410 likes | 684 Views
SAM Manager A Guide to Understanding Access Control and Employee Data Integrity Responsibilities for Our Global Outsourced Partners. Access Change and Employee Data Management Scenarios.
E N D
SAM Manager A Guide to Understanding Access Control and Employee Data Integrity Responsibilities for Our Global Outsourced Partners
Access Change and Employee Data Management Scenarios This document describes the access control responsibilities of a person designated in SAM as the ‘SAM Manager’ for outsourced teammates located at a Partner site. It also outlines the access change uses cases where the SAM Manager is the responsible approver and the requestor. The following access change scenarios will be covered: • New Hire Process (onboarding new teammates and rehires) • Job Role Changes (ex. promotions) • Staff Group Changes • Termination (teammate at Partner location no longer working for eBay) • Recertification (corporate access must be re-approved every 90 days) • Specialized SAM system access for OS partners (Vendor Manager and Supervisor access roles) For each of scenario the following key information will be covered: • Process overview • Keys tasks within each process with task ownership identified
Overview - GSS Tools Access and Administration Team The GSS Tools Access and Administration Team • Grants access to CS Tools: • ASAC, Unify (Siebel & CCA), Agent Desktop, CSKB, NICE, Watchdog 2, Billing Hub • Modifies CS Tools Access upon notification of job change or staffgroup change • Ensures access is only given to active employees/contractors (defined by active/inactive status in SAM) with appropriate approval from SAM Manager • Ensures that access is terminated upon separation (defined by active/inactive status in SAM) • Troubleshoot issues involving CS Tools via TIP reports that the eWatch team assigns to us Key Processes we are involved in: • New Hire/Rehire Process – Getting CS Tools access setup • Follow New Hire Roster Process & Email Protocol • Job Change/Promotions – Changing access to reflect a new job role • Notify BU Manager/In-House Point of Contact of the job promotion and request they submit a TRACE ticket on your behalf. • Staffgroup Changes – updating a teammates access when they move to a new team • Update eWFM with new staffgroup and effective date. Must be updated on Friday before the effective change on a Monday • Termination where a teammate is not longer working for eBay – inactivate ASAC, Unify, NICE access • Teammate Off-boarded in SAM. This changes the SAM Status to Inactive for that Employee and results in CS Tools Access being Inactivated (most of this is automated).
Access Management Standard – SAM Manager The Global Information Security Team has outlined an Access Management Standard that applies to all eBay Marketplaces, Corporate and Adjacencies. It is available for review at: http://hubworks.corp.ebay.com/TeamSites/35188/Policy%20and%20Standards%20Wiki/Access%20Management%20Standard.aspx • All Outsourced Partner access to the eBay corporate network and eBay applications must be reviewed and approved by an Inhouse Supervisor or Manager. The responsible approver for ASAC is defined as the SAM Manager – this is always an “in house” employee. Key Access Control Responsibilities for SAM Managers as written in the Global Information Security Team’s Management Standard are: • Managers/Supervisors (access approvers) must: • Grant user access to information resources on a need to know basis. • Grant users access only to the resources they need to accomplish their job functions following the least privilege principle. • Managers or Supervisors are responsible for reviewing access granted to users at least annually to ensure access rights are current and accurate. • Managers and or Supervisors must modify SAM (contractors /AFW) or PIX (employees) n within two (2) business days of an employee termination, start of long-term (greater than 30 days) leave, or a contract person completing their assignment. If termination is for cause, notification must be made immediately upon or prior to termination action.
Employee Data Integrity in SAM for our OS Partners The SAM application is eBay Inc’s corporate solution for managing access to eBay’s corporate network and it is the source system of truth for OS partner employee data. CS applications and the reporting infrastructure for those CS applications all source OS partner employee data from SAM. The SAM Manager is responsible for ensuring that all employee data on SAM employee records in correct. The SAM Manager can delegate this task to persons at the OS partner location, but he must have an oversight program/strategy in place to ensure data integrity. What is the impact from a wrong partner (vendor) location value on an OS partner teammate’s SAM profile? • CS customer satisfaction data will be wrong/skewed for the partner location in question • Unify reports will show wrong/skewed data for the partner location in question • Supervisor assignments in NICE & Unify will be wrong that for that OS teammate which will prevent his leadership from doing QC cases for him in NICE • Vendor Manager might not be able to extend the teammate at 90 days so he’ll get accidentally exited = work stoppage for teammate What is the impact from a wrong cost center value on an OS partner teammate’s SAM profile? • Reporting/headcount challenges for the Finance & Analytics GCX Teams • Teammate won’t have a NICE profile created until cost center problem is fixed **See Appendix C for details on what metadata on the SAM record can be updated by the Vendor Manager
New Hire Process – Key Milestones & Tasks (1) 7+ DAYS PRIOR TO TRAINING START DATE • Trainer/Staffing Coordinator fills out the New_Hire_Template saves it in their site folder here: \\smf-xfs-01.tpa.ebay.com\External_Data_Exchange_TPA\New Hire **IMPT to use the latest ‘New_Hire_Template’ in the folder as updates are made ever couple months to the template • Trainer sends an email to their DL (or applicable stakeholders), GSS Tools Access & Admin Team, IDM & 3PP, SAM Manager, and WFM Team responsible for creating MDMS account to inform that a new roster has been uploaded. Some important DL’s provided in Appendix A. • SAM Manager approves NT/GOP creation by ‘replying to all’ to the email thread • 3PP Creates a remedy ticket for the NT/GOP account creation and assigns to Identity Management (IDM) ‘replying to all’ on the email thread with the ticket number • SLA for NT/GOP creation is 7 days from the date that the Remedy Ticket is created for IDM • IDM updates the New Hire roster and “replies all” to the email when NT/GOP accounts are created • NT Password provided in the New Hire roster • Citrix Icons & TPA webmail accounts should be setup at this point (email thread if there are issues) • Citrix Icon issues – 3PP • Webmail issues – Identity Management (IDM) • Once NT’s & QID’s are populated in roster by IDM, GSS Tools Access & Admin Team files a TRACE ticket on behalf of the SAM Manager for the new hire roster and sends email requesting approval for CS Tools setup (ASAC, Unify, and NICE) to the SAM Manager • SAM Manager approved TRACE ticket and CS Tools Access request • ASAC Accounts created by the GSS Tools Access & Administration Team TRAINING START DATE (Day 1) ** NT & ASAC logins are completely setup for the training class (dependent on ALL OF THE ABOVE STEPS and roster being submitted minimum 7 days prior to the training start date). ** Note TPA webmail accounts should also be setup – if there are issues email thread immediately stating that (IDM can fix this issue)
New Hire Process – Key Milestones & Tasks (2) First Week of Training (Day 1-5) • MDMS Accounts created by WFM team (if you see no response for these being created – email the thread and call that out) • If MDMS is NOT created – this will cause issues with taking actions in Agent Desktop, accessing Watchdog2, and proactive skills cannot be setup for teammates in Watchdog2 • Avaya ID are assigned by the GSS Tools Access Team (all teammates assigned despite if they work the phone or not) • Unify Production Accounts created by the GSS Tools Access Team • NICE Accounts created by GSS Tools Access Team (note they are actually automatically created based on costcenter and active SAM status) First Day of the 2nd WEEK OF TRAINING (DAY 7) ** Unify Production Accounts are ready for use **IMPT** Trainer/Staffing Coordinator or SAM Manager escalates to appropriate process owner if there are problems/delays with a particular step in the end-to-end flow. Appendix Contains: • Important Contacts – Email Addresses for Various Teams involved in the New Hire Process • New Hire Template Usage Instructions
New Hire Process – Key Callouts • Its crucial that correct Employee and CS Business Data (cost center, SAM Manager, CS Staff Group, teammate job role, etc) is provided in the new hire roster when it is first published. Missing or incorrect data causes delays for onboarding and can result in tools access and reporting problems later. Details provided in Appendix A. • There are many process owners in the end-to-end onboarding process with many tasks that must be completed. The timeline is therefore very tight for handoffs between the process owners. Delays in approvals by SAM Managers will cause timeline milestone dates to be missed which will negatively impact the training classes (time lost because trainees don’t have access to corporate system or CS tools when expected). • IDM and the GSS Tools Access & Admin Team have hundreds of new hire rosters to process each month and we have to balance our timeline milestone targets for all rosters at all times. Escalations generated from process owners not finishing tasks on time or CS owners (approvers and rosters submitters) not adhering to their timelines results in a ripple impact effect to the other pending rosters. We therefore must stick very closely to the end-to-end process timelines and will push out our deliverable dates when other teams miss their deadlines. • At all points in the process – the email thread that exist for the roster will be emailed when various steps are completed with the process owners ‘replying to all’ at each step. This includes: SAM Manager approval, Remedy ticket creation, NTs being created and populated in the roster, ASAC accounts creation, MDMS profiles being created, and Unify and NICE account creation. If you are not seeing that email from the process owner for that particular step, this can be your indicator to escalate where timelines are missed, etc. • GSS Tools Team uses a weekly batch process for Unify new hire provisioning to help us ensure accuracy and to lend efficiency to the provisioning work • the batch creation process was streamlined recently to allow us to deliver Unify production access by 1st day of training week 2 rather than during week 3 of training
Access Change Management Scenario #2: Job Role Changes (i.e. Promotions)
When employees change job roles and take on a new suite of job tasks, their access within ASAC, Unify, NICE, and Kronos needs to be evaluated in order to realign it to support their new job responsibilities. The primary example of job roles changes are promotions (teammate promoted to Coach or Quality Analyst, Coach promoted to Supervisor, etc). Below is a summary of the access and account set up/configuration changes that are applicable for each application along with ownership of each task. Realigning access within CS tools when employees change job roles
SAM Managers must review and approve all access changes needed to facilitate a job role change. OS partners cannot access TRACE so cannot file TRACE tickets. The SAM Manager must file job change tickets for them. • A TRACE ticket is required to notify GSS Tools Team that a person is changing jobs. Type TRACE into your intranet browser to go the site (http://trace.vip.ebay.com). You log in with your NT (GOP) ID and Password.If you have not logged in before you must create an account (The link to do so is directly below the User ID field, it says Create a new trace account). • Once you login to TRACE, from the All Services Tab you choose: • Category: Access • Service: ASAC/Unify/NICE/Kronos Access • Description: ASAC Access, Unify/NICE/Kronos – Access • (Hit the Launch Service Button) Job Changes - TRACE Ticket Instructions
Type: choose Employee Job Change/Employee Reactivation Subtype: choose Employee Job Change Attach spreadsheet of changes with the “Add” button or put info in the “details” field Ticket must include: Employee ASAC ID’s or NT logins, lines of business they will be supporting in their new roles, effective start date of when employees move to their new job roles Job Changes- TRACE Ticket Instructions – cont.
Realigning access within CS tools when teammates change Staff Groups When CS teammates move between teams to work within a new Staff Group, their access within ASAC, Unify, and NICE needs to be evaluated in order to realign it to support the workflow needs of the teammate’s new team. Below is a summary of the access and account set up/configuration changes that are applicable for each application along with ownership of each task.
Weekly Staff Group Change Management – Key Points • When team mates move to a new Staff Group, there are resourcing, scheduling, and CS tools access tasks that need to happen for a streamlined transition. Timing of those tasks is critical; tool access, skills, and Staff Group assignments in Unify must be changed during team mate down time as they are transitioning from 1 team to another in order to allow the team mate to continue to work on his/her original team and be ready with adjusted access for his/her 1st day on his new team. Weekly Changes – Timing Considerations • Team transfer effective date should be planned for Mondays • If transfer training is required, it should be scheduled to start on a Monday • Notification to In-house WFM of transfers must happen in the week before the transfer effective date to allow both WFM and GSS Tools Team opportunity to appropriately time all the needed access and system configuration changes
Access Change Management Scenario #4:Termination (OS teammate no longer working for eBay)
Termination – Revoking Access to CS Applications As per the Information Security’s corporate Access Management Standard Policy: Managers and or Supervisors must modify SAM (contractors /AWF) or PIX (employees) within two (2) business days of an employee termination, start of long-term (greater than 30 days) leave, or a contract person completing their assignment. If termination is for cause, notification must be made immediately upon or prior to termination action. Also as part of this Information Security policy, the CS Tools Access & Administration Team must revoke ASAC access within 2 business days of when a person is terminated in SAM or in PIX. Important callouts for People Managers responsible for properly offboarding employees when they leave the company: When properly terminated in SAM (contractors/AWF) or PIX (employees), ASAC access will automatically be revoked within 48 hours. People managers don’t need to manually notify the CS Tools Access & Administration Team of terminations because ASAC, Unify, and NICE (project to be booked) all have direct data feeds from SAM/PIX that enable automatic revocation of access. For AWF (Outsourced) persons, the SAM Manager is responsible for offboarding of all AWF’s that report to him in SAM (Secure Account Management application). The SAM Manager can also delegate this responsibility to a designated and trained person at the AWF (OS) location through Vendor Manager access that can be granted in SAM. The SAM Manager must have an oversight program/strategy in place to ensure compliance with this corporate policy if he does choose to delegate access. Failure to process terminations will lead to higher licensing costs for eBay, and may create risk for our customers.
Below is a summary of the access and account configuration changes that are applicable for each application along with ownership of each task. Termination – Revoking Access to CS Applications **NOTE: GSS Tools Team also recycles Avaya ID’s when teammates are term’d on behalf of the IT Telecom Team.
As per the Global Information Security Team’s Access Management Standard: • Any non-employee account must be established with an expiration date that will restrict access on that date. The expiration date will be the contract expiration date or 90 days from the activation date, whichever is less. • Every 90 days, eBay Inc. corporate access for the OS partners must be extended after the SAM Manager validates that the OS partner employee in question is actually still working for eBay and still needs his eBay Inc. corporate access. The SAM Manager can also delegate this responsibility to a designated and trained person at the AWF (OS) location through Vendor Manager access that can be granted in SAM. • If recertification task in SAM application is not completed within 90 days, OS partner will be automatically exited (offboarded) and he/she will lose all access to eBay Inc. corporate access and all access in ASAC and Unify will also be automatically revoked. • ***Recertification task is crucial for business continuity at our OS partner locations as there is SIGNIFICANT negative impact to teammates and then to eBay customers when teammates can’t work • When an OS teammate is exited accidentally when the recertification task is missed, the entire New Hire Process must be followed • A new hire roster can be published calling out partner employee is actually a rehire • Or, SAM Manager can reactivate the SAM profile himself – SAM Manager must then also contact 3PP separately and file a TRACE ticket to GSS Tools Access Team separately SAM Recertification for OS Partner Teammates
Access Change Management Scenario #6:Specialized SAM system access for OS partners (Vendor Manager and Supervisor access roles)
To assist with meeting the Global Information Security Team’s Access Management Standard, a SAM Manager can appoint 1 or more persons at the OS partner location to perform the following tasks: • Recertify (extend) access in SAM every 90 days for people at the same Vendor location as the Vendor Manager • Offboard (exit) OS partner teammates in SAM within 2 business days of their last day of work • Vendor Managers should also be held responsible for assisting in keeping OS partner employee data in SAM correct, i.e. cost center, partner location name, who the OS teammate’s Supervisor is • Vendor Managers can update most of the employee data points themselves for SAM records where they are the Vendor Manager. • If they can’t correct a data point, they should escalate to their SAM Manager • SAM Managers are responsible for ensuring that the OS partner employees that will have Vendor Manager access in SAM are properly trained on the above tasks. SAM Managers are also responsible for ensuring that the designated OS persons have the SAM access in question. • A GETIT ticket must be filed by the SAM Manager to request that an OS person be granted the Vendor Manager access role in SAM. The IDM team will then process the GETIT ticket. • The SAM Manager is also responsible for filing a GETIT ticket if Vendor Manager access is no longer needed by an OS person (who is not exited). • The SAM Manager must have an oversight program/strategy in place to ensure compliance with this corporate policy if he does choose to delegate access. Vendor Manager access in SAM for OS Partners
The following training materials are available regarding offboarding and extensions: • https://sam.corp.ebay.com/idm/flash/mgr_offboard_help.html - Exiting and disabling access to ebay systems • https://sam.corp.ebay.com/idm/flash/mgr_suspend_help.html - Immediate suspension • https://sam.corp.ebay.com/idm/flash/vm_recertify_help.html - Recertification • Below are some troubleshooting tips for Vendor Managers if they run into problems with managing employee records in SAM: • If the Vendor Manager can find the employee then the SAM_Preferred_Vendor field in SAM is not correct. The Sam Manager can fix • If the SAM Manager can’t see the employee – contact 3pp and ask for assistance locating the record and identifying the status (active or Inactive) • If the record is set to inactive – SAM Manager can rehire(reactivate). SAM Manager should also file a trace ticket to have CS tools reactivated (Nice, Unify, ASAC, etc) • If the record can’t be located by anyone (3pp included), ensure the account was submitted on a new hire roster and the roster has been processed. • A Vendor Manager will not be able to Recertify their own record – this MUST be done by the In-House SAM Manager. Vendor Manager access in SAM for OS Partners (cont.)
Supervisor access in SAM for OS Partners For both in-house and outsourced teams of CS teammates, Unify & NICE Team Rosters are automatically kept current when reporting relationships change in Pix (in-house) or SAM (outsource). When the OS partners keep their team rosters correct in SAM, they will also automatically have a correct team roster in Unify & NICE! Within 48 hours of the effective date of a Supervisor change for an teammate, the Unify Dashboards will reflect the correct Supervisor for that teammate. NICE will automatically be updated with correct Supervisor assignments once a week on Tuesdays. The CS Tools Access & Admin Team will not make any manual Supervisor assignment corrections in Unify or NICE, the correct process for getting a reporting relationship update made in Unify/NICE is for the OS partner to update the Supervisor assignment themselves directly in the SAM application.
Below are a few key callouts regarding Team Roster management in SAM – note this is applicable to OS partners only: • People Managers (Supervisors and above ) must have Supervisor Access Role in SAM in order to agents to be rolled up to them. The SAM Manager for that OS Supervisor must write to Identity Management (identitymgmt@ebay.com to request that Supervisor Access Role be granted because the SAM Manager is the approver for this access. • The SAM Manager is responsible for ensuring that all People Managers at the OS partner location have the SAM Supervisor access role. The SAM Manager should ensure that there is a clear ownership at the OS location for making weekly updates to reporting relationships in SAM. That clear owner at the OS location should also be responsible for telling the SAM Manager when someone new needs to be granted the Supervisor access role. • Any OS partner employee with the Supervisor access role can log into the SAM application and change a Supervisor assignment for anyone at his same OS location (no other employee data changes can be made). • Only outsourced employees can make updates to Team Rosters in SAM (inhouse employees don’t have access to do so) • **See Appendix B for instructions on how to troubleshoot SAM & Unify Team Roster problems and how to escalate a problem report for assistance if needed Supervisor access in SAM for OS Partners (cont.)
Appendix A DL’s for New Hire ProcessInstructions for filling out New Hire Rosters
New Hire Template Usage Instructions • Trainer/Staffing Coordinator must fill out New_Hire_Template 100% • Must specify new hire start date and date that new hires will start working in the production Unify environment – NOTE: production Unify accounts will be ready by the 1st day of the 2nd week of training if all process milestone dates are adhered to • Populate Staff Group name, channels and skills so that Unify & NICE access can be fully provisioned • Specify if agent is a rehire or New employee – this needs to be correct so that IDM can properly reactivate old employee records in SAM rather than creating unnecessary new profiles in eBay’s employee databases. Put “Rehire” or “New” in the Status column in the New Hire Template • Check all CS applications that agents will need access to • Whoever is listed in the “Manager” field will be set up by IDM as the IH SAM Manager within SAM for OS agents. • Use a separate New Hire Roster for each training class • A separate TRACE ticket is needed for each roster • If employees in a single training class are spread across multiple Staff Groups or will have different roles (some agents, some are leaders for ex) then different rosters are needed by role or by Staff Group
Appendix B: Outsource Team Rosters – Supervisor Access in SAMAccess Request and Problem Report Management Guide This Appendix outlines both the request and escalation paths for the top access change and problem management scenarios that are relevant to the OS Team Roster Updates flows in SAM.
New Supervisor Access Role in SAM Access Request Scenario #1: “I can’t see the new Supervisor Actions when I log into SAM” In order to have access to the new Supervisor Actions shown the below screenshot, your SAM user account must be granted either the new Supervisor Access Role or the existing Vendor Manager Role. If you do not see the Supervisor Actions menu on the SAM home page and need access to these functions to make updates to your team roster, follow below directions for requesting access: eBay In-house Manager approval is required for the New Supervisor Access Role to be granted in SAM. Please contact the appropriate eBay Manager and ask they he/she write to the Identity Management Team and ask for Supervisor Access on your behalf. The eBay Manager can write to Identity Management using this distribution list: DL-eBay-ITS-IdentityMgmt
New Supervisor Access Role in SAM Access Request Scenario #2: “I can’t see the correct Supervisor to assign in the Supervisor Update flow” When changing the Supervisor for a user in SAM, you must select the new Supervisor from the Supervisor drop down menu (illustrated in the Change Request flow screenshot below). Clicking the supervisor drop down button will show you a list of available supervisors for this users. NOTE: The list of Supervisors shown in the drop down list consists of persons at your same vendor location that have been given Supervisor Access within the SAM tool. If a supervisor is missing, that supervisor will need to follow the below directions for requesting access: eBay In-house Manager approval is required for the New Supervisor Access Role to be granted in SAM. Please contact the appropriate eBay Manager and ask they he/she write to the Identity Management Team and ask for Supervisor Access on your behalf. The eBay Manager can write to Identity Management using this distribution list: DL-eBay-ITS-IdentityMgmt
New Supervisor Access Role in SAM Project Management Scenario #1: “I can’t see a SAM profile for a team member I’d like to assign to a new Supervisor” • For the new Supervisor Actions, you will only be able to see and update users with the classification of outsourced vendor, who are at the same location, and who work for the same vendor as you. If a correction to a user’s profile is needed for outsourced vendor or outsourced location fields, follow the below resolution path: • 1) Contact the identified Point of Contact (POC) for the SAM supervisor update process at your same location for assistance. • 2) The POC will then escalate to the eBay Manager who can make the correction in SAM. The eBay Manager will then either update/correct the vendor or location data in SAM for the user in question, or they will contact the Identity Management Team to request an update. • If there is a user that fits this criteria for visibility (classified as outsourced vendor in SAM, same location & vendor as you), but you’re unable to see his/her SAM profile, follow the below directions for resolution: • Make sure you’re logged into Citrix, and contact 3PP Assist Chat by visiting http://3ppchat/index.asp Click on the Live Chat button the right side of the screen and add into the “How can we help you today” field a description of your problem.
Unify Dashboards – Team Rosters Problem Management Scenario #1: “My Team Roster in Unify isn’t correct, not all my agents show as reporting to me” “I updated my team roster in SAM, but it is still incorrect in the Unify Dashboards” • In order for you to see all of your direct reports when you run a Unify Dashboard with your name in the L1 Manager field, your direct team members must be assigned to you within SAM. • Please follow the below troubleshooting steps: • Validate that all the agents in question have your NTLogin as the Supervisor in SAM and that the effective date of that Supervisor setting is valid. If the effective date hasn’t been met yet, then Unify Dashboards won’t reflect the agent as reporting to you until AFTER the effective date. • Consider when the change was made effective in SAM. Unify Team Rosters are automatically updated to reflect the change in the Unify Dashboards within 48 hours of the change being effective in SAM. • If the above troubleshooting steps don’t resolve the issue, please submit a TIP report.
Appendix C: Metadata Vendor Manager can update This Appendix outlines the SAM employee data that a Vendor Manager can update themselves.
SAM – Change/Transfer Option Login to SAM Select Change/Transfer Select the record you want to edit
SAM – Metadata That Can Be Updated • As a Vendor Manager you will want to be concerned about the follow metadata which you will be able to update yourself in SAM • First, Last, Preferred First Name • Costcenter • Site Location (this should already be correct though and correspond to the vendor and location that you are at) • SAM Manager can update the remaining employee data, most importantly this includes: • Vendor Name • SAM Manager (transfer user to report to another person)