Quick reference guide DKSH Corporate Shared Services ... Provisioning.pdf · Quick reference guide...
Transcript of Quick reference guide DKSH Corporate Shared Services ... Provisioning.pdf · Quick reference guide...
© DKSH
December, 2016
Active Directory ID provisioning
Quick reference guide
DKSH Corporate Shared Services Center Sdn. Bhd.
© DKSHPage 2
Contents
Item Page(s)
Overview 4 - 8
Capabilities 9 - 11
How do I access ? 12 - 13
AD ID creation for employees 14 - 24
Enable email account 25 - 29
AD ID & email creation for external 30 - 37
Enable Active Sync 38 - 40
Change password on next logon 41 - 44
Account Expiration 45 - 48
Phone number update 49 - 51
Revoke AD ID & email 52 - 55
Questions and answers 56 - 60
Overview
© DKSHPage 4
Improvement in Active Directory (AD) management
Outlook Address Book
Current challenges
Local IT is required to update user information in active
directory manually
Improvement
Off-load current local IT manual update process
Password
Current challenges
Increase in service desk support due to
password issue in both active directory & lotus
notes for non GAD country
Improvement
• Empower DKSH employees to have the
ability to change password from internet
• Synchornize Active Directory pasword with
lotus notes web
Email Group distribution
Current challenges
• IT have no visibility on the specified AD email
groups who should be inside the list
• Users doesn’t have access to update the member
list
Improvement
Empower DKSH employees to have the ability to self-
manage groups that have been assign
ID Provisioning
Current challenges
• Local IT is required to fill-up 25 fields Active
Directory.
• Active Directory it is not capable of
managing certain field format (e.g. mobile)
Improvement
• Empower local IT to create mail account
• Less AD fields is required to be fill-up
• Data quality improved with data checks
Active
Directory
© DKSHPage 5
ID Provisioning building blocks
Platform
Microsoft Active
Directory
SAP
SAP HRPremise
SQL Server
Microsoft Identity
Management Microsoft O365
Cloud
Exchange server
(CN & VN only)
Premise
© DKSHPage 6
ID Provisioning process
• SAP HR extract 30,000
record & inject into the
SQL database
(incremental) on a daily
basis
• Active Directory ID will
be created within 3
hours
• Local IT will need to
login to the ID
provisioning application
for AD ID & email
submission
• Email will be created
within 3 hours
• Local IT to configure
outlook client for users.
Employee
information in SQL
Local IT ID
creation
Batch
processing 2
Local team
configure
outlook
client
Batch
processing 1
© DKSHPage 7
DescriptionsActive directory
attributesSAP HR IT
1 Windows Logon samaccountname Yes
2 Email Logon Userprincipalname Yes
3 First Name Givenname Yes
4 Last Name Sn Yes
5 Display Name on outlook Displayname Yes
6 Job Title Title Yes
7 Corporate Email Mail Yes
8 Office Direct Phone Telephonenumber Yes
9Fax Number Facsimiletelephonenu
mber
Yes
10 Mobile Mobile Yes
11 Legal Entity Company Yes
12 Department Department Yes
13 Division Division Yes
14 BU Name businesscategory Yes
Data custodian
© DKSHPage 8
DescriptionsActive directory
attributesSAP HR IT
15 Bu Code employeeID Yes
16 Cost Center Code departmentnumber Yes
17 Company Code employeetype Yes
18 Employee Number employeenumber Yes
19 Street Address streetaddress Yes
20 Post Code postalcode Yes
21 City l Yes
22 Country co Yes
23 Country Code c Yes
24Office Location physicaldeliveryofficen
ame
Yes
Data custodian (continued)
Mandatory Optional
Capabilities
© DKSHPage 10
Functions Descriptions
1 Active directory ID creation • Automated populate email address base on first name and last name
• ID can be created on the OU that have been assign by creator during
submission
• White space filtering
• Checking for duplication of name globally
• Once ID is created, an email will be send to the respective personnel
• IT personnel can search for the user using employee number for creation
2 Email ID creation • Email licence can be selected during AD directory ID creation or after
• Once AD ID is created, country IT can assign a license for email
• Once email have been assign with license, an email will be send to the
respective personnel
3 Phone number • IT personnel can search for employee using employee number of email
for information update
• Ensure only number is enter to the system only
• Country code will be append to the numbers
• Information will be populated in active directory
4 SAP HR attributes • Only the following SAP HR attribute will be replicated to Active directory.
Refer to page 7 for more information
5 ActiveSync Enable activesync feature for users.
6 Disabling ID IT personnel can disabled employees access on active directory with a
single click and it will take immediate effect
Capabilities
© DKSHPage 11
Areas Descriptions
1 Provisioning • Active directory user will be created with all the necessary attribute from
SAP HR
• Active directory without SAP HR information can be tag with user type
• Exchange mailbox provisioning
• Ensuring Telephone number, mobile and fax contain number only
2 Disabling • Active directory user can be disable on the spot with a timestamping on
the active directory attribute
• Users with a mail forwarding requirement will be tag in active directory for
record
3 Update • Users can update telephone number, mobile and fax as an when
• Administrator can disable or enable active sync for users
• Administrator can enforce change password for users
• Administrator can set account expiration
Summary of the capabilities
How do I access?
© DKSHPage 13
Step 1:
Launch Internet Explorer web browser
Step 2:
Enter the URL https://directory-management.dksh.com in the address bar and press Enter
Step 3:
Click on sign in and enter your DKSH email address and password to sign in.
Step 4:
There is a Help section on self service portal to assists IT administrator to use the system
How do I access ID provisioning self service?
ID creation for employees
© DKSHPage 15
• Step 1: Click on Existing employee and search for the employee by input either one of the following
information ( First name, last name or employee number)
• Step 2: Click on the result as per below
Active Directory creation
© DKSHPage 16
Step 3: On General tab, it will display the necessary information about employees. The grey out box
information can’t be change as it is from SAP HR. Local IT is require to ensure the first name, middle
name, last name and display name is correct before click on the next button
Active Directory creation (continued)
© DKSHPage 17
Step 4: On Office location tab, it will display the necessary information about where the employee base.
The grey out box information can’t be change as it is from SAP HR. Local IT is not require to do anything
on this screen, click next to proceed.
Active Directory creation (continued)
© DKSHPage 18
Step 5: On Contact tab, it will display the necessary information about employee contact. Local IT is
require to fill-up telephone number field only at this point of time. Click Next to proceed.
Active Directory creation (continued)
© DKSHPage 19
Step 6: Click on Administration tab , select Provision active directory account and select Change.
Active Directory creation (continued)
© DKSHPage 20
Step 7: Select on the domain and click submit
Step 8: Select on the domain and click submit
Active Directory creation (continued)
© DKSHPage 21
Step 9: Click Submit to proceed.
Active Directory creation (continued)
© DKSHPage 22
Step 10: Click on OK to proceed.
Step 11: The status of the account creation. You will be receiving an email notification once the ID have
been created.
Active Directory creation (continued)
© DKSHPage 23
Step 12: Once the ID have been created, you will get an email with the following information.
Active Directory creation (continued)
© DKSHPage 24
Step 13: ID provisioning self service will mark the users with the following status. “An Active Directory for
“Test Dummy” exists”.
Active Directory creation (continued)
Enable email account
© DKSHPage 26
Step 1: Click on Existing employee and search for the employee by input either one of the following
information ( First name, last name or employeenumber)
Step 2: Click on the result as per below
Enable email account
© DKSHPage 27
Step 3: Click on the Administration tab, and select provision email. By default, only Office 365 is
available as an option. While for other countries (e.g. China & Vietnam) will have more option as there is a
present of exchange server.
Enable email account (continued)
© DKSHPage 28
Step 4: Click on OK to proceed.
• Step 5: The status of the account creation. You will be receiving an email notification once the ID have
been activated.
Enable email account (continued)
© DKSHPage 29
Step 6: Once the ID have been created, you will get an email with the following information.
Enable email account (continued)
Active Directory user ID and email creation for external
© DKSHPage 31
Step 1: Click on Other accounts for account creation
ID creation
© DKSHPage 32
Step 2: The following attribute as per highlight below it is a mandatory fields for external ID creation. With
the same capabilities you can create AD account and enable email. Do ensure you choose the right user
type, as this will be serve as an differentiator of the user accounts.
ID creation (continued)
© DKSHPage 33
Step 3: For the user type selection, do ensure that during the ID provisioning. The right user type is
selected
− Service : use for service account, temporary account
− External : use for third party or external account. The account have been further classified as per
below
− Client
− Consultant
− Contractor
− company
− Pending_SAP_HR : for DKSH employee who does not have employee number
ID creation (continued)
© DKSHPage 34
Step 3: On the Office location tab, ensure the respective country field is selected
ID creation (continued)
© DKSHPage 35
Step 4: Click on Contact to enter the telephone number for the respective users. Alphabet and symbol will
be prohibited from entering the system. Once this is done, click Next to proceed.
ID creation (continued)
© DKSHPage 36
Step 5: Click on Administration tab, select the options for provisioning. Once the process have
completed, you will be notified via email. Click submit to proceed.
ID creation (continued)
© DKSHPage 37
Step 6: Click on OK to proceed.
Step 7: The status of the account creation. You will be receiving an email notification once the ID have
been created.
ID creation (continued)
Enable ActiveSync
© DKSHPage 39
Step 1: Click on Existing employee or other accounts and search for the employee with one of the
following criteria ( First name, last name or employeenumber, email address)
Step 2: Click on the result as per below
Enable Active Sync
© DKSHPage 40
Step 3: Click on Administration tab, there is an option of ActiveSync and select Enable ActiveSync.
The system will take few seconds to process.
Enable ActiveSync (continued)
Change password on next logon
© DKSHPage 42
Step 1: Click on Existing employee or other accounts and search for the employee with one of the
following criteria ( First name, last name or employeenumber, email address)
Step 2: Click on the result as per below
Password change enforcement
© DKSHPage 43
Step 3: Click on Administration tab and click enforce the user to change password on next logon
Password change enforcement (continued)
© DKSHPage 44
Step 4: A message will appear, once the change password on next logon have been enforce. You need to
advise the user to change password via the following method:
User in office
• Change password via the normal way by using Control + Alt + Delete
• The prerequisite of the following is the laptop or desktop must be part of DKSH Global Active Directory
User not in office
• Password can be change via a password reset portal at https://passwordreset.dksh.com
Password change enforcement (continued)
Account expiration
© DKSHPage 46
Step 1: Click on Existing employee or other accounts and search for the employee with one of the
following criteria ( First name, last name or employeenumber, email address)
Step 2: Click on the result as per below
Account expiration
© DKSHPage 47
Step 3: Click on Administration tab and click on “End of” to set the account expiration.
Account expiration (continued)
© DKSHPage 48
Step 4: Click on the date to set the expiration date and save to execute the settings.
Account expiration (continued)
Phone number update
© DKSHPage 50
Step 1: Click on Existing employee or other accounts and search for the employee with one of the
following criteria ( First name, last name or employeenumber, email address)
Step 2: Click on the result as per below
Phone number update
© DKSHPage 51
Step 3: Click on Contact tab, update the respective fields with the correct number and click Next to
proceed.
Step 4: On the Administration tab, click update to save the changes. The changes will be reflect to active
directory attribute once the batch job trigger
Phone number update (continued)
Revoke Active Directory user ID and email
© DKSHPage 53
Step 1: Click on Existing employee or other accounts and search for the employee with one of the
following criteria ( First name, last name or employeenumber, email address)
Step 2: Click on the result as per below
Revoke access
© DKSHPage 54
Step 3: Click on Administration tab, click on Disabled AD.
Step 4: Select one of the options to proceed:
Disabled user account
• To user account will be disabled
• The date of the activities will be recorded in active directory extension attribute
Disabled user account and enable mail forwarding
• The user account will be disabled
• The date of the activities will be recorded in active directory extension attribute
• Local IT required to log a support ticket to enable mail forwarding
Revoke access (continued)
© DKSHPage 55
Step 5: To proceed to raise a service request, click on the link as per below
Revoke access (continued)
Questions and answers
© DKSHPage 57
Questions Answers
1 Who can use the system? Only country IT admin can use the system
2 What is the process of enabling
country IT to use the self service
portal?
Country IT must require to log a service request to CSSC windows team with
the following information
• Active Directory domain that they are allow to use
• Employee information from SAP HR that they are allow to use for
ID creating
3 What is the process of removing
country IT from using the self
service portal?
Country IT must log a service request to CSSC to remove the respective
country IT
Quesions and answers
© DKSHPage 58
Questions Answers
1 What is the pre-requisite to
create an AD account using self
service portal?
Employee number
2 If employee number is yet to be
created, can I still create AD
account for DKSH employees?
Yes, use the external tab for ID creation and select the user type of
“Incomplete”
3 Once the ID have been
submitted for creation, when do I
expect the ID will be created?
The batch processing will execute each request within 3 hours, once the ID
is created. You will be notified via email
4 If I select the options of creating
AD account and O365 access,
does the processing will be still
3 hours?
No, the processing of AD creation will be completed within 3 hours and the
subsequent batch job will run for email activation. Once the process is
complete, you will receive 2 email notification
5 How do I check the status of the
ID that have been submitted and
what should I do if the ID does
not create after a certain period
of time
• You can check the status from the portal it self by searching for the
employees.
• If you do not get an email notification after the ID have been submitted
after 8 hours ago, do raise a service request to CSSC windows team.
Quesions and answers (continued)
© DKSHPage 59
Questions Answers
1 What are the attribute that I can
update after I create the
account?
Phone number, fax and mobile phone.
2 Will be more attribute is going to
be open for update in next
revision.
At this point of time, there is no plan to open up other attribute for update.
We shall review this again in next future
3 If there is an employee complain
about job title or some other
information is not correct, what
should I do?
• You may refer to page 7 on the list of attribute that IT is taking care off.
• If there is wrong information projected in active directory, you must check
employee information and search in the portal. If the information in the
portal it is not correct, this would mean SAP HR information is not correct
• If there is no record found during the search, that would mean, the active
directory user does not have an employee number. You need to obtain the
employee number and update on active directory, the information will be
flow in when the batch job run.
4 What if the self service portal
have the wrong information due
to the wrong matching or wrong
information in active directory
Escalate to CSSC windows team
Quesions and answers (continued)
© DKSHPage 60
Questions Answers
1 What are the functionality of the
disable button in the self service
portal?
• It will disable the account straight away
2 What is the difference of Yes
and No options when ID is
disabled using self service portal
• Yes : the account will be disable, the disable time will record in one of the
attribute in active directory. Country IT is required to raise a service
request to MNC team for mail forwarding
• No : the account will be disable
3 Automated ID clean-up base on
status
At this point of time, the feature is not ready. Once this is ready, they will be
a communication to country IT
Quesions and answers (continued)
© DKSH
Thank you for your attention
© DKSHPage 62
Disclaimer
Due care has been used in preparation of this presentation and DKSH makes every effort to
provide accurate and up-to-date information. Nevertheless, this presentation may be subject
to technical inaccuracies, information that is not up-to-date or typographical errors.
DKSH does not assume liability for relevance, accuracy and completeness of the information
provided. DKSH reserves the right to change, supplement, or delete some or all of the
information on this presentation without notice.
The layout, graphics and other contents in this presentation are protected by copyright law
and should not be reproduced or used without DKSH’s written permission.