210 likes | 365 Views
Client for Contractors C4C. Floorwalker Slidepack. Introduction. The Shell Client for Contractors service has been designed to enable Shell contractors to make use of their own hardware and software when accessing Shell resources both via the internet and whilst inside Shell offices
E N D
Client for ContractorsC4C Floorwalker Slidepack
Introduction • The Shell Client for Contractors service has been designed to enable Shell contractors to make use of their own hardware and software when accessing Shell resources both via the internet and whilst inside Shell offices • The service provides a web based mechanism using SSL/VPN technology to contractors accessing applications and supporting Shell from non-GI platforms • This web based access will allow contractors to access and run Shell web and Win 32 applications that do not require a Shell internal IP address to be issued. • Service operationalised 1st April 2009. Project team to resolving service readiness gaps to complete end August 2009.
C4C vs GI-D for Contractors - 1 What is different from a service standpoint? • Contractors will access the Shell environment via their own contractor provided PC. • Shell will not provide the client hardware. • Shell helpdesk support will cover access technology (including the token), network printers and fileshares. • Initially, helpdesk support will be in English only. • Only Shell custom applications are supported by Shell and this will be carried out via the existing support desks; e.g. Livelink; etc. • Pre-arranged by the Businesses that request access • Licensing for Commercial off the shelf (COTS) software is the responsibility of the contractor/contractor’s company to procure. • Users are not provided with storage or mailbox within the Shell environment.
C4C vs GI-D for Contractors - 2 • What is different from a technical standpoint? • Contractors will not get the Shell desktop image (GI-D) • Some users may see a Secure Virtual Workspace (SVW); • This will depend on the type of contract agreed. • ‘Fully Trusted’ Third Parties will not require SVW • Contractors will connect to a web portal over the internet via standard browsers either: • externally via a local ISP or their corporate LAN • internally via Shell wireless LAN, restricted VLAN or Shell LAN (subject to Shell security approval) • Authentication is done via one time password (OTP) from a Digipass token. • Contractors name format in the GAL will be: • surname (c), firstname initials shellco-shellloc • e.g. Aleck (C), Robert SITI-ITIPEA • this to make it easier to identify the user as a contractor with an external email address, but to allow them to fit in to their normal role (with normal company/reference indicator)
C4C vs GI-D for Contractors - 3 • What is different from a technical standpoint? cont’d • “Untrusted” third parties will have access only to the specific Shell Win32/Web resources that they require • “Trusted” third parties have unrestricted SWW/network access • Shell bespoke Win32 applications will be delivered over the portal and Contractors must use their own IT support for installation of these applications. • Information on configuring the applications for use with Shell will be made available through the web • COTS Win32 applications that provide access to Shell data must be installed and supported by the contractors’ company (e.g. MS Office). Shell will provide configuration information for these. • Contractors should be able to use Shell network printers
Hardware and Operating Systems • The C4C service will allow hardware (desktop or laptop) with the following supported operating systems, to access the Shell resources:
Software Requirements - 1 • The software components required for this service on the contractor’s PC : • Internet browsers; • Up to date copies of AntiVirus and AntiSpyware; • Personal Firewall; • Any standard or customized Win32 applications; • Java • Contractors will be asked to login from a sign-in page before being granted access to their Shell resources. • C4C users require local admin account on their PC • The following Internet browsers are supported. • Internet Explorer 7.0, 6.0 • Firefox 2.0 • Links to Shell web applications will be available via a web portal.
Software Requirements - 2 • Win32 applications that are required, such as Peregrine E2E ServiceCenter, must be installed on the PC before the customer accesses the SSL/VPN appliance. • It is the responsibility of the contractor /contractor’s company to procure, install and support any commercial off the shelf (COTS) software required. • Shell, via the C4C portal, will only provide access to the installer of customized Shell software.
Single Sign on for Applications • Single Sign On has been enabled for Shell applications that require authentication. • However, due to technical limitations, the application remediation team will undertake to resolve those issues. • If a Website prompts for a username and password, it is the equivalent if Internet Explorer popping up and means that the site owner hasn’t granted the user access to the site.
Full Documentation C4C Getting Started with C4C This section tells Focal Points how to get started using C4C. First, it goes through the things that you need to read to understand the various components that make up the service, then it explains the procedures that you must follow to actually use the service components. To download a complete copy of this documentation
Processes of C4C Step 1 : Understand the users of C4C Step 2 : Identify the resources required for the contractors Step 3 : Register the contractors company (Assignment by Business TPA Focal Point) Step 4 : Register resources for contractors Step 5 : Build an archetype Step 6 : Creation of C4C user accounts Step 7 : Procurement of C4C Token Step 8 : C4C Helpdesk Information
A. Ineligible users • It is important to note that the following are not eligible for registration on this service: • Shell Employees • People in or nationals of GEC (General Embargoed Countries) or HRC (Highly Restricted Countries) • Those who need to access data classified above “confidential” • Users where the service is prohibited by law (for example, where use of encryption is not allowed) • People who need access to Shell GI-D network for “business critical” operations. This includes extensive operational support personnel from contractor. Eg. Firewall team that requires AD and server access and Software Programmers/Developers that require access to various Shell databases and servers. • B. Eligible users • Any Shell Contractor is eligible, subject to constraints listed above and elsewhere on these pages. All Shell contractors have to be legally binded before subscribing to C4C service. • A Shell contractor company that is legally binded has: • Signed up to the C4C specific contractual clauses (available elsewhere on these pages which can be found on the company registration page of the C4C service website: • http://sww.shell.com/it/consumer/desktop/products_services/optional/remote_access/client_for_contractors/companies.html • Provided their sponsor company (the contract holder in Shell) with a satisfactory level of assurance that they’re adhering to the contractual clause. Shell Global Information Security determines what level of assurance satisfactory. • Currently the service is designed to only support trusted (company that has legally binded agreement with Shell) users. Users of C4C
Area Support for Contractors Network Shell will provide support and service guarantees only for the private Shell owned and managed network as long as users have the access permission . C4C users are required to ensure that they have internet access to establish the connection. Physical client Shell will not support the contractors’ clients. They will need to have their own patch management and software upgrade management mechanisms, and ensure that their clients are installed with anti-spyware, anti-virus and Personal firewall with the latest updated definition that is governed by Juniper ESAP version. Connection Shell will support users connecting to the SSL/VPN gateway, including the OTP token provided that the contractor machine is installed with Windows 2000 SP4, Windows XP32-Bit SP2 or Windows Vista 32-Bit SP1 OS. Application Support for COTS[1] applications Shell will not provide & support any COTS (Common Off the Shelf) applications accessed through the service. For example, we would not support C4C users’ word processor software. Application Support for Shell custom applications Support of the Application is subject to the arrangement with the Shell Application owner by the Shell Application Remediation team. This Shell Application remediation team is appointed by the business. COTS application licensing Contractor companies using their own machines are required to ensure that they have appropriate software, converter files and licenses for COTS software required to run locally on the client, such as Microsoft Office, Access, Outlook etc. COTS application configuration If so requested by contractor company, Shell will endeavor to provide configuration information to enable Contractor companies to configure COTS applications to connect to Shell resources provided that the business has obtained approval from the application owner. Shell custom application licensing Shell will provide licenses for Shell in-house developed applications to the contractor companies to allow them using the application provided that the business has obtained approval from the application license owner. Application remediation team will provide the license to the contractor. User accounts Administer of Contractors’ accounts will be supported Telephone number C4C users will call a dedicated helpdesk number, supported 24x7 in English only. Identify the resources required for the contractors
Register the contractors company (Assignment by Business TPA Focal Point) • A. Ensuring that the contractor companies with staff accessing the service have signed an appropriate contract: • A template contract addendum will be provided by the Service • It is a customer responsibility to ensure that these contract amendments are put in place • Customer must never allow users to access through the service (including allowing them to have an active or registered account) unless all contracts are valid • B. Service will not validate contracts, but will trust Customer in this regard by ensuring that requests are only accepted from the TPA Admin Focal Point role holder in the business. Service cannot be used if this holder role is not registered with the existing STO TPA service. • Customer must update the TPA Admin or GI-D Access Focal Point with accurate information relating to relevant changes in the contract, including but not limited to cancellation, renewal or extension of the contract, in a timely manner. • C. Please refer to this link for more information on how to register a contractor’s company • D. Once legal confirmation has been obtained, TPA Focal Point has to raise SHL-C4C-00001 - Company Registrationfor creation of the contractor company • E. All other related bundles in administrating the contractors company can be found here • Please take note the setting up and creation of a contractor company on C4C service is the responsibility of a TPA Focal Point (assigned by Business).
Register resources for contractors (1/2) • A. GI-D Access Focal Points are required to request for DRA C4C access • 1. Browse to this link http://sww-ask-gi.shell.com/frameset.asp?url=http://sww-ask-gi.shell.com/operational_info/Tools/DRA/main.htm • ` • 2. Download the "DRA request form“ • 3. Complete section 1b to change your DRA access details. • 4. Email completed form with approval from your line manager or OU GI-D manager to the DRA functional mailbox GI-D Ops DRA SITI-ITIBDO14 • * It should also be the business responsibility to request for delete access if the staff/focal point is leaving his/her current role. In this case, they should fill up the form section 5 for deleting access • B. There are four types of resource – Win32, file, printer and website – accessible to users depending on their trust level. • C. GI-D Access Focal Point are responsible for creation of resource for Fileshare, printer and website bookmark via DRA. Kindly refer to How to manage archetype & Resources • D. For setting up file sharing for C4C user account by GI-D Access Focal Point • 1. Go to http://sww-ask-gi.shell.com/frameset.asp?url=http://sww-ask-gi.shell.com/operational_info/Tools/DRA/main.htm • 2. Download the DRA web console user guide from the link "How do i use DRA?“ • 3. Browse to section "7.3.6.4 Adding or Removing users from other domains" and follow the steps listed there. • E. For setting up Win32 Application across to C4C, kindly refer to OneRM : C4C Win32 Resource Registration
Register resources for contractors (2/2) • F. For setting up File share / network printer, there is 2 ways to do it. • 1. GI-D Access Focal to create the resource via DRA C4C functionality. (This will appear in the C4C Portal as Bookmark • 2. C4C End User to set it up themselves (if they know the file share location and network printer name). To set up, kindly refer to the link below: • i. File share Set Up • ` • ii. Network Printer Set Up • G. For setting up Web Application resources, it is done via DRA. Kindly refer to How to Set Up Resource link. • 1. Please take note that Business Sponsor are required to obtain approval from Application Support team in order to fully utilize the web application across to C4C. Failure to do so, would result in application not being supported by Application Support Team assigned • H. For setting up File share resources, it is done via DRA. Kindly refer to How to Set Up Fileshare Resource link (Item D) • 1. Please take note that File share access, you are required to obtain permission from file share owner to set up for Vsat domain user (Location of the C4C user account in Active Directory).
Build an Archetype • An Archetype is a unique collection of resource access requirements associated with performing a specific business role or function – for example, a driller in EP. • The mechanics of this functionality are transparent to the end user and the Focal Point. FP’s simply indicate which roles a specific user performs by allocating them to an Archetype. Throughout this document, therefore, the term Archetype is used to refer to the role and resources granted, not the underlying technical methods. • To create an archetype via DRA, kindly refer to How to build an archetype • Note : GI-D Access Focal in-charge are accountable and responsible for : • 1. Creation of Archetype specific to the Contractor’s company • 2. Assigning the Resource to the Archetype • 3. Assigning the Archetype to the C4C user that requires the resources.
Creation of C4C User Accounts A. Contractors accessing the service will be provisioned through the creation of a Contractor Account. B. This is an adaption of three existing account types, the standard GI account, the external (shellexternal.com) account, and the non-GI (WDS) account. It provides a way for non-Shell users to authenticate to Shell services in exactly the same way that Shell GI and WDS users can be. C. A contractor account cannot be used to log on locally to Shell equipment (desktops, laptops, thin client via MOP etc). D. Creation of C4C user account via DRA can be found here E. Deletion of C4C user account via DRA can be found here F. Managing of C4C user account (Restoring C4C account due to expiration) Can be found here G. C4C user account created are given 7 days to register their account. Failure to do so will result in password reset. H. Requestor of the C4C account will received an email stating the created C4C account. He/She will be required to forward the email to the C4C user to proceed with C4C registration. * Note : 1. Password reset function is designated to Helpdesk. Any request for password reset must be forwarded to Helpdesk for assistance. 2. Password reset counter is designated to GI-D Access Focal Point. This is required when the reset password has reach 3 times in a week/day. 3. GI-D Access Focal Point are accountable and responsible for the administrating the C4C user
Procurement of C4C Account A. Contractors accessing the service will require a Vasco Token in order to logon to C4C portal B. Procurement of Vasco Token, is done via GI-D Access Focal Point through OneRM : SHL-SV-00180 - One Time Password (OTP) Token Only C. Note that C4C tokens are physically identical to MOP tokens, but not interchangeable. It is only meant to be used only for C4C access. D. A package of Vasco Token delivered to user will be attached with a brief registration step for C4C user to get on the connect.shell.com for registration. E. Late delivery of Vasco Token would mean C4C user are unable to proceed with registration within the 7 days period. He/She is required to request from Helpdesk for password to gain a new password and proceed with registration of his C4C account and Token.
C4C Helpdesk • A. C4C users will call a dedicated helpdesk number, supported 24x7 in English only. • B. Contact Numbers • C. Kindly refer to this site for C4C End User FAQ • D. Functional C4C Support Mailbox : SITI Global C4C Support SITI-ITSS-EUC is created to assist End User / GI-D Access Focal Point. • E. C4C Helpdesk are also in-charge of Machine Registration administration. • If C4C User are having problem registring a Trusted machine onto C4C, they are required to forward their issue to C4C helpdesk.