OneAdvanced Identity guidance
Updated by Alpa Jagpal
Introduction
In T&A version 8.40.0.0 or higher, we have provided a new login method for the T&A Web and Mobile application, which ensures secure access to your software applications as well as easier access to the applications you use.
This guidance is to assist Time and Attendance customers to enable OneAdvanced Identity authentication in their T&A Web and mobile applications. Specifically, this guidance is geared towards systems administrators.
Please note this guide will take you through the T&A onboarding process for OneAdvanced Identity and so may not provide like-for-like guidance for other applications.
What is OneAdvanced Identity?
OneAdvanced Identity (OAI) is a platform that centralises user authentication across the products and services provided by OneAdvanced, so users have a more secure and seamless authentication process between their different applications. It also allows users to access their OneAdvanced applications using a single set of credentials, rather than having to rely on multiple usernames and passwords across products.
For administrators, there is a single location where you can control the authentication process into your OneAdvanced systems, allowing for easier user management as well as access to OneAdvanced’s most secure authentication tools, such as Multi-Factor Authentication (MFA) and integrating with existing Active Directory (AD) instances.
Getting started
You can contact your Account Manager or Customer Success Manager to make your interest known in enabling OneAdvanced Identity in your T&A system.
Before enabling OneAdvanced Identity, the following checklist should be considered to ensure that you and your users are prepared for the changes this will have on your system, and that your employee/user data is appropriate for syncing with Identity.
Check required data
- A pre-requisite for using OAI is that all Employee and User records in the system must have a unique email address. Where an employee and user are linked, they will share the same email address. The email address does not have to be an organisation's email address.
- There is a new Email for SSO field on the User record, which is mandatory when Identity is enabled. This field must be populated for existing Users to be successfully migrated.
- Employees/Users cannot have duplicate email addresses, unless they are linked, as this will impact the synchronisation between OAI and T&A.
- An employee should not be linked to more than one user, as this will prevent all the users from being synced.
- Email addresses should be in a valid format and should not be fully upper-case or contain spaces; otherwise this can cause errors during the synchronisation process, which will mean the user will not be able to access the web/mobile app.
Don't worry though, as the Identity Onboarding function in T&A will perform these email checks for you and let you know which employee/user records are affected. Details are covered in the Identity Onboarding in T&A section below.
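The checklist above can also be run as a pre-flight check over your own data before onboarding. The following is an added example, not OneAdvanced or T&A code: it assumes records have been exported as rows of (kind, record id, email, linked employee id), and that row layout, the sample rows, the simple format pattern and the case-insensitive duplicate comparison are all assumptions.

```python
import re
from collections import defaultdict

# Simple shape check only; an assumption, not OneAdvanced Identity's own rule.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample rows: (kind, record id, email, linked employee id).
SAMPLE = [
    ("employee", "E1", "ann@example.com", ""),
    ("user", "U1", "ann@example.com", "E1"),     # linked pair: shared email is fine
    ("employee", "E2", "BOB@EXAMPLE.COM", ""),   # fully upper-case
    ("employee", "E3", "cat @example.com", ""),  # contains a space
    ("employee", "E4", "dan@example.com", ""),
    ("user", "U2", "dan@example.com", "E4"),     # E4 is linked to two users
    ("user", "U3", "dan@example.com", "E4"),
]

def email_problems(email):
    """Format problems the checklist names for a single address."""
    if not email:
        return ["missing email"]
    problems = []
    if " " in email:
        problems.append("contains spaces")
    if email.isupper():
        problems.append("fully upper-case")
    if not EMAIL_RE.match(email):
        problems.append("invalid format")
    return problems

def is_linked_pair(group):
    """True when the rows are exactly one employee and the one user linked to it."""
    emps = [r for r in group if r[0] == "employee"]
    usrs = [r for r in group if r[0] == "user"]
    return len(group) == 2 and len(emps) == 1 and len(usrs) == 1 and usrs[0][3] == emps[0][1]

def check_records(rows):
    """Map (kind, id) -> list of problems that would affect the sync."""
    findings, by_email, users_of = defaultdict(list), defaultdict(list), defaultdict(list)
    for row in rows:
        kind, rec_id, email, linked = row
        findings[(kind, rec_id)].extend(email_problems(email))
        if email:
            by_email[email.strip().lower()].append(row)  # case-insensitive: assumption
        if kind == "user" and linked:
            users_of[linked].append(rec_id)
    for emp, users in users_of.items():
        if len(users) > 1:  # one employee, several users: none of them will sync
            findings[("employee", emp)].append("linked to users " + ", ".join(users))
    for email, group in by_email.items():
        if len(group) > 1 and not is_linked_pair(group):
            for kind, rec_id, _, _ in group:
                findings[(kind, rec_id)].append("duplicate email " + email)
    return {key: probs for key, probs in findings.items() if probs}
```

Calling `check_records(SAMPLE)` returns only the records that need correcting, keyed by record type and id, so the list can be worked through before the Email summary in T&A is reviewed.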
Understanding the changes
- Review the dedicated OneAdvanced Identity Service guidance available here, to understand more about the authentication features and functionality available.
- Users will be directed to the OneAdvanced Identity login page for your organisation, instead of a T&A login page.
- If you are upgrading then all current users will have a change in credentials when accessing the T&A web/mobile app.
- There is no change in the way employees/users are created in T&A. The integration between OAI and T&A works in the background, to sync them to their SSO accounts in Identity. Supervisors should review the User Management guidance notes available here.
- Switching between an employee and linked supervisor user will be much quicker and easier with Identity enabled, as you will be taken directly to the dashboard view, and will no longer be required to login again.
Managing your Identity Service
- As part of OAI, you will have access to a centralised application platform that is used by system administrators to manage your Identity service.
- You will need to nominate a System Administrator for OAI within your organisation. The administrator is required for onboarding to take place as they will be the first person to get access to your Identity Service platform and the administrator controls for your OneAdvanced Identity service.
- It is advisable to create additional administrators who will also be given access to your Identity Service platform and OAI administrator controls.
- Having reviewed the OneAdvanced Identity features, you should also consider how you want to configure your OAI Organisation, as this will determine your security and login flow for the T&A web/mobile app. You may find this Admins section helpful.
Enabling OneAdvanced Identity
This next section provides you with detailed information on how you can adopt Identity in T&A.
Requesting your Identity Service
Once you and your Customer Success/Account Manager are happy that you have covered the checklist and are ready to enable Identity in your new system or as part of your T&A upgrade to 8.40.0.0 or higher, you can request that your organisation's OneAdvanced Identity Service be created. You will need to provide the following information:

| Information | Description |
| --- | --- |
| Customer Name | This is the name of your Organisation. |
| System Administrator Name | Provide the first name and surname of the admin who will be overseeing the onboarding process. |
| System Administrator's Email | Provide the email address of the admin who will be overseeing the onboarding process. |

If an implementation consultant will be working with you to enable OAI, then the above System Administrator will be requested to create an OAI user account for this person. Details on creating and managing users in your Identity Service are available here.
Configuring your Identity Organisation
Before enabling OAI in the T&A system, you must ensure that you have configured your Organisation within your Identity Service to reflect how you would like T&A web/mobile app login authentication to work. This may involve setting up Federated authentication, setting your Password Policy and turning on Multi-factor authentication, all of which will impact the login flow for users.
Identity onboarding in T&A
You can access the Identity onboarding function in the T&A WINTMS app, using the following steps.
Wintms.exe -> System -> Maintain Users -> Login Options -> OneAdvanced Identity
If the OneAdvanced Identity tab is not available, then the feature will need to be switched on. This can be done through INIEDIT, by navigating to ADVSSO>ENABLEIDENTITY and setting the preference to true.
- Identity onboarding is a simple process of configuring your Identity settings and then enabling Identity.
- We have included an optional step, to start the sync process before enabling the Identity login page, to give customers flexibility to sync employees/users before enabling the Identity login page.
Email summary
We have provided Email summary stats to give customers the assurance their email data meets the unique email address pre-requisite and will therefore be synchronised successfully once the sync process has started in step 2 or 3.
- The email checks exclude employees with a leave date in the past.
- The View Details link provides a list of the employees/users that do not have a unique email address.
- In the View Details screen, there is a right-click option to copy the grid data to the Clipboard.
- The Start Synchronisation/Enable Identity steps can still be performed even if the Email summary shows there are employees/users without a unique email address.
Configure your Identity details
Once your Identity service has been set up, you will receive your Identity Organisation Reference and a set of secure Client Credentials. This information, plus the additional settings, should be entered in the screen shown.
Synchronise employees and users
As mentioned above, this step is optional. Once the Start synchronisation button is selected, the background integration process will be kicked off. This process will sync any existing employees/users with an email address, as well as new records created once it's running, to their Identity SSO account.
This means you have the option of completing your upgrade and switching over to the Identity login page, at a later date, once you are happy that your employees/users have their SSO accounts ready for login to T&A.
Enable Identity
Once the Enable Identity option is checked/true:
- the T&A web/mobile app login method will be switched from the current login method to using the Identity login page
- additionally, if the background synchronisation process is not already running then it will be started
Disabling Identity
Should you need to stop using the Identity login page on the web app, you can unset the Enable Identity option. The system will then use the login option configured.
Synchronisation Status
The synchronisation stats provide customers with an overview of the employees/users that have been successfully synced to their SSO account and those that have failed.
- Once the Enable Identity flag has been set to true, any employees/users that have failed synchronisation will not be able to login to the web/mobile app.
- You can use the View Details link to see why they failed to sync to Identity. The sync process will attempt to sync the employee/user again after the record is updated, to correct the issue.
Identity Welcome email
When Identity is enabled (Step 3) in T&A and a new SSO account is created, the Identity service will automatically send a Welcome email to the user, which provides details on how they can set a password for their new SSO account. Once the user has completed this step, they will be able to login to the T&A web/mobile app.
Note: Welcome emails are not sent out if you use the optional Synchronisation process (Step 2) to sync all employees/users before enabling Identity (Step 3). However, once you are happy that all the employees/users are synced, you can still send Identity Welcome emails by using the 'Sending welcome emails to multiple users' feature. Use this link to access the help page for more instructions.
Logging into T&A using Identity
Once you have enabled Identity, the login flow for T&A will be dictated by the authentication settings set in your Identity Organisation.
Find more information on the different login flows here.
Master user access to T&A web app
Windows apps do not use Identity and therefore you can use existing T&A passwords or set new passwords on the User record. However, once Identity is enabled, the Master user can only be used by one SSO email account on the T&A web app. This is in line with your choice to enable Identity so that you have more secure access to your data via the web and better auditing, as multiple people cannot use one account to make changes.
Should you need to use the Master user in the web app, follow the steps below:
- In the Win TMS app, go to System -> Maintain Users -> Users
- Select Master User and click Modify
- Update the Email for SSO field with a valid email address. Once the record is synced to Identity, you will be able to login.