Ann Marie T. Sullivan, M.D., Acting Commissioner
Governor Andrew M. Cuomo

Security Management System
Reference Manual
New York State Office of Mental Health


Security Management System – SMS

The NYS Office of Mental Health (OMH) is distributing this SMS/Security Management System Reference Manual to facility Security Managers to provide them with information about and instructions for accessing and using the OMH Security Management System (SMS).

Application Overview

The Security Management System (SMS) is a Web-based application that facilities will use to authorize staff members to access certain NYS Office of Mental Health (OMH) Web applications. At the present time, two applications are using SMS: the Patient Characteristics Survey (PCS) and Psychiatric Services and Clinical Knowledge Enhancement System (PSYCKES) Medicaid. SMS replaces paper “Request for Access” forms.

SMS will greatly improve the efficiency of adding and removing users and expanding or reducing users’ access to sensitive data. By appointing a responsible person to authorize data access, each facility in the public mental health system will be able to control access in a secure manner that offers the flexibility to accommodate staff turnover, reassignment or leave.

How does SMS work?

OMH sends an agency control ID to the Director of each facility. The Director appoints the Security Manager and entrusts him with the agency control ID. This ID is used to electronically self-register to use SMS. After OMH receives and approves the electronic self-registration request, the application will issue the Security Manager a User ID and a SecurID token to log on to SMS.

What is the role of the Security Manager?

The Security Manager is designated by the Facility Director to use SMS to grant staff persons from his facility access to certain OMH applications and the security groups within the applications. In the PCS application, the Security Manager also associates persons in the "Submitter" security group with selected units or sites. Multiple active Security Managers are allowed from each facility. A person may serve as Security Manager for two facilities, but must register separately for each facility–using each facility’s control ID–and will be assigned a separate User ID for each facility.

Help Center

To resolve questions or problems, you can contact the OMH Help Center, Sunday through Saturday from 7 a.m. to 8 p.m. at (518) 474-5554 or 1-800-435-7697 (1-800-HELP-NYS).

Note: Before contacting the OMH Help Center, please refer to the instructions provided in this guide.

System Requirements

SMS can be accessed only by using Internet Explorer 5.5 and above. The system may not work properly with other browser applications, e.g., Mozilla, Firefox or Netscape.

Note: Pop-Up Blockers must be turned off or uninstalled for the SMS application to function properly. Examples of pop-up blockers are: Yahoo Toolbar, Google Toolbar and MSN Toolbar. For help turning off pop-up blockers, please contact the OMH Help Desk.

Self-registration of Security Manager

For Self-registration, contact your director.

Token Activation and PIN

To activate your own Token Using RSA Deployment Manager

After successfully registering as a Security Manager, you will receive an email with instructions to activate the SecurID token.

To assign and activate a token, click the link contained in the email; e.g., https://dm.omh.state.ny.us/WXUserActivateToken.do?tnApprovalCode=12345678&tnUserId=SMUSERID

The following page will display.
Activate Token form

Enter the serial number imprinted on the back of the token in the "Token Serial Number" field, and then click "Next". (The token serial number is typically 8 or 9 digits long.)
Activate Token form

On the "Confirm Your Activate Token Information" page, make sure the User ID and the serial number are correct, and then click "Submit".
Confirm Your Activate Token Information page

The following screen should be displayed:
Token Activation Complete

On the "Token Activation Complete" page, you should click the "Logout" link on the top right side of the page. The following page will display:
Completion of Token Activation form
This completes the "Token Activation" process.

Create PIN

The next step is to create a Personal Identification Number (PIN). Each user must set his or her own PIN. To start the process, navigate to https://sms.omh.ny.gov, enter your User ID in the "Userid" field, and in the "Password or Passcode" field, enter only the 6-digit code displayed on the token.
New York State Office of Mental Health Login form

The following "ClearTrust ‘SecurID’ Login" page will be displayed:
Clear Trust Secure ID Login form

You can either enter a 4-digit Personal Identification Number you have selected, or select the option for the system to generate a PIN. The PIN will be used with the token to sign on to and access ClearTrust-protected OMH Web applications. The following is an example of the screen you will see when you select your own 4-digit PIN. After clicking the “Go” button, you will be prompted to wait for the number on the token to change, and then enter the new PIN followed by the refreshed token code. If you choose your own PIN, you can skip the next two pages of instructions and proceed to “First-time Log-In.”
Clear Trust Secure id form filled in

If you choose to let the system generate a new PIN, click the “Create PIN” button and the following page will be displayed. You are given the option to proceed (the “Yes” option), or to return to the previous screen (the “No” option) to assign your own PIN.  To have the system generate the PIN, you should select option “Yes” and click the “Submit” button:
Option to have Clear Trust  generate PIN form

ClearTrust displays the system generated PIN on a page similar to the following screen print. You should write down or memorize your PIN. It will be needed to complete the activation process.
Clear Trust shows the auto generated pin number

First-time Log-In

After obtaining your self-selected or system generated PIN, the following ClearTrust Login page will be displayed:
The first Clear Trust login form

It is important to wait for the 6-digit code on the token to update before proceeding. After the token code changes, enter the new PIN in the Passcode field followed immediately (with no embedded spaces) by the 6-digit code displayed on the token:
Sample of Clear Trust enter passcode login form

After entering the new PIN and 6-digit token code in the Passcode field and clicking the "Go" button, the "User List" page will be displayed.

Congratulations! You have successfully logged in with your SecurID Passcode.
Display of user list

Using SMS

Login Procedure for Security Manager

The Security Management System Homepage (http://www.omh.ny.gov/omhweb/sms/) provides a description of the application, the user manual, answers to Frequently-Asked Questions (FAQs), and links for self-registration and log-in to the application. The Security Manager follows the link to SMS and enters the User ID and Passcode (consisting of the PIN and 6-digit token code).
The New York State Office of Mental Health Login Page

After logging in, the SMS Users page will appear. This page identifies all users for your facility. (If no users are listed, the message "There are no users" is displayed. Once users are added, this message will no longer appear when entering SMS.)

Users Page

After signing-on to SMS, the SMS "Users" page will be displayed. This page contains a scrollable list of all the User IDs assigned to your agency. Initially, the list may be empty (indicated by [Count: 0]), or if your agency has users of OMH applications such as Child and Adult Integrated Reporting System (CAIRS), New York State Incident Management and Reporting System (NIMRS), or New York Interagency Supported Employment Report (NYISER), their User IDs will be displayed. Any User IDs that you add should also appear in this list.
Display of user list

"User List" Section

The "User List" contains one row for each User ID defined for your agency. Each row contains the following columns:

In rare circumstances, it is possible for an individual to have an OMH User ID, but not appear on the User List. In this case, you can create the association between the existing User ID and your agency by using the "New User" function, described in Add New User. The SMS association will be established by entering the existing User ID on the "New User" page.

"New User" Button

A "New User" button is displayed immediately following the listed users. When you click this button, the "New User" page will be displayed. You must use the "New User" page to add a new User ID for your agency or to associate an existing User ID with your agency so it appears on the User List. See "Add New User".

"Search Criteria" Section

The “Search Criteria” section is located at the bottom of the “Users” page following the User List and New User button. The “Search Criteria” section is the mechanism Security Managers use to limit the User IDs displayed in the User list. It contains the following searchable fields: Application, User ID, Last Name, and First Name. In your search query you may select an OMH Application from the drop down list, enter a specific User ID, last name or first name, or you may enter just the first part of any of these fields. Then, when you click the “Search” button, these fields will be used to filter the search results and display only User IDs that match the criteria you selected. If you enter values in more than one of the fields, the search results displayed in the User list will include only User IDs that match all of the criteria selected.

For example, users with access to the PCS application can be searched by selecting the option ‘PCS’ in the drop down for the Application field and clicking the “Search” button.
Search Criteria form

The User list returns only users with access to the selected application (in this case, the PCS).

Specific users can be searched by User ID and/or first and last names.
Search Criteria form

"Go To" Link

In the SMS application, you can navigate to other SMS pages (e.g., Update My Mailing Address) by positioning the mouse pointer over the "Go To" link at the top left-hand side of the screen, and clicking on the drop down link of the desired page. (Go To choices at this time are limited to "User List", "New User", and "Update My Mailing Address".)

"Help" Link

The Help Link at the top right hand side of the screen will open the SMS User Manual.

"Logout" Link

You can sign-out and exit SMS from the SMS "Users" page, or from any other page in SMS, by clicking on the "Logout" link at the top right-hand side of the page.

Edit User Information

Accessing the "Edit User"

To edit the information for an individual at your agency, you will need to sign-on to SMS as described in Log-in Procedure for Security Manager. From the SMS "Users" page, you should access the "Edit User" page by clicking on the "pencil icon" in the "Edit" column on the row for the user in the "Users List" section. The "Edit User" page will be displayed with the user’s name, email address, date of birth, gender, and current application access.
Accessing the Edit User page form

Changing a User’s name, email address, date of birth or gender
Type over the text boxes with new or corrected information, and then click the "Update" button to save the changes.

"New User" Button

Following "User Information", a "New User" button is displayed. You should click this button to add a new User ID for your agency or to associate an existing User ID with your agency so it appears on the list. When you click the "New User" button, the "New User" page will be displayed. Add New User describes how to use the "New User" page.

"Deactivate" Button

Click the "Deactivate" button to remove a user’s access to any OMH application. A warning message will appear explaining that the user will lose access to all OMH applications and ask if you wish to do this. Click the "OK" button in the message to deactivate the user’s access.
Deactivate dialog box

"Reset Password" Button

Click "Reset Password" to reset the user’s password. This system responds with the following message once the password is reset.
The reset button displays that the user password has been reset

"Users" Button

Click the "Users" button to return to the Users page.

On the bottom of the Edit User screen is a section where you may grant access to various applications, assign users to a security group within the application, and in the case of the PCS, associate users with specific units or sites. These processes will be described in the Application-specific sections.

Add New User

Adding User with Existing User ID

If a User already has an OMH User ID for access to another application (e.g., MHPD, CAIRS, NIMRS) please enter it in the User ID field.
Creating a new user form

Upon entering a current User ID in the field and exiting the field, the screen will respond with a message that the User ID is valid and will display the retrieved User information. You may close the window. A similar message will display if the User information was not found in the security database. You can edit the User’s email address and your edits will be stored in the SMS application. Fields denoted with an asterisk (*) are required.

Adding a User who does not have a User ID

If the User does not have an existing ID, leave the User ID box blank. The Security Manager proceeds to complete the User information and select the "Create User" button. Fields denoted with an asterisk (*) are required. A new User ID will be generated for the User. If a User by that name already exists for the agency, the system will show a message that a User with that name is among the “active” or “inactive” users. To check the inactive users, see the "Search Criteria" section of the Users page.

Click the "Users" button to return to the Users page.

On the bottom of the "Add New User" screen is a section where you may grant access to various applications, assign Users to a security group within the application, and in the case of the PCS, associate Users with specific units or sites. These processes will be described in the Application-specific sections.

Update the address used to mail tokens

To edit the address used to mail tokens, you will need to first sign-on to SMS as described in Log-in Procedure for Security Manager. On the SMS "Users" page, you should position the mouse pointer over the "Go To" label in the top left-hand side of the page and click the "Update My Mailing Address" link to display the "Update My Mailing Address" page. You can type over the address displayed with your correct mailing address, or you can click the round "radio button" next to "Use the Agency Address above as the mailing address for SecurID tokens". Click the "Update" button to save your changes.

Log-off

You can exit SMS from any page by clicking on the "Logout" link at the top right-hand side of the page. Be sure to save any changes by clicking on the "Update" button before exiting the system.

Applications Using the Security Management System

Patient Characteristics Survey (PCS)

How will SMS be used for the PCS web application?

In SMS, each facility's Security Manager will add and edit Users and determine each User's level of access to the PCS Web application by assigning the User to a security group. For example, the security manager may grant one user the ability to submit and view data for service recipients of one or more of the facility's units or sites, and another the supervisory authority to submit, view, unlock submissions, download client data and lock all the units at that facility.

Granting access to the PCS Application

After editing or adding users to the User Page, the Security Manager follows three steps to grant a person access to the PCS application:

  1. Assigns the User access to a PCS security group (Submitter or Supervisor)
  2. Associates Users in Submitter security group with specific program units and sites
  3. Clicks "Update" to save the User’s assigned access

Please note that each facility must have at least one Supervisor assigned to complete the PCS process. A facility may have additional Supervisors and Submitters as needed.

Assigning User to PCS Security Group

Below the User Information section of both the "Edit User" and "Add New User" screens, three modules are listed, first MHPD, then the PCS and finally the PSYCKES Medicaid application. To assign a User to a PCS security group, the Security Manager checks one of the two boxes: "Submitter" or "Supervisor". The definitions of PCS security groups are:

Note: A user can be either a Submitter or a Supervisor, but not both.

Patient Characteristics Survey form

Associating Submitters to Program Units and Sites

When a person is assigned as a Supervisor, all programs and sites in the facility are automatically selected because the Supervisor’s access, by definition, is facility-wide.

To assign someone as a Submitter: Click the Submitter check box and then select the Program/Sites for which this Submitter will be entering PCS information. This associates the Submitter with the selected programs/sites. The Security Manager must associate the Submitter with at least one program/site and up to all programs/sites. The complete list of program units currently listed in the Facility Survey (or PCS Web application) can be viewed on the list.
Deactivate dialog box

Once a User is associated with sites, the User will be able to enter and edit information in the PCS application for all clients in that site.

By default, program units are shown, but the list can be expanded into sites or collapsed into programs by clicking on the expand and collapse buttons:

Expand Button – reveals the sites associated with a program

Collapse Button – hides the site information

For the licensed program types in the table below, agencies are expected to report Patient Characteristics Survey data at the site-level. The Security Manager may grant site-level access; for example, grant one User access to some of the unit's sites and another User access to another set of sites. A Submitter can be associated with one site, or with the entire unit and all of its sites by checking the appropriate boxes.

Program Type Code    Program Type Name
0020                 State Psychiatric Center Inpatient
0200                 Day Treatment
0800                 Assertive Community Treatment
1310                 Continuing Day Treatment
2200                 Partial Hospitalization
6340                 Comprehensive PROS with Clinical Treatment
7340                 Comprehensive PROS without Clinical Treatment
8340                 Limited License PROS
2100                 Clinic Treatment
2320                 Intensive Psychiatric Rehabilitation Treatment

To grant site-level access, the Security Manager expands the program unit listing and selects the desired sites.

Deactivate dialog box

To grant access to all sites within one unit, the Security Manager can simply select the unit, and all sites in that unit will automatically be selected. Similarly, if a Submitter needs access to all the units within the facility, the Security Manager can select the check box next to the facility to grant access to the entire facility, including all units and sites. This last feature is particularly useful for small facilities with a limited number of Submitters.

Making Sure all Sites have Submitters

Facility, Unit, Site Name

The check box at the bottom of the PCS Access list allows the Security Manager to show a list of all units and sites not yet associated with any Submitter. This feature is particularly useful for large facilities, to ensure that each unit and site has been assigned to a Submitter. As a unit is associated with a Submitter, it drops off this list.

Note that a facility may choose not to have any Submitters, as a Supervisor can submit data.
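The PCS assignment rules described above (one security group per User, facility-wide Supervisor access, Submitters tied to at least one program/site, at least one Supervisor per facility, and the list of sites not yet associated with any Submitter) can be checked offline against an export of assignments. The following is an added example, not SMS code; the sample facility, site names, User IDs and the "*" facility marker are constructed for illustration.

```python
SUBMITTER, SUPERVISOR = "Submitter", "Supervisor"
FACILITY_BOX = "*"  # hypothetical marker for the facility-level check box

# Constructed sample data: program units mapped to their sites.
SAMPLE_FACILITY = {
    "Clinic Treatment": ["Main St", "River Rd"],
    "Day Treatment": ["North Campus"],
    "Assertive Community Treatment": ["Team A", "Team B"],
}

# Constructed sample assignments: User ID -> (checked groups, checked boxes).
# A checked box is "*" (facility), a unit name, or a (unit, site) pair.
SAMPLE_USERS = {
    "SUPV01": ({SUPERVISOR}, []),
    "SUBM01": ({SUBMITTER}, ["Clinic Treatment"]),
    "SUBM02": ({SUBMITTER}, [("Assertive Community Treatment", "Team A")]),
    "BOTH01": ({SUBMITTER, SUPERVISOR}, [FACILITY_BOX]),
    "SUBM03": ({SUBMITTER}, []),
}


def all_sites(facility):
    """Every (unit, site) pair in the facility."""
    return {(unit, site) for unit, sites in facility.items() for site in sites}


def expand_selection(facility, selection):
    """Expand facility/unit check boxes into the sites they imply."""
    chosen = set()
    for item in selection:
        if item == FACILITY_BOX:
            chosen |= all_sites(facility)
        elif isinstance(item, tuple):
            unit, site = item
            if site not in facility.get(unit, ()):
                raise ValueError(f"unknown site: {unit} / {site}")
            chosen.add((unit, site))
        elif item in facility:
            chosen |= {(item, site) for site in facility[item]}
        else:
            raise ValueError(f"unknown unit: {item}")
    return chosen


def effective_access(facility, groups, selection):
    """Return the sites a User may work in, or raise if a rule is broken."""
    groups = set(groups)
    if len(groups) != 1 or not groups <= {SUBMITTER, SUPERVISOR}:
        raise ValueError("user must be in exactly one of Submitter or Supervisor")
    if groups == {SUPERVISOR}:
        # Supervisor access is facility-wide regardless of boxes checked.
        return all_sites(facility)
    chosen = expand_selection(facility, selection)
    if not chosen:
        raise ValueError("Submitter must be associated with at least one program/site")
    return chosen


def audit_facility(facility, users):
    """Report rule violations, Supervisor presence and uncovered sites."""
    errors, covered, has_supervisor = {}, set(), False
    for user_id, (groups, selection) in users.items():
        try:
            access = effective_access(facility, groups, selection)
        except ValueError as exc:
            errors[user_id] = str(exc)
            continue
        if set(groups) == {SUPERVISOR}:
            has_supervisor = True
        else:
            covered |= access  # only Submitters remove sites from the list
    return {
        "errors": errors,
        "has_supervisor": has_supervisor,
        "uncovered": sorted(all_sites(facility) - covered),
    }


if __name__ == "__main__":
    for key, value in audit_facility(SAMPLE_FACILITY, SAMPLE_USERS).items():
        print(key, value)
```
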

What sites are Shown?

Information about the facility in the SMS application is drawn from the OMH master provider directory and may be updated by submitting corrections via the Mental Health Provider Data Exchange (MHPD). A description of MHPD is available at www.omh.ny.gov/omhweb/mhpd/. In preparation for the collection of PCS data, providers completed the facility survey found on MHPD’s Survey tab, correcting facility data and program unit data for all programs expected to report on the PCS.

For certain facilities, the SMS list of programs/sites may be so long that the User may have to scroll down to see all the programs/sites for that facility. 

In the SMS application, any list that you display on your screen may be printed in its entirety by right-clicking on the screen with the expanded list of programs and their corresponding sites and selecting the “print” option.

Save the User’s Assigned Access

Once the fields are populated and PCS access is assigned for the prospective User, click “update” to submit the request.

An email will be generated for the prospective PCS User, giving instructions. If the Security Manager registered the PCS User with an existing OMH User ID, the email will list the ID and instruct the User to use his or her existing password or token. If the User forgets his password, the OMH Help Center can reset it, or the Security Manager can reset it in SMS. If the PCS User was not registered with an existing User ID, a new ID is sent to the User's email address along with a notice to expect another email with a password and instructions. The second email will contain the new User password and instructions for use.

Upon finishing the request, the Security Manager should click the “Go To” button in the top left corner and click “Users” to exit the current request and return to the User Menu screen.
Security Management System logout and return to User menu screen form.

Security assignments are updated in the PCS database at 15 minutes after the hour.

PSYCKES Medicaid

Authorized Access

Agencies are responsible for ensuring that staff have access only to those applications for which they are authorized. For example, at this time the OMH application PSYCKES Medicaid is being implemented only in agencies participating in the NYS OMH Quality Improvement Initiative. If your agency is not participating in this QI Initiative, your Security Manager should not use SMS to provide anyone at your agency with access to PSYCKES Medicaid.

Granting Access to the PSYCKES Medicaid Application

To add a User to an application, you will need to sign-on to SMS as described in the Login Procedure for Security Manager section. From the SMS "Users" page, you should access the "Edit User" page by clicking on the "pencil icon" in the "Edit" column on the row for the User in the "Users List" section. The "Edit User" page will display the User’s information and current application access. The PSYCKES Medicaid application is listed below the Patient Characteristics Survey (PCS) section. You can add or remove a User’s access to the PSYCKES Medicaid application by clicking the checkbox next to the application in the "Application Access" section. A check in the box indicates the User has access. If there is no check in the box, the User will not have access.

Save the User’s Assigned Access

You must click the "Update" button in the "User Information" section to save your selection. An email will be generated for the prospective User, giving instructions.

Exiting the "Edit User"

You can return to the "User List" page by clicking the "Users" button, or by positioning the mouse pointer over the "Go To" label at the top left-hand side of the page, and clicking the "Users" link.

Mental Health Provider Data Exchange (MHPD) Module

In SMS the facility’s Security Manager can add, deactivate or edit Users, and assign a User’s level of access to MHPD.  Only a Security Manager will be able to update a User’s name, email address, title and phone number (formerly an option for MHPD Users in MHPD).

Granting access to the MHPD Application

After adding or editing Users on the User Page in SMS, the Security Manager grants the User access to MHPD.

For providers or counties, there are four roles in MHPD, each with their own specific levels of access and responsibility.

The Security Manager can grant a User only one role; for instance, a User with Provider access cannot also have County access. The Security Manager can grant a User in a Provider role access only to the Security Manager’s Facility. If the User needs access to a second Facility, the Security Manager or Director for the second Facility should contact the OMH Helpdesk to request the MHPD System Auditor to associate the User with the second Facility.

Assigning Roles

To assign a User a chosen role in MHPD, after logging in to SMS, the Security Manager next selects the User from the User List or creates a New User if the person does not already have a User ID.  To edit a User, the Security Manager clicks the “Edit” icon (the small pencil to the left of the UserID).  To create a New User, the Security Manager clicks the “New User” button and follows the steps indicated.

Security Manager clicks the New User button

User List

Once in the Edit User Screen, the Security Manager should first verify the User’s information, and then scroll down to the MHPD Module section of the screen.  If any of the required fields (marked with asterisks*) are blank, the Security Manager will be directed to enter information before being allowed to update. 

Edit User Screen

To assign MHPD access, the Security Manager selects the appropriate Group Name from the Group Name list.  Only one Group Name can be selected.

When finished with all edits, click the “Update” button above the MHPD section.  The following screen will appear.

Edit User Screen

Next, click the “Users” button to return to the User List, “Close” to return to this Edit User screen if necessary, or “Logout” at the top right hand corner of the screen to log out of SMS and quit the application.

Updating User Information

Formerly, each MHPD user could update his or her email address, title and phone number in MHPD.  Presently, the Security Manager must update this information. 

It is important to keep this information current so that MHPD Users receive email notifications of Change Requests, Administrative Actions and EZ PARs that they submit and so that they may be contacted by phone or email by OMH or county staff who are reviewing the requests. To update User information, the Security Manager will select the User from the User list by clicking the “Edit Icon” to the left of the UserID.  Once on the User Information Screen, the Security Manager simply corrects any information that needs updating, and then clicks the “Update” button.  When finished, the Security Manager can log out at the top right hand corner of the screen, or click the “Users” button to return to the User List and select a different User to edit.

Email Notification

Duplicate notification emails are sent to the Security Manager’s and User’s email addresses whenever a new User is entered in the system and/or a new password is generated, and when a User is granted access to an application, such as when an MHPD Group Name is assigned. No email is sent when User information is updated.

New York Employment Services System (NYESS)

In SMS the facility’s Security Manager can manage user access to the New York Employment Services System (NYESS). See www.nyess.ny.gov for details about this program.

Three types of NYESS access are available: case management, provider-based reporting and cross-provider reporting. Within these categories, various roles are available.

Typically users of the NYESS Case Management system will require NYESS Case Management (NYESSCM) Business Services. This provides access needed to use the Case Management One-Stop Operating System (OSOS) system for delivery of employment services.

Additionally, office supervisors may require NYESSCM Supervisory access, which allows staff to manage service offerings for their office.

Additional case management roles may also be available to select organizations. Questions about these roles should be addressed via the NYESS Contact form.

NYESS Provider-Specific Reporting is available at four role levels. These are:

NYESS Cross-provider Reporting is available to oversight organizations, such as state and local jurisdictions and provides aggregated data based on locale and/or funding streams. Access to these roles will require review and approval by the NYESS business office.

Comments or questions about the information on this page can be directed to the OMH Helpdesk.