Security Management System
New York State Office of Mental Health
Table of Contents
- Security Management System – SMS
- Self-registration of Security Manager
- Token Activation and personal identification number (PIN)
- Using SMS
- Login Procedure for Security Manager
- Users Page
- Edit User Information
- Add New User
- Update the address used to mail tokens
- Applications Using the Security Management System
- Patient Characteristics Survey (PCS)
- Psyckes Medicaid
- Mental Health Provider Data Exchange (MHPD) Module
- New York Employment Services System (NYESS)
The NYS Office of Mental Health (OMH) is distributing this SMS/Security Management System Reference Manual to facility Security Managers to provide them with information about and instructions for accessing and using the OMH Security Management System (SMS).
The Security Management System (SMS) is a Web-based application that facilities will use to authorize staff members to access certain NYS Office of Mental Health (OMH) Web applications. At the present time, two applications are using SMS: the Patient Characteristics Survey (PCS) and Psychiatric Services and Clinical Knowledge Enhancement System (PSYCKES) Medicaid. SMS replaces paper “Request for Access” forms.
SMS will greatly improve the efficiency of adding and removing users and expanding or reducing users’ access to sensitive data. By appointing a responsible person to authorize data access, each facility in the public mental health system will be able to control access in a secure manner that offers the flexibility to accommodate staff turnover, reassignment or leave.
OMH sends an agency control ID to the Director of each facility. The Director appoints the Security Manager and entrusts him with the agency control ID. This ID is used to electronically self-register to use SMS. After OMH receives and approves the electronic self-registration request, the application will issue the Security manager a User ID and a SecurID token to log-on to SMS.
The Security Manager is designated by the Facility Director to use SMS to grant staff persons from his facility access to certain OMH applications and the security groups within the applications. In the PCS application, the Security Manager also associates persons in the "Submitter" security group with selected units or sites. Multiple active Security Managers are allowed from each facility. A person may serve as Security Manager for two facilities, but must register separately for each facility–using each facility’s control ID–and will be assigned a separate User ID for each facility.
To resolve questions or problems, you can contact the OMH Help Center, Sunday through Saturday from 7 a.m. to 8 p.m. at (518) 474-5554 or 1-800-435-7697 (1-800-HELP-NYS).
Note: Before contacting the OMH Help Center, please refer to the instructions provided in this guide.
SMS can be accessed only by using Internet Explorer 5.5 and above. The system may not work properly with other browser applications, e.g., Mozilla, Firefox or Netscape.
Note: Pop-Up Blockers must be turned off or uninstalled for the SMS application to function properly. Examples of pop-up blockers are: Yahoo Toolbar, Google Toolbar and MSN Toolbar. For help turning off pop-up blockers, please contact the OMH Help Desk.
For Self-registration, contact your director.
After successfully registering as a Security Manager, you will receive an email with instructions to activate the SecurID token.
To assign and activate a token, you should click the link contained in the email; e.g., https://dm.omh.state.ny.us/WXUserActivateToken.do?tnApprovalCode=12345678&tnUserId=SMUSERID
The following page will display.
Enter the serial number imprinted on the back of the token in the "Token Serial Number" field, and then click "Next". (The token serial number is typically 8 or 9 digits long.)
On the "Confirm Your Activate Token Information" page, make sure the User ID and the serial number are correct, and then click "Submit".
The following screen should be displayed:
On the "Token Activation Complete" page, you should click the "Logout" link on the top right side of the page. The following page will display:
This completes the "Token Activation" process.
The next step is to create a Personal Identification Number (PIN). Each user must set his or her own PIN. To start the process, navigate to https://sms.omh.ny.gov, enter your User ID in the "Userid" field, and in the "Password or Passcode" field, enter only the 6-digit code displayed on the token.
The following "ClearTrust ‘SecurID’ Login" page will be displayed:
You can either enter a 4-digit Personal Identification Number you have selected, or select the option for the system to generate a PIN. The PIN will be used for with the token to sign on to and access ClearTrust-protected OMH Web applications. The following is an example of the screen you will see when you select your own 4-digit PIN. After clicking the “Go” button, you will be prompted to wait for the number on the token to change, and then enter the new PIN followed by the refreshed token code. If you choose your own PIN, you can skip the next two pages of instructions and proceed to “First-time Log-In.”
If you choose to let the system generate a new PIN, click the “Create PIN” button and the following page will be displayed. You are given the option to proceed (the “Yes” option), or to return to the previous screen (the “No” option) to assign your own PIN. To have the system generate the PIN, you should select option “Yes” and click the “Submit” button:
ClearTrust displays the system generated PIN on a page similar to the following screen print. You should write down or memorize your PIN. It will be needed to complete the activation process.
After obtaining your self-selected or system generated PIN, the following ClearTrust Login page will be displayed:
It is important to wait for the 6-digit code on the token to update before proceeding. After the token code changes, enter the new PIN in the Passcode field followed immediately (with no embedded spaces) by the 6-digit code displayed on the token:
After entering the new PIN and 6-digit token code in the Passcode field and clicking the "Go" button, the "User List" page will be displayed.
Congratulations! You have successfully logged-in with your SecureID Passcode.
The Security Management System Homepage (http://www.omh.ny.gov/omhweb/sms/), provides a description of the application, the user manual, answers to Frequently-Asked Questions (FAQs), and links for self-registration and log-in to the application. The Security Manager follows the link to SMS, enters the User ID, and Passcode (consisting of the PIN and 6-digit token code).
After logging in, the SMS Users page will appear. This page identifies all users for your facility (If no users are listed, the message "There are no users" is displayed. Once users are added, this message will no longer appear when entering SMS).
After signing-on to SMS, the SMS "Users" page will be displayed. This page contains a scrollable list of all the User IDs assigned to your agency. Initially, the list may be empty (indicated by [Count: 0]), or if your agency has users of OMH applications such as Child and Adult Integrated Reporting System (CAIRS), New York State Incident Management and Reporting System (NIMRS), or New York Interagency Supported Employment Report (NYISER), their User IDs will be displayed. Any User IDs that you add should also appear in this list.
The "User List" contains one row for each User ID defined for your agency. Each row contains the following columns:
- Edit (this icon is a picture of a small pencil). You click this icon to edit the user record. This is one of two ways you will grant access to OMH applications. This process is described in the PCS and PSYCKES Medicaid sections of this document.
- User ID. This is the OMH identifier for the user. This identifier is used to sign-on to OMH applications.
- Name. This field displays the user’s last name, followed by the user’s first name and middle initial.
- Token Assigned. While some OMH applications may be accessed with a password, others (e.g., PSYCKES Medicaid), require a SecurID token. This column allows the Security Manager to track token status. The possible values are:
- "Yes" (the user has a SecurID token)
- "No" (the user does not have a SecurID token)
- "Expired" (the user has a SecurID token, however it has expired)
- "Requested-mm/dd/yy" (a token has been requested for this user on the date specified)
- "Sent-mm/dd/yy" (a token was sent to this user on the date specified)
In rare circumstances, it is possible for an individual to have an OMH User ID, but not appear on the User List. In this case, you can create the association between the existing User ID and your agency by using the "New User" function, described in Add New User. The SMS association will be established by entering the existing User ID on the "New User" page.
A "New User" button is displayed immediately following the listed users. When you click this button, the "New User" page will be displayed. You must use the "New User" page to add a new User ID for your agency or to associate an existing User ID with your agency so it appears on the User List. See "Add New User".
The “Search Criteria” section is located at the bottom of the “Users” page following the User List and New User button. The “Search Criteria” section is the mechanism Security Managers use to limit the User IDs displayed in the User list. It contains the following searchable fields: Application, User ID, Last Name, and First Name. In your search query you may select an OMH Application from the drop down list, enter a specific User ID, last name or first name, or you may enter just the first part of any of these fields. Then, when you click the “Search” button, these fields will be used to filter the search results and display only User IDs that match the criteria you selected. If you enter values in more than one of the fields, the search results displayed in the User list will include only User IDs that match all of the criteria selected.
For example, users with access to the PCS application can be searched by selecting the option ‘PCS’ in the drop down for the Application field and clicking the “Search” button.
The User list returns users with access only to particular application (in this case the PCS).
Specific users can be searched by User ID and/or first and last names.
In the SMS application, you can navigate to other SMS pages (e.g., Update My Mailing Address) by positioning the mouse pointer over the "Go To" link at the top left-hand side of the screen, and clicking on the drop down link of the desired page. (Go To choices at this time are limited to "User List", "New User", and "Update My Mailing Address".)
The Help Link at the top right hand side of the screen will open the SMS User Manual.
You can sign-out and exit SMS from the SMS "Users" page, or from any other page in SMS, by clicking on the "Logout" link at the top right-hand side of the page.
Accessing the "Edit User"
To edit the information for an individual at your agency, you will need to sign-on to SMS as described in Log-in Procedure for Security Manager. From the SMS "Users" page, you should access the "Edit User" page by clicking on the "pencil icon" in the "Edit" column on the row for the user in the "Users List" section. The "Edit User" page will be displayed with the user’s name, email address, date of birth, gender, and current application access.
Changing a User’s name, email address, date of birth or gender
You type over the textboxes with new or corrected information and then click the "Update" button to save the changes.
Following "User Information", a "New User" button is displayed. You should click this button to add a new User ID for your agency or to associate an existing User ID with your agency so it appears on the list. When you click the "New User" button, the "New User" page will be displayed. Add New User describes how to use the "New User" page.
Click the "Deactivate" button to remove a user’s access to any OMH application. A warning message will appear explaining that the user will lose access to all OMH applications and ask if you wish to do this. Click the "OK" button in the message to deactivate the user’s access.
Click "Reset Password" to reset the user’s password. This system responds with the following message once the password is reset.
Click the "Users" button to return to the Users page.
On the bottom of the Edit User screen is a section where you may grant access to various applications, assign users to a security group within the application, and in the case of the PCS, associate users with specific units or sites. These processes will be described in the Application-specific sections.
If a User already has an OMH User ID for access to another application (e.g., MHPD, CAIRS, NIMRS) please enter it in the User ID field.
Upon entering a current User ID in the field and exiting the field, the screen will respond with a message that the User ID is valid and will display the retrieved User information. You may close the window. A similar message will display if the User information was not found in the security database. You can edit the User’s email address and your edits will be stored in the SMS application. Fields denoted with an asterik (*) are required.
If the User does not have an existing ID, leave the User ID box blank. The Security Manager proceeds to complete the User information and select the "Create User" button. Fields denoted with an asterik (*) are required. A new User ID will be generated for the User. If a User by that name already exists for the agency, the system will show a message that a User with that name is among the “active” or “inactive” users. To check the inactive users, see the Search Criteria section of the User’s Page.
Click the "Users" button to return to the Users page.
On the bottom of the "Add New User" screen is a section where you may grant access to various applications, assign Users to a security group within the application, and in the case of the PCS, associate Users with specific units or sites. These processes will be described in the Application-specific sections.
To edit the address used to mail tokens, you will need to first sign-on to SMS as described in Log-in Procedure for Security Manager. On the SMS "Users" page, you should position the mouse pointer over the "Go To" label in the top left-hand side of the page and click the "Update My Mailing Address" link to display the "Update My Mailing Address" page. You can type over the address displayed with your correct mailing address, or you can click the round "radio button" next to "Use the Agency Address above as the mailing address for SecurID tokens". Click the "Update" button to save your changes.
You can exit SMS from any page by clicking on the "Logout" link at the top right-hand side of the page. Be sure to save any changes by clicking on the "Update" button before exiting the system.
In SMS, each facility's Security Manager will add and edit Users and determine each User's level of access to the PCS Web application by assigning the User to a security group. For example, the security manager may grant one user the ability to submit and view data for service recipients of one or more of the facility's units or sites, and another the supervisory authority to submit, view, unlock submissions, download client data and lock all the units at that facility.
After editing or adding users to the User Page, the Security Manager follows three steps to grant a person access to the PCS application:
- Assigns the User access to a PCS security group (Submitter or Supervisor)
- Associates Users in Submitter security group with specific program units and sites
- Clicks "Update" to save the User’s assigned access
Please note that each facility must have at least one Supervisor assigned to complete the PCS process. A facility may have additional Supervisors and Submitters as needed.
Below the User Information section of both the "Edit User" and "Add New User" screens, three modules are listed, first MHPD, then the PCS and finally the PSYCKES Medicaid application. To assign a User to a PCS security group, the Security Manager checks one of the two boxes: "Submitter" or "Supervisor". The definitions of PCS security groups are:
- Submitter – A person assigned by the Security Manager to enter/ edit data and view/print reports in the PCS Web application for the units or sites with which that User is associated.
- Supervisor – The Supervisor may upload the facility's data into the PCS application, perform all of the functions of a Submitter for every unit throughout the facility, may unlock submissions and may also download the facility's data file in Microsoft Excel. The Supervisor also indicates when the individual programs are finished with their data entry by locking the programs in the PCS, and will have access to reports about facility specific data when the PCS is over.
Note: A user can only be a Submitter Or Supervisor but cannot be both.
When a person is assigned as a Supervisor, all programs and sites in the facility are automatically selected because the Supervisor’s access, by definition, is facility-wide.
To assign someone as a Submitter: Click the Submitter check box and then select the
Program/Sites for which this Submitter will be entering
PCS information. This associates
the Submitter with the selected programs/sites. The Security Manager must associate the
Submitter with at least one program/site and up to all programs/sites. The complete list
of program units currently listed in the Facility Survey (or
PCS Web application) can be viewed
on the list.
Once a User is associated with sites, the User will be able to enter and edit information in the PCS application for all clients in that site.
By default, program units are shown, but the list can be expanded into sites or collapsed into programs by clicking on the expand and collapse buttons:
Expand Button – reveal sites associated with a program
Collapse Button – hides the site information
For the licensed program types in the table below, agencies are expected to report Patient Characteristics Survey data at the site-level. The Security Manager may grant site-level access; for example, grant one User access to some of the unit's sites and another User access to another set of sites. A Submitter can be associated with one site, or with the entire unit and all of its sites by checking the appropriate boxes.
|Program Type Code||Program Type Name|
|0020||State Psychiatric Center Inpatient|
|0800||Assertive Community Treatment|
|1310||Continuing Day Treatment|
|6340||Comprehensive PROS with Clinical Treatment|
|7340||Comprehensive PROS without Clinical Treatment|
|8340||Limited License PROS|
|2320||Intensive Psychiatric Rehabilitation Treatment|
To grant site-level access, the Security Manager expands the program unit listing and selects the desired sites.
To grant access to all sites within one unit, the Security Manager can simply select the unit, and all sites in that unit will automatically be selected. Similarly, if a Submitter needs access to all the units within the facility, by selecting the check box next to facility, the Security Manager grants access to the entire facility including all units and sites. This last feature is particularly useful for small facilities with a limited number of Submitters
The check box at the bottom of the PCS Access list allows the Security Manager to show a list of all units and sites not yet associated with any Submitter. This feature is particularly useful for large facilities, to ensure that each unit and site have been assigned to a Submitter, As a unit is associated with a Submitter, it drops off this list.
Note that a facility may choose not to have any Submitters, as a Supervisor can submit data.
Information about the facility in the SMS application is drawn from the OMH master provider directory and may be updated by submitting corrections via the Mental Health Provider Data Exchange (MHPD). A description of MHPD is available at www.omh.ny.gov/omhweb/mhpd/. In preparation for the collection of PCS data, providers completed the facility survey found on MHPD’s Survey tab, correcting facility data and program unit data for all programs expected to report on the PCS.
For certain facilities, the SMS list of programs/sites may be so long that the User may have to scroll down to see all the programs/sites for that facility.
In the SMS application, any list that you display on your screen may be printed in its entirety by right-clicking on the screen with the expanded list of programs and their corresponding sites and selecting the “print” option.
Once the fields are populated and PCS access is assigned for the prospective User, click “update” to submit the request.
An email will be generated for the prospective PCS User, giving instructions. If the Security Manager registered the PCS User with an existing OMH User ID, the email will list the ID and instruct the User to use his or her existing password or token. If the User forgets his password, the OMH Help Center can reset it. If the User forgets his password, the Security Manager can reset it in SMS. If the PCS User was not registered with an existing User ID, a new ID is sent to the User's email address along with a notice to expect another email with a password and instructions. The second email will contain the new User password and instructions for use.
Upon finishing the request, the Security Manager should click the “Go To”
button in the top left corner and click “Users” to exit the current request
and return to the User Menu screen.
Security assignments are updated in the PCS database at 15 minutes after the hour.
Agencies are responsible for ensuring that staff have access only to those applications for which they are authorized. For example, at this time the OMH application PSYCKES Medicaid is being implemented only in agencies participating in the NYS OMH Quality Improvement Initiative. If your agency is not participating in this QI Initiative, your Security Manager should not use SMS to provide anyone at your agency with access to PSYCKES Medicaid.
To add a User to an application, you will need to sign-on to SMS as described in the Login Procedure for Security Manager section. From the SMS "Users" page, you should access the "Edit User" page by clicking on the "pencil icon" in the "Edit" column on the row for the User in the "Users List" section. The "Edit User" page will display the User’s information and current application access. The PSYCKES Medicaid application is listed below the Patient Characteristics Survey (PCS) section. You can add or remove a User’s access to the PSYCKES Medicaid application by clicking the checkbox next to the application in the "Application Access" section. A check in the box indicates the User has access. If there is no check in the box, the User will not have access.
You must click the "Update" button in the "User Information" section to save your selection. An email will be generated for the prospective User, giving instructions.
You can return to the "User List" page by clicking the "Users" button, or by positioning the mouse pointer over the "Go To" label at the top left-hand side of the page, and clicking the "Users" link.
In SMS the facility’s Security Manager can add, deactivate or edit Users, and assign a User’s level of access to MHPD. Only a Security Manager will be able to update a User’s name, email address, title and phone number (formerly an option for MHPD Users in MHPD).
After adding or editing Users on the User Page in SMS, the Security Manager grants the User access to MHPD.
For providers or counties, there are four roles in MHPD, each with their own specific levels of access and responsibility.
- Provider User – a User at an individual Facility who can access all the information currently available for that Facility in MHPD. A User with Provider access can submit Change Requests, Administrative Actions and EZ Prior Approval Review (PAR)s to add, update or close programs.
- Provider Admin – a User at an individual Facility who has all the Provider User functionality and can edit the facility information as well. Additionally, a User with a Provider Admin role can edit the facility maintenance page and assign persons to receive facility notifications sent out by OMH via email.
- County User – A County or New York City Mental Health Department User can search, view and request updates to Programs and Sites located in the county. They can view change requests and can request the opening or closing of existing unlicensed programs. They can view but cannot submit Administrative Actions and EZ PARs.
- County Admin – a User at a local government unit who has the same access as a County User, and has all the functionality of the Provider Admin for the County Department of Mental Health and each Facility located in the county.
The Security Manager can grant a User only one role, for instance, a User with Provider access cannot also have County access. The Security Manager can grant a User in a Provider role access only to the Security Manager’s Facility. If the User needs access to a second Facility, the Security Manager or Director for the second Facility should contact the OMH Helpdesk to request the MHPD System Auditor to associate the User with the second Facility.
To assign a User a chosen role in MHPD, after logging in to SMS, the Security Manager next selects the User from the User List or creates a New User if the person does not already have a User ID. To edit a User, the Security Manager clicks the “Edit” icon (the small pencil to the left of the UserID). To create a New User, the Security Manager clicks the “New User” button and follows the steps indicated.
Once in the Edit User Screen, the Security Manager should first verify the User’s information, and then scroll down to the MHPD Module section of the screen. If any of the required fields (marked with asterisks*) are blank, the Security Manager will be directed to enter information before being allowed to update.
To assign MHPD access, the Security Manager selects the appropriate Group Name from the Group Name list. Only one Group Name can be selected.
When finished with all edits, click the “Update” button above the MHPD section. The following screen will appear.
Next, click the “Users” button to return to the User List, “Close” to return to this Edit User screen if necessary, or “Logout” at the top right hand corner of the screen to log out of SMS and quit the application.
Formerly, each MHPD user could update his or her email address, title and phone number in MHPD. Presently, the Security Manager must update this information.
It is important to keep this information current so that MHPD Users receive email notifications of Change Requests, Administrative Actions and EZ PARs that they submit and so that they may be contacted by phone or email by OMH or county staff who are reviewing the requests. To update User information, the Security Manager will select the User from the User list by clicking the “Edit Icon” to the left of the UserID. Once on the User Information Screen, the Security Manager simply corrects any information that needs updating, and then clicks the “Update” button. When finished, the Security Manager can log out at the top right hand corner of the screen, or click the “Users” button to return to the User List and select a different User to edit.
Duplicate notification email is sent to the Security Manager’s and User’s email addresses whenever a new User is entered in the system and/or a new password is generated and when a User is granted access to an application, such as when an MHPD Group Name is assigned. No email is sent when User information is updated.
In SMS the facility’s Security Manager can manage user access to the New York Employment Services Systems (NYESS). See www.nyess.ny.gov for details about this program.
Three types of NYESS access are available: case management, provider-based reporting and cross-provider reporting. Within these categories, various roles are available.
Typically users of the NYESS Case Management system will require NYESS Case Management (NYESSCM) Business Services. This provides access needed to use the Case Management One-Stop Operating System (OSOS) system for delivery of employment services.
Additionally, office supervisors may require NYESSCM Supervisory access, which allows staff to manage service offerings for their office.
Additional case management roles may also be available to select organizations. Questions about these roles should be addressed via the NYESS Contact form.
- Directly supported Seekers. This provides report access to job seekers for whom you are providing case management support directly. This is essentially reporting of the information you have entered in the case management (OSOS) system.
- Supervisor. This provides you access to not only individuals for which you are providing direct case-management support, but also those job seekers who are being supported by staff you supervise.
- Office Administrator. This role provides report access to all job seekers supported by your selected office(s).
- Provider/Organization. This role grants access to reports for all job seekers handled by all offices within your organization.
NYESS Cross-provider Reporting is available to oversight organizations, such as state and local jurisdictions and provides aggregated data based on locale and/or funding streams. Access to these roles will require review and approval by the NYESS business office.
Comments or questions about the information on this page can be directed to the OMH Helpdesk.