:47:47      User:LCJAP04   Panel:EBT0902   Terminal:W41MOA53
RNAID
_________________________________________________________________
                              WARNING
You are about to allocate a userid for a non-BT person. As a manager you
must hold a signed copy of the CONFIDENTIALITY AGREEMENT for the agency or
contract person to support this request.
The use of this ID will be monitored and you will be liable for any
unauthorized access or misuse.
By typing Y in the field below you are accepting full responsibility for
this user in line with the Computer Misuse Act and the BT Security Manual &
the Data Protection Act.

Please confirm you understand and accept the above: (Y/N) < >
Please enter a review date for user ID : (DD/MM/YY) <04/02/96>
Press "ENTER" to flow to the available application list.
F1-Help F4-Can
_________________________END__OF__SCREEN_____________________________________
At the top of the next screen is the temp/agency EIN for your user, in the format, AG00001, please keep a note of this for future use.
You must now enter ALL known personal details for the user, taking care that all mandatory fields are completed, now type Y to confirm that all details are correct.
You should now be in the application selection list and from here be able to enter the request as for a normal user. NB : Please ensure that you have read and understood the warning message on the initial screen of transaction RNAID before issuing a temp/agency ID.
d)Modifying Existing Access
Transaction RUAM allows you to modify existing access, i.e. adding datasets to existing TSO applications.
Take transaction RUAM from the main menu and enter the EIN of the user requiring the modification.
You will be presented with a list of users with existing access. Select the application requiring modification with an S on the blue command line and press ENTER.
Leave all network details as N as there is no change necessary to the user's network details. Check the details and enter Y into the completion field if they are all correct.
Then you will be presented with an additional text screen. You enter the details of the required changes here. (You may not enter profile changes for CSS).
Press PF3 to quit the text screen and you will be presented with a screen showing your modified request. Press enter to complete the transaction.

4. Notification of ID's and Passwords:-
=================================

For the initial release of RHS the user will still be notified of his UserID and password by letter from CSO or the administrator.
The letter is notification that CSO have completed their element of the request. Any system administrators must complete their work before the user can gain access to the system. If after the letter is received access cannot be gained, the system administrator must be contacted to ensure that their work has been completed.
If the people still cannot gain access after password and ID's have been issued then please report this lack of access as a fault via the Service Desk on 0345 414243.

5. Displaying a Request:-
===================

a) DAR - Display Access Request

To display individual jobs use transaction DAR; these requests are entered by yourself or your peer managers from the hierarchy structure.
From the main menu enter transaction DAR onto the command line and press ENTER. You will then be presented with a multiple choice menu for different search options.

Request      => If you have the number of the request you wish to view enter it here and no further fields need be completed. This will then display your individual request.
OUC          => By entering a line manager's OUC you will bring up all requests entered for that OUC. These are available to any line manager in the same OUC hierarchy.
Symbolic     => If you enter the symbolic of any system (i.e. a41cicp 1 LCCSS) you will bring up a list of requests containing that symbolic, including mixed requests.
EIN          => If you search by EIN you will bring up a list of all current requests for that user.
From Date    => A list of all requests on and from that particular date.
To Date      => A list of requests on or before a particular date.
Closed Y/N   => All closed requests for your OUC structure.
Rejected Y/N => All rejected requests for your OUC structure.

From any of the above you will be presented with an Access Request List. To select request details type S on the adjacent command line and press enter. This will display the individual request.
From here you can check the progress of the request, the individuals User ID and any other details.
Using PF keys you can navigate your way around extra detail, a list of accessible information is available at the bottom of the screen. A help screen is available on PF1.
b) DOR - Display Outstanding Requests
This will give you a breakdown of all your recent requests.
Type DOR on to the command line from your main menu and press enter.
This will bring up a multiple choice screen, from here you can have a quick over view of the progress of your requests.
Please take note of the requested and completed queues as it is your responsibility to close these requests once you have read and understood any messages and the user has physically accessed the systems.

i) Rejected Requests:-

These are your responsibility to close. Please ensure that you always monitor this queue. Take option 1 off the multiple choice menu and you will be presented with a list of the rejected requests. To check the details of any of these requests type S on the adjacent command line and the reason for rejection appears on the bottom of the screen. Please ensure that you read and understand the reason for rejection before closing the request. To close the request
 -press PF4 to return to the main list
 -type C on the adjacent command line and press enter.
If you have closed the job successfully the request will disappear from the main list.

ii) Completed requests

Like the rejected requests these are your responsibility to close. It is advisable that you do not close any request until the user has accessed the system. Although RHS will tell you that the job has been completed, users must not attempt to access the system until they have received their password etc. After the user has physically gained access to the required system you can now close the request. Take option 2 from the multiple choice menu of DOR. You now have a choice
 -if you are sure the user has gained access and you know the request number concerned you can close the job from this screen by typing C on the adjacent command line.
 -if you do not know which request number you wish to close you can check the details by typing S on the adjacent command line and then returning via PF3 to close.
Once the request is closed it should disappear from the list.

iii) Waiting Authorization

When selecting this option you will be presented with a list of all your jobs awaiting authorization. To check the detail of any of these type S on the adjacent command line and navigate around the details screen using the PF keys. To return to the main list press PF3.

iv) Waiting Completion

This option will provide you with a list of all your requests held by computer services and operations (CSO). These requests have been authorized and are now awaiting completion. The letter you receive is sent out on the day of completion so this is a good check to see if your user has access to the system. As before you can check the details of individual requests.

6. Expired Temporary / Agency Ids:-
==============================
When you entered a temp/agency ID you were given or stated a request review date. When the IDs reach this expiry they show on the transaction DUPPU option 2.
This will bring you up a list of all temp/agency IDs which are past their review dates.
You now have two alternatives.
If the temporary / agency ID user is still working for the company, you can select the user ID by typing S on the adjacent command line. You can now modify personal details with a new expiry date.
If the temp/agency person has left the company, all that person's access must be deleted using transaction RDTUA.
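The review described in this section amounts to a periodic recertification of temporary accounts: find every AG-prefixed ID past its review date, then either extend it or delete all access. The sketch below is an added example, not part of the original file and not RHS code; the record fields, the `still_working` flag, the "escalate" outcome and every sample value other than AG00006, LCJAP04 and 80197794 are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

TEMP_EIN = re.compile(r"^AG\d+$")  # the file shows AG000001, AG00001 and AG00006


@dataclass
class TempId:
    ein: str
    owner: str               # manager's UserID ("Owned by" on the details screen)
    review_date: str         # DD/MM/YY, as typed into RNAID
    agreement_on_file: bool  # signed confidentiality agreement held by the manager
    still_working: bool      # hypothetical flag supplied by the reviewing manager


def parse_screen_date(text):
    """Parse the DD/MM/YY format used on the RHS screens."""
    return datetime.strptime(text, "%d/%m/%y").date()


def review_queue(records, today):
    """Per owning manager, list (ein, days_overdue, action) for IDs needing work."""
    queue = {}
    for rec in records:
        if not TEMP_EIN.match(rec.ein):
            continue  # ordinary EINs carry no review date
        overdue = (today - parse_screen_date(rec.review_date)).days
        if not rec.agreement_on_file:
            # The ID should never have been issued without the agreement.
            action = "escalate: no signed confidentiality agreement"
        elif overdue <= 0:
            continue  # not yet past its review date
        elif rec.still_working:
            action = "MPD: set a new expiry date"
        else:
            action = "RDTUA: delete all access"
        queue.setdefault(rec.owner, []).append((rec.ein, max(overdue, 0), action))
    for items in queue.values():
        items.sort(key=lambda item: -item[1])  # longest overdue first
    return queue


# Constructed sample records (dates and flags invented for the example).
SAMPLE = [
    TempId("AG00006", "LCJAP04", "30/01/96", True, True),
    TempId("AG00007", "LCJAP04", "15/01/96", True, False),
    TempId("AG00008", "LCJAP09", "04/06/96", False, True),
    TempId("80197794", "LCJAP04", "01/01/96", True, True),
]

if __name__ == "__main__":
    for owner, items in review_queue(SAMPLE, parse_screen_date("04/02/96")).items():
        for ein, days, action in items:
            print(f"{owner}  {ein}  {days:3d} days overdue  {action}")
```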
This queue must be monitored and kept up to date at all times. As a manager you are responsible for these IDs and the people who have access via them. This is in line with the Computer Misuse Act, the BT Security Manual and the Data Protection Act. The use and user of this ID will be monitored and you are liable for any unauthorized access or misuse and as such are auditable.

7. Deleting Access:-
===============

a) RUDA - Request User Deletion from Application

This option is to delete specific applications from your main menu when other access is still required. Request transaction RDUA from a users main menu. Enter the EIN of the person who requires an application deleting from their TNET/NC/MULTSESS menus. You will be presented with a list of the user's applications. From this list select the application requiring deletion by typing S on the adjacent command line. You will be asked to validate your request. Before doing so check the applications listed are the correct ones you wanted. You are also asked to state where the option requiring deletion resides: NC, MULTSESS or TNET. There is also a text option on this screen for you to add extra information where necessary. To use this option type Y in the text selection field. Once you have completed this screen to your satisfaction type Y in the selection field and press enter to generate the request. Take a note of the generated request number and then press enter to complete.

b) RDTUA - Request Deletion of Total Users Access

This transaction is for total deletion of the user's computing access. It must only be used when people:-
 a) are leaving or have left the company
 b) no longer require ANY computing access to BT systems.
For the total deletion of a user's access select transaction RDTUA from the main menu and enter the user's EIN. You will now be presented with the user's personal details and a list of their current applications. There is also a text field available if required. Check the automatic target date is agreeable with your time scales; if so type Y in the confirmation field and press enter. If not then type a realistic timescale date. If you entered Y in the text selection field you will now have opportunity to enter your required message. To return to the generated request press PF3. Make note of the generated request number and press enter to complete.

NB : This transaction is yet to be installed but BT will probably have it done by May I suspect...

8. Transferring UserID's:-
=====================
RHS also gives you the ability to transfer users between managers. You do this using transaction MPD from the main menu.
Go into the transferring person's details and type the receiving manager's User ID into the transferred ID field, remembering to update the user's OUC and address details.
When the ID's are transferred they appear on the receiving manager's DUPPU queue option 1.
To accept ownership of the ID's just type Y in the selection field and then press enter to confirm.

9. Temporary Substitution:-
======================
Non managers will not have access to RHS.
This means that during periods of annual leave a manager's substitute will not be permitted to submit any requests.
However any other manager in the same tier three group will have the facility to enter any necessary requests for your people.
10. Project Work:-
===============
Occasionally in BT you find that all of your people need access to the same option. For example when all engineers needed access to CSS to input their time sheets. We realise that in cases like this it would be unrealistic to expect managers to input requests for each work team member.
In this case N&SO Access Management would be willing to treat these requirements as a project and would expect to receive a paper (available from Access Management on request) listing all details and input this information direct. This would only be done once managers and N&SO Access Management had dates and required timescales.
If any further information is required on the requesting of project work please contact your local N&SO Access Management group.
11. Administrators:-
=================

Some systems require background work done by administrators to allow you to access your required system successfully. Although you can see the option on your screen, there may be extra work to be done.
The administrators in most cases are contacted by N&SO Access Management and you would never have to have any dealings except with access management. Unfortunately some system administrators require their own forms completing and the manager's signature for audit purposes.
Users must refer to local documentation issued by the administrators to confirm whether a separate form must be completed. Failure to meet this requirement could result in a lack of access to the required system.

12. Responsibilities:-
===================

With RHS there are clear responsibility demarcation lines.
a) Line Managers - Line managers are responsible for the upkeep of their people's personal information. They must always ensure that they are kept up to date.
Managers are auditable on their people's access. Users should only have access to the systems required for their present jobs. All non-relevant access should be deleted from the users' menus.
Managers are responsible to ensure that their RHS queues for completed or rejected requests are up to date.
They must also keep DUPPU lists up to date.
b) N&SO Access Management -
Access management is responsible for the authorizing of all N division's access requests. All N division access requests come through NDO65 access teams.
Access management must ensure that:-
 -the requested access is relevant to the user's job.
 -the user has not already got access to the system.
 -all administrators of the required systems have been contacted and have done their extra work.
 -system profiles are proper to the user's job description.
 -requests are entered on to CSO's work queues correctly.
 -new UserID's are issued in the correct format according to the National Access Manual.
Access Management must also:-
 -liaise with CSO / administrators / users about any problem jobs.
 -liaise with / advise managers where they have queries about which access is applicable for their people.
c) CSO - Computing Service and Operations.
CSO are responsible for:-
 -the addition of the option to the user's network menu.
 -providing the network links from terminal to required systems. Software only; any requests for hardware must go through on computing services request forms, which are obtained via the helpdesk.
 -completing the requests and issuing the users with letters informing them of their UserID's and passwords.

13. Security:-
===========

BT's security policy is documented in the new COMPUTER SECURITY MANUAL available from ISIS distributors.
RHS has been introduced to provide a SECURE and auditable medium for the control of access to all BT's mainframe systems. All requests must be input by a manager - line managers are the only people who will have access to RHS.
RHS is OUC based and managers will be able to access the requests of their peer managers within the same Tier 3 structure.
Managers are also responsible for the deletion of any access no longer required by their people. Be that through change of responsibility or the user leaving BT. If the access is no longer needed for any user, a manager MUST issue a deletion request.
MANAGERS WILL BE AUDITED ON THEIR PEOPLE'S ACCESS.

Appendix A:-
=========

All the databases have identifiers; here is a short list of the most common ones.

BLETCHLEY A       - AFA
BLETCHLEY B       - A10
BRISTOL RDC       - A2D
CENTRAL MIDS      - A37
CITY OF LONDON    - A98
COSMOSS           - ACOA
EAST ANGLIA       - A19
EAST OF SCOTLAND  - A8A
EXETER RDC        - A2DID
GLASGOW FOMIS     - AFMG
HARMONDSWORTH A   - AHWA
HARMONDSWORTH B   - AHWB
IPSWICH A         - AIPA
IPSWICH B         - AIPB
LANCS & CUMBRIA   - A41
LIVERPOOL         - A09
MANCHESTER        - A4B
NEWCASTLE         - A23
PRESTON RDC       - A5F
SCOTTISH STORES   - A5F

APPENDIX B:-
==========
TNET APPLICATIONS :
TNET application symbolics are usually the same as the name on your TNET menus but you are still able to search on these to be sure on your request before you send it. Here are a few of the most common TNET applications.
WORKMANN - Workmanager networks
WORKMANC - Workmanager customer facing.
To check if there is more than one symbolic for these applications enter a (*) after the application name to check for extra symbolics. For example WORKMAN* will bring up all workmanager symbolics.
COMMON SYMBOLICS :
You will find once you start requesting your people's access using symbolics that you will use some of them over and over again. Here is a list of the most common symbolics used by N&SO Access Management.

SEARCH STRING   SYSTEM
A1DCIC*         ACPS
+++CICP1        CSS
++++CIZ*        COSMOSS
AFMG*           FOMIS-Glasgow
A1MCICPC        LONDON FORMIS AT OSTERLEY
A2D*            MIDLANDS STORES
A14CICPB        MID WALES & WEST FOMIS
+++MULT*        MULTSESS
+++NCAC         NC ACCESS
A32CICPC        NI FOMIS
AFMGCIPC        NORTH AND SCOTLAND FOMIS
AIPACI1F        OHMS
A5FSNWUR        PRESTON RDC STORES
OFFICIAL END OF DOCUMENT
hmmmmmm... the security on this system looks to be relatively high as there are so many people involved in validating an account. I would be willing to bet that the actual method of validating accounts detailed in this document is not what actually has to happen. BT seem to have these rigid structures which look very strict and secure, but in reality the officials are cutting corners all the time - if an engineer needs access to CSS to continue with a job, he isn't gonna want to wait for a few weeks just so that all the highly ranked people can look at his request form before validating it and say hmmmmmmmm look what power we have. It all seems to be a waste of time. Anywaze this system looks to be pretty important and I suspect after a while it will be looked upon as the 'central' BT mf system.
hav' phun ...
P/meD

@BEGIN_FILE_ID.DIZ
present: a breakdown of bt's newest mf system: the Request Handling System, by Psyclone
@END_FILE_ID.DIZ