The One Identity Manager Epic health care system module provides the ability to connect to Epic health care systems and helps manage health care system identities and their access policies from One Identity Manager. Identity and Access Governance processes such as attesting, Identity Audit, user account management and system entitlements, IT Shop, or report subscriptions can be used for Epic health care systems. The integration provides a one-stop shop for managing Epic health care identities and their access policies, and ensures strong identity governance.
One Identity Manager provides company identities with the necessary user accounts that include Epic EMP user accounts and Epic SER provider accounts. You can use different mechanisms to connect identities to their user accounts. You can also manage user accounts independently of identities.
 
    
To access Epic health care system data, the Epic health care system connector is installed on a synchronization server. The synchronization server ensures that the data is compared between the One Identity Manager database and the Epic health care system. The Epic health care system connector uses the Epic web services and CSV reports to access Epic health care system data.
At a high level, the Epic health care module provides the following two features, both of which use the Epic web services and CSV reports:
- Provisioning
  - Provision Epic EMP user accounts, along with their entitlements (Epic EMP template and Epic EMP subtemplate), created in One Identity Manager to the target Epic health care system.
  - Provision Epic SER provider accounts created in One Identity Manager to the target Epic health care system.
- Synchronization
  - Synchronize Epic EMP user accounts, along with their entitlements including Epic EMP templates and Epic EMP subtemplates, into One Identity Manager.
  - Synchronize Epic SER provider accounts, Epic SER blueprints, Epic SER templates and category list into One Identity Manager.
    
The following users are used in Epic health care system administration.
Table 1: Users used in Epic health care system administration

| Users | Task |
|---|---|
| Target system administrators | Target system administrators must be assigned to the Target systems \| Administrators application role.<br>Users with this application role:<br>- Administrate application roles for individual target system types<br>- Specify the target system manager<br>- Set up other application roles for target system managers if required<br>- Specify which application roles are conflicting for target system managers<br>- Authorize other identities to be target system administrators<br>- Do not assume any administrative tasks within the target system |
| Target system managers | Target system managers must be assigned to Target systems \| Epic or a sub-application role.<br>Users with this application role:<br>- Assume administrative tasks for the target system<br>- Create, change or delete target system objects, like user accounts (Epic EMP user accounts and Epic SER provider accounts)<br>- Edit password policies for the target system<br>- Prepare Epic EMP template and Epic EMP subtemplate for adding to the IT Shop<br>- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager<br>- Edit the synchronization's target system types and outstanding objects<br>- Authorize other identities within their area of responsibility as target system managers and create child application roles if required |
| One Identity Manager administrators | - Create customized permissions groups for application roles for role-based login to administration tools in Designer as required<br>- Create system users and permissions groups for non-role-based login to administration tools in Designer as required<br>- Enable or disable additional configuration parameters in Designer as required<br>- Create custom processes in Designer as required<br>- Create and configure schedules as required<br>- Create and configure password policies as required |
| Administrators for the IT Shop | Administrators must be assigned to the Request & Fulfillment \| IT Shop \| Administrators application role.<br>Users with this application role:<br>- Assign to IT Shop structures |
| Product owner for the IT Shop | Product owners must be assigned to the Request & Fulfillment \| IT Shop \| Product owner application role or a child application role.<br>Users with this application role:<br>- Approve through requests<br>- Edit service items and service categories under their management |
| Administrators for Organizations | Administrators must be assigned to the application role Identity Management \| Organizations \| Administrators.<br>Users with this application role:<br>- Assign to departments, cost centers and locations |
| Business roles administrators | Administrators must be assigned to the application role Identity Management \| Business roles \| Administrators.<br>Users with this application role |
 
    
Epic health care system prerequisites
The following are the Epic health care system EMP connection prerequisites:
- Epic version supported: May 2019, August 2020, May 2020, February 2020, November 2020, February 2021, May 2021, August 2021, November 2021, February 2022, May 2022, November 2022, February 2023, May 2023, August 2023, November 2023, February 2024, May 2024 and August 2024.
  NOTE: Prior Epic versions should also be supported but have not been officially tested.
- Epic web services: Epic’s SOAP 1.1 version of web services should be enabled and accessible. The Epic system’s Personnel management and demographics (user) web services should be enabled for access.
- Epic web services credentials: Valid credentials that have access to the Epic web services.
- Client ID: A valid Epic Client ID that has access to Epic’s personnel management and demographics (user) web services. One Identity's Production and Non-Production Epic Client IDs can be used if they are enabled for accessing the Epic web services. One Identity's Epic Client IDs can be found in the EPCEpicConfig.xml file on the One Identity Manager workstation.
- Epic EMP user, Epic EMP template, Epic EMP subtemplate reports: The master lists of all Epic EMP users, Epic EMP templates and Epic EMP subtemplates need to be exported from Epic into separate CSV files and provided to the Epic connector. Please contact Epic on how to automate the report generation process.
- Epic EMP items need to be unlocked: Epic EMP user attributes that need to be managed from One Identity Manager need to be unlocked by Epic’s Data Courier team. The list of attributes along with the EMP item number is provided in the section Epic EMP User Accounts. Unlock the EMP user items that you want serviced from One Identity Manager.
The following are the Epic health care system SER connection prerequisites:
- Epic SER provider, Epic SER blueprint, Epic SER template, and Epic SER item reports:
  - Epic SER blueprint report: Epic SER blueprints are like templates from which an Epic SER provider record can be built. If you want to build Epic SER provider records from an Epic SER blueprint, a CSV report needs to be generated and provided to the Epic connector. Please contact Epic on how to automate the report generation process.
  - Epic SER template and Epic SER item reports: The Epic SER template provides a custom way to build an Epic SER provider record. The report is modeled like the Epic SER blueprint. The EPC module’s Miscellaneous folder contains an example Epic SER template report. The Epic SER item report contains the list of Epic SER items managed from One Identity Manager. The EPC module’s Miscellaneous folder contains an example Epic SER items report. Make sure the item number and field number present in the file match your Epic installation.
  - Epic SER categories report: In the One Identity Manager Designer’s SERProvider schema, SER columns can optionally be designated as being populated from a limited set of values by checking the defined list of values option. For columns that have been designated this way, the actual values can optionally be synchronized from external files. The categories report must be generated for this purpose and provided to the Epic connector. The EPC module’s Miscellaneous folder contains categories for all supported Epic SER items. These categories can be used if they satisfy the requirement; otherwise, contact Epic to automate the report generation process.
For more information about report format, see
To load Epic EMP users, Epic EMP templates, Epic subtemplates, Epic SER providers, Epic SER blueprints, Epic SER templates and Epic SER items into the One Identity Manager database for the first time:
- Make sure the Epic health care system prerequisites are met.
- The One Identity Manager components for managing Epic health care systems are available if the TargetSystem | Epic configuration parameter is set.
  - Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
  - Check the configuration parameters and modify them as necessary to suit your requirements.
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  NOTE: Ensure that the Job server has the machine role of Epic and the job server function of Epic connector.
- Create a synchronization project with the Synchronization Editor.
For more information, see