Automating EMSS Security and Access from the Internet Presented by: Amy Cordell September 29, 2009

Upload: gigi

Post on 19-Jan-2016



TRANSCRIPT

Page 1: Automating EMSS Security and Access from the Internet

Automating EMSS Security and Access from the Internet

Presented by: Amy Cordell

September 29, 2009

Page 2: Automating EMSS Security and Access from the Internet

About Truman Medical Center

Two-hospital, not-for-profit located in the Kansas City Metro Area

Primary teaching hospital for University of Missouri-Kansas City Schools

Specializes in asthma, bariatrics, diabetes, women’s health, and trauma services

Downtown location is the largest provider of outpatient care in Kansas City

Busiest adult emergency room in the city with more than 60,000 visits per year

Page 3: Automating EMSS Security and Access from the Internet

Objectives

Binding to Active Directory

Automating Adding / Deleting Users in EMSS

Access to EMSS from the Internet

Page 4: Automating EMSS Security and Access from the Internet

Advantages of Binding to Active Directory

Eliminates another user name and password

No separate administration for the Lawson app

If AD account is terminated / inactivated, so is access to the Lawson application

Identifies if duplicate AD accounts are being used

AD account was added as a user field in Lawson on HR11 and a daily import runs to add this information for use in Lawson Security

Page 5: Automating EMSS Security and Access from the Internet

Disadvantages of Binding to AD

Unable to log in as other users to test production issues in test

Must delete and reload user if AD account is changed (name change, middle initial added)

Page 6: Automating EMSS Security and Access from the Internet

Adding Users in Lawson Security

Automation process will depend on the organization’s tools

Process Flow Integrator (PFI) is the most efficient tool to accomplish automation

Perl Script in combination with MS Addins or another query tool may be used if organization doesn’t own Process Flow Integrator

  Doesn’t fully automate the process

  Limits the amount of data entry

  More streamlined than adding the account through the security application

Page 7: Automating EMSS Security and Access from the Internet

Process Flow Integrator (PFI) to Add Users

Add users by hire date or employee ID

Query for employees with input data of hire date or employee ID

RM action is to add

Message Builder to capture output from each record for adding by hire date

Write to File for review

Page 8: Automating EMSS Security and Access from the Internet

Input Data

When the process flow is run, enter either the employee ID or the hire date

The hire date used must not return a large number of records, or the process flow will fail. If the user is an older hire, it is best to add by employee ID

Page 9: Automating EMSS Security and Access from the Internet

Deleting Users with PFI

Similar process to adding users

Query for employees with a termination date in a specified range

RM action is to delete

Message Builder to capture output from each record

Write to File for review

Page 10: Automating EMSS Security and Access from the Internet

Access to Employee Self Service from Anywhere

Page 11: Automating EMSS Security and Access from the Internet

Access to EMSS from the Internet

Internal DNS name created for ME.TMCMED.org

  This DNS entry points back to the Lawson server and is set up on the server in the configs for the application as ME.TMCMED.org

  The SSL Certificate for ME.TMCMED.org is bound here

External DNS name created for ME.TMCMED.org

  This DNS entry points to the publicly available address for TMC

  That address terminates on our external firewall and is translated back to the DMZ where we have Microsoft ISA (Internet Security and Acceleration) Server

  Intrusion detection and additional network security is applied before ISA server receives traffic.

Page 12: Automating EMSS Security and Access from the Internet

ISA Server

ISA Server securely publishes the content from that point

In addition, Intrusion Detection and IP Protection occur here as well

All HTTP and HTTPS requests that do not match paths or other security stated below are redirected to https://me.tmcmed.org/lawson/portal

The SSL Certificate for ME.TMCMED.org is bound here

ISA Server inspects traffic and forwards to the internal server, Lawson production server

Page 13: Automating EMSS Security and Access from the Internet

ISA Server

Authentication #1

Page 14: Automating EMSS Security and Access from the Internet

Access to the Lawson Server

The only allowed paths are:

  /ssoconfig

  /sso

  /sites/hr

  /servlet

  /sePlugins

  /Lawson

  /cgi-lawson

In order to limit access to only required paths on the Lawson server

If a subdirectory is included, then access to other subdirectories under the parent directory are not

Page 15: Automating EMSS Security and Access from the Internet

Network Security Precautions

All incidental HTTP (unsecure) traffic is redirected to SSL port 443

Only authenticated Domain users are allowed to connect through the rule

Customized forms were created to allow for authentication to the domain

Once authenticated, access to Lawson prod server can occur

Delegation was not possible due to the configuration of the Lawson application

Access to Lawson production server is through another web form on that server
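The publishing rule described on the ISA Server, Access to the Lawson Server and Network Security Precautions slides, modelled as a decision function. This is an added example, not part of the presentation and not ISA Server configuration; the function names are hypothetical, and decoding the path once, rejecting leftover encoding, and comparing case-insensitively are assumptions of this sketch.

```python
from posixpath import normpath
from urllib.parse import unquote

# Allowed paths and fallback URL exactly as listed on the slides.
ALLOWED = ("/ssoconfig", "/sso", "/sites/hr", "/servlet",
           "/sePlugins", "/Lawson", "/cgi-lawson")
FALLBACK = "https://me.tmcmed.org/lawson/portal"
HOST = "https://me.tmcmed.org"


def canonical_path(target: str) -> str:
    """Strip the query, decode once, and resolve dot segments.

    Returns "" (never allowed) if the decoded path still holds '%',
    a backslash, or a NUL, which suggests double encoding or tricks.
    """
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    if any(c in path for c in ("%", "\\", "\x00")):
        return ""
    return normpath("/" + path.lstrip("/"))


def is_allowed(path: str) -> bool:
    """Match on whole path segments, so /sso does not admit /ssoevil.

    Case-insensitive comparison is an assumption: the slides list
    /Lawson but redirect to /lawson/portal, which must stay reachable.
    """
    p = path.lower()
    return any(p == a.lower() or p.startswith(a.lower() + "/")
               for a in ALLOWED)


def decide(scheme: str, target: str, authenticated: bool):
    """Return (action, detail) for one request at the publishing rule."""
    path = canonical_path(target)
    if not is_allowed(path):
        return ("redirect", FALLBACK)          # non-matching request
    if scheme != "https":
        return ("redirect", HOST + path)       # plain HTTP moved to 443
    if not authenticated:
        return ("login", path)                 # domain login form first
    return ("forward", path)                   # on to the Lawson server


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in [("https", "/sso/login?x=1", True), ("https", "/ssoevil", True),
                ("https", "/sso/%2e%2e/admin", True), ("http", "/Lawson/portal", False)]:
        print(req, "->", decide(*req))
```

Canonicalizing before the allowlist check is what keeps an encoded `..` under an allowed prefix from reaching a path outside the list.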

Page 16: Automating EMSS Security and Access from the Internet

Logging into Lawson

Authentication #2

Lawson portal is only compatible with Internet Explorer

  Firefox, Mozilla will not function properly with Lawson portal

Page 17: Automating EMSS Security and Access from the Internet
Page 18: Automating EMSS Security and Access from the Internet

Questions?