Client for Contractors
C4C
Floorwalker Slidepack
One IT
Introduction
• The Shell Client for Contractors service has been designed to enable
Shell contractors to make use of their own hardware and software
when accessing Shell resources both via the internet and whilst inside
Shell offices
• The service provides a web based mechanism using SSL/VPN
technology to contractors accessing applications and supporting Shell
from non-GI platforms
• This web based access will allow contractors to access and run Shell
web and Win 32 applications that do not require a Shell internal IP
address to be issued.
• Service operationalised 1st April 2009. Project team to resolving service
readiness gaps to complete end August 2009.
oneIT
C4C vs GI-D for Contractors
What is different from a service standpoint?
• Contractors will access the Shell environment via their own
contractor provided PC.
• Shell will not provide the client hardware.
• Shell helpdesk support will cover access technology (including the
token), network printers and fileshares.
• Initially, helpdesk support will be in English only.
• Only Shell custom applications are supported by Shell and this will be
carried out via the existing support desks; e.g. Livelink; etc.
• Pre-arranged by the Businesses that request access
• Licensing for Commercial off the shelf (COTS) software is the
responsibility of the contractor/contractor’s company to procure.
• Users are not provided with storage or mailbox within the Shell
environment.
oneIT
C4C vs GI-D for Contractors Cont’d
What is different from a technical standpoint?
1. Contractors will not get the Shell desktop image (GI-D)
2. Some users may see a Secure Virtual Workspace (SVW)
a. This will depend on the type of contract agreed.
b. ‘Fully Trusted’ Third Parties will not require SVW
3. Contractors will connect to a web portal over the internet via standard browsers
either:
a. externally via a local ISP or their corporate LAN
b. internally via Shell wireless LAN, restricted VLAN or Shell LAN (subject to Shell
security approval)
4. Authentication is done via one time password (OTP) from a Digipass token.
5. Contractors name format in the GAL will be:
a. surname (c), firstname initials shellco-shellloc, e.g. Aleck (C), Robert SITI-ITIPEA
b. This is to identify the user is a contractor with an external email address, but to
allow them to fit in to their normal role (with normal company/reference
indicator)
oneIT
C4C vs GI-D for Contractors
Cont’d
What is different from a technical standpoint? cont’d
1. “Untrusted” third parties have access to the specific Shell Win32/Web
resources.
2. “Trusted” third parties have unrestricted SWW/network access.
3. Shell bespoke Win32 applications will be delivered over the portal and
contractors must use their own IT support for installation of these
applications.
a. Information on configuring the applications for use with Shell will
be made available through the web
4. COTS Win32 applications that provide access to Shell data must be
installed and supported by the contractors’ company (e.g. MS Office).
Shell will provide configuration information for these.
5. Contractors should be able to use Shell network printers
oneIT
Hardware and Operating Systems
The C4C service will allow hardware (desktop or laptop) with
the following supported operating systems, to access the
Shell resources:
Windows 7
• 32 bits
• 64 bits
oneIT
Windows
Vista
• 32 bits
• 64 bits
Windows XP
Pro
Windows 2000
Pro
• Service Pack 2
(SP2)
• Service Pack 4
(SP4)
Software Requirements
1. The software components required for this service on the
contractor’s PC :
a.
b.
c.
d.
e.
Internet browsers;
Up to date copies of AntiVirus and AntiSpyware;
Personal Firewall;
Any standard or customized Win32 applications;
Java
2. Contractors will be asked to login from a sign-in page before
being granted access to their Shell resources.
3. C4C users require local admin account on their PC
4. The following Internet browsers are supported.
a. Internet Explorer version 9, 8 and 7
b. Firefox version 15 and above
5. Links to Shell web applications will be available via a web
portal.
oneIT
Software Requirements cont’d
1. Win32 applications that are required, such as Peregrine E2E
ServiceCenter, must be installed on the PC before the
customer accesses the SSL/VPN appliance.
2. It is the responsibility of the contractor /contractor’s
company to procure, install and support any commercial off
the shelf (COTS) software required.
3. Shell, via the C4C portal, will only provide access to the
installer of customized Shell software.
oneIT
Single Sign on for Applications
• Single Sign On has been enabled for Shell applications that
require authentication.
• However, due to technical limitations, the application
remediation team will undertake to resolve those issues.
• If a Website prompts for a username and password, it is the
equivalent if Internet Explorer popping up and means that
the site owner hasn’t granted the user access to the site.
oneIT
Full Documentation C4C
Getting Started with C4C
This section will show and guide the Focal Points how to get
started to using C4C,
1.An introduction to C4C Service
2.Hardware and software component that make up the services
3.A Guide of how to use the service.
To download a complete copy of this documentation
oneIT
C4C Processes
C4C - Overview
start
Business Identify
Contractor
Company for C4C
service
Business request
via TPA FP to
request legal
arrangment
DD Create
Company (Master
& Child)
TPA FP request
for Contract
End
Access FP
request for Token
for User
Token forwarded
to user
Business Gather
Contractor
resources
Access FP check
resources match
in DRA
Exist ?
Yes
User given comms
on what to do with
token
Access FP
Creates User
Account
No
User register and
access C4C
User receive
Password from
DRA (automated)
Access FP
Creates User New
Resources
Access FP create
archetype with
resource
Access FP
Request
permission for
resources
Assign Archetype
to User
oneIT
Email to User on
C4C account ID
C4C Processes
Step 1 : Understand the users of C4C
Step 2 : Identify the resources required for the contractors
Step 3 : Register the contractors company (Assignment by Business TPA
Focal Point)
Step 4 : Register resources for contractors
Step 5 : Build an archetype
Step 6 : Creation of C4C user accounts
Step 7 : Procurement of C4C Token
Step 8 : C4C Helpdesk Information
oneIT
C4C Users
1. Ineligible users
It is important to note that the following are not eligible for registration on this service:
a.
b.
c.
d.
e.
Shell Employees
People in or nationals of GEC (General Embargoed Countries) or HRC (Highly Restricted Countries)
Those who need to access data classified above “confidential”
Users where the service is prohibited by law (for example, where use of encryption is not allowed)
People who need access to Shell GI-D network for “business critical” operations. This includes extensive
operational support personnel from contractor. Eg. Firewall team that requires AD and server access and
Software Programmers/Developers that require access to various Shell databases and servers.
2. Eligible users
Any Shell Contractor is eligible. All Shell contractors have to be legally binded before subscribing to C4C
service.
A Shell contractor company that is legally binded has:
a.Signed up to the C4C specific contractual clauses (which can be found on the company registration page of
the C4C service website:
http://sww.shell.com/it/consumer/desktop/products_services/optional/remote_access/client_for_contractor
s/companies.html
b.Provided their sponsor company (the contract holder in Shell) with a satisfactory level of assurance that
they’re adhering to the contractual clause. Shell Global Information Security determines what level of
assurance satisfactory.
c.Currently the service is designed to only support trusted (company that has legally binded agreement with
Shell) users.
oneIT
Identify the resources required for the contractors
Area
Support for Contractors
Network
Shell will provide support and service guarantees only for the private Shell owned and managed
network as long as users have the access permission . C4C users are required to ensure that they
have internet access to establish the connection.
Physical client
Shell will not support the contractors’ clients. They will need to have their own patch management and
software upgrade management mechanisms, and ensure that their clients are installed with antispyware, anti-virus and Personal firewall with the latest updated definition that is governed by Juniper
ESAP version.
Shell will support users connecting to the SSL/VPN gateway, including the OTP token provided that the
contractor machine is installed with Windows 2000 SP4, Windows XP32-Bit SP2 or Windows Vista 32Bit SP1 OS.
Connection
Application Support for
COTS[1] applications
Shell will not provide & support any COTS (Common Off the Shelf) applications accessed through the
service. For example, we would not support C4C users’ word processor software.
Application Support for
Shell custom applications
Support of the Application is subject to the arrangement with the Shell Application owner by the Shell
Application Remediation team. This Shell Application remediation team is appointed by the business.
COTS application licensing
Contractor companies using their own machines are required to ensure that they have appropriate
software, converter files and licenses for COTS software required to run locally on the client, such as
Microsoft Office, Access, Outlook etc.
COTS application
configuration
If so requested by contractor company, Shell will endeavor to provide configuration information to
enable Contractor companies to configure COTS applications to connect to Shell resources provided
that the business has obtained approval from the application owner.
Shell custom application
licensing
Shell will provide licenses for Shell in-house developed applications to the contractor companies to
allow them using the application provided that the business has obtained approval from the application
license owner. Application remediation team will provide the license to the contractor.
User accounts
Administer of Contractors’ accounts will be supported
Telephone number
C4C users will call a dedicated helpdesk number, supported 24x7 in English only.
oneIT
Register the contractors company (Assignment by
Business TPA Focal Point)
A. Ensuring that the contractor companies with staff accessing the service have signed an appropriate
contract:
•A template contract addendum will be provided by the Service
•It is a customer responsibility to ensure that these contract amendments are put in place
•Customer must never allow users to access through the service (including allowing them to have
active or registered account) unless all contracts are valid
an
B. Service will not validate contracts, but will trust Customer in this regard by ensuring that requests are
only accepted from the TPA Admin Focal Point role holder in the business. Service cannot be used if this
holder role is not registered with the existing STO TPA service.
Customer must update the TPA Admin or GI-D Access Focal Point with accurate information relating to
relevant changes in the contract, including but not limited to cancellation, renewal or extension of the
contract, in a timely manner.
C. Please refer to this link for more information on how to register a contractor’s company
D. Once legal confirmation has been obtained, TPA Focal Point has to raise SHL-C4C-00001 - Company
Registration for creation of the contractor company
E. All other related bundles in administrating the contractors company can be found here
Please take note the setting up and creation of a contractor company on C4C service is the responsibility
of a TPA Focal Point (assigned by Business).
oneIT
Register resources for contractors (1/2)
A. GI-D Access Focal Points are required to request for DRA C4C access
1. Browse to this link http://sww-ask-gi.shell.com/frameset.asp?url=http://sww-askgi.shell.com/operational_info/Tools/DRA/main.htm
`
2. Download the "DRA request form“
3. Complete section 1b to change your DRA access details.
4. Email completed form with approval from your line manager or OU GI-D manager to the DRA
functional mailbox GI-D Ops DRA SITI-ITIBDO14
* It should also be the business responsibility to request for delete access if the staff/focal point is
leaving his/her current role. In this case, they should fill up the form section 5 for deleting access
B. There are four types of resource – Win32, file, printer and website – accessible to users depending on
their trust level.
C. GI-D Access Focal Point are responsible for creation of resource for Fileshare, printer and website
bookmark via DRA. Kindly refer to How to manage archetype & Resources
D. For setting up file sharing for C4C user account by GI-D Access Focal Point
1. Go to http://sww-ask-gi.shell.com/frameset.asp?url=http://sww-askgi.shell.com/operational_info/Tools/DRA/main.htm
2. Download the DRA web console user guide from the link "How do i use DRA?“
3. Browse to section "7.3.6.4 Adding or Removing users from other domains" and follow the steps
listed there.
E. For setting up Win32 Application across to C4C, kindly refer to OneRM : C4C Win32 Resource
Registration
oneIT
Register resources for contractors (2/2)
F. For setting up File share / network printer, there is 2 ways to do it.
1. GI-D Access Focal to create the resource via DRA C4C functionality. (This will appear in the C4C
Portal as Bookmark
2. C4C End User to set it up themselves (if they know the file share location and network printer
name). To set up, kindly refer to the link below:
i. File share Set Up
`
ii. Network Printer Set Up
G. For setting up Web Application resources, it is done via DRA. Kindly refer to How to Set Up Resource
link.
*** Please take note that Business Sponsor are required to obtain approval from Application Support
team in order to fully utilize the web application across to C4C. Failure to do so, would result in
application not being supported by Application Support Team assigned
H. For setting up File share resources, it is done via DRA. Kindly refer to How to Set Up Fileshare
Resource link (Item D)
*** Please take note that File share access, you are required to obtain permission from file share owner to
set up for Vsat domain user (Location of the C4C user account in Active Directory).
oneIT
Build an Archetype
A.
An Archetype is a unique collection of resource access requirements associated with performing a
specific business role or function – for example, a driller in EP.
B.
The mechanics of this functionality are transparent to the end user and the Focal Point. FP’s
simply indicate which roles a specific user performs by allocating them to an Archetype.
Throughout this document, therefore, the term Archetype is used to refer to the role and resources
granted, not the underlying technical methods.
C.
To create an archetype via DRA, kindly refer to How to build an archetype
Note : GI-D Access Focal in-charge are accountable and responsible for :
oneIT
1.
Creation of Archetype specific to the Contractor’s company
2.
Assigning the Resource to the Archetype
3.
Assigning the Archetype to the C4C user that requires the resources.
Creation of C4C User Accounts
A. Contractors accessing the service will be provisioned through the creation of a Contractor Account.
B. This is an adaption of three existing account types, the standard GI account, the external
(shellexternal.com) account, and the non-GI (WDS) account. It provides a way for non-Shell users to
authenticate to Shell services in exactly the same way that Shell GI and WDS users can be.
C. A contractor account cannot be used to log on locally to Shell equipment (desktops, laptops, thin
client via MOP etc).
D. Creation of C4C user account via DRA can be found here
E. Deletion of C4C user account via DRA can be found here
F. Managing of C4C user account (Restoring C4C account due to expiration) Can be found here
G. C4C user account created are given 7 days to register their account. Failure to do so will result in
password reset.
H. Requestor of the C4C account will received an email stating the created C4C account. He/She will be
required to forward the email to the C4C user to proceed with C4C registration.
* Note :
1. Password reset function is designated to Helpdesk. Any request for password reset must be
forwarded to Helpdesk for assistance.
2. Password reset counter is designated to GI-D Access Focal Point. This is required when the reset
password has reach 3 times in a week/day.
3. GI-D Access Focal Point are accountable and responsible for the administrating the C4C user
oneIT
Procurement of C4C Account
A. Contractors accessing the service will require a Vasco Token in order to logon to C4C portal
B. Procurement of Vasco Token, is done via GI-D Access Focal Point through OneRM : SHL-SV-00180 One Time Password (OTP) Token Only
C. Note that C4C tokens are physically identical to MOP tokens, but not interchangeable. It is only meant
to be used only for C4C access.
D. A package of Vasco Token delivered to user will be attached with a brief registration step for C4C user
to get on the connect.shell.com for registration.
E. Late delivery of Vasco Token would mean C4C user are unable to proceed with registration within the 7
days period. He/She is required to request from Helpdesk for password to gain a new password and
proceed with registration of his C4C account and Token.
oneIT
C4C Helpdesk
A. C4C users will call a dedicated helpdesk number, supported 24x7 in English only.
B. Contact Numbers
Kazakhstan: +88005550079
Malaysia: 1-800-88-1507
Netherlands: 0800 0292059
Russia: +8800 700 9918
United Kingdom:0800 0284350
USA: +1 800 309 8352
For other countries toll free, refer "Shell C4C Helpdesk" contents by clicking on the links below,
http://www.shell.com/home/content/c4c_v2/helpdesk
C. Kindly refer to this site for C4C End User FAQ :
(http://sww.shell.com/it/consumer/desktop/products_services/optional/remote_access/client
_for_contractors/end_user.html)
D. Functional C4C Support Mailbox : SITI Global C4C Support SITI-ITSS-EUC is created to assist
End User / GI-D Access Focal Point.
E. C4C Helpdesk are also in-charge of Machine Registration administration.
F.
oneIT
If C4C User are having problem registring a Trusted machine onto C4C, they are required to
forward their issue to C4C helpdesk.