지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2.1 - Epic Healthcare System Administration Guide

Managing an Epic health care system Setting up synchronization with an Epic health care system Basic Data for managing an Epic health care system Epic Connection Epic EMP User Accounts Epic EMP template Epic EMP subtemplate Epic SER Items Epic SER Provider accounts Epic SER Blueprints Epic SER Template Security Matrix Configuration parameters for managing Epic health care system Default project template for Epic

Basic Data for managing an Epic health care system

To manage an Epic health care system environment in One Identity Manager, the following basic data is relevant.

Configuration parameters

Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements. Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in Base data | General | Configuration parameters in Designer.

For more information, see Configuration parameters for managing Epic health care system.

Account definitions

One Identity Manager has account definitions for automatically allocating Epic EMP user accounts and Epic SER provider accounts to identities. You can create account definitions for every target system. If an identity does not yet have an Epic EMP user account or Epic SER provider account in a target system, a new user account is created. This is done by assigning account definitions to an identity. For more information, see Account definition for Epic EMP user account and Epic SER provider account.

Password policies

One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the identities' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.

Predefined password policies are supplied with the default installation that you can user or customize if required. You can also define your own password policies.

For more information, see Password policies for Epic EMP user account.

Initial password for new user accounts

You have the different options for issuing an initial password for Epic EMP user accounts. The central password of the assigned identity can be aligned with the Epic EMP user account password, a predefined, fixed password can be used, or a randomly generated initial password can be issued.

For more information, see Initial password for Epic EMP user account.

NOTE: Password is applicable to only Epic EMP user accounts.

Email notifications about login data

When a new Epic EMP user account is created, the login data are sent to a specified recipient. In this case, two messages are sent with the username and the initial password. Mail templates are used to generate the messages. For more information, see Email notifications about login data.

Target system types

Target system types are required for configuring target system comparisons. Tables containing outstanding objects are maintained on target system types. For more information, see Post-processing outstanding objects.

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign the identities who are authorized to edit all tenants in One Identity Manager to this application role. Define additional application roles if you want to limit the edit permissions for target system managers to individual tenants. The application roles must be added under the default application role. For more information, see Target system managers.

Server

Servers must know your server functionality in order to handle Epic specific processes in One Identity Manager. For example, the synchronization server.

For more information, see Editing a server.

Account definition for Epic EMP user account and Epic SER provider account

One Identity Manager has account definitions for automatically allocating Epic EMP user accounts and Epic SER provider accounts to identities during working hours. You can create account definitions for every target system. If an identity does not yet have an Epic EMP user account or Epic SER provider account in a target system, a new user account is created. This is done by assigning account definitions to an identity.

The data for the user accounts in the respective target system comes from the basic identity data. The identities must have a central user and provider account. The assignment of the IT operating data to the identity’s account is controlled through the primary assignment of the identity to a location, a department, a cost center, or a business role (template processing). Processing is done through templates. There are predefined templates for determining the data required for user and provider accounts included in the default installation. You can customize templates as required. For detailed information about account definitions, see the One Identity Manager Target System Base Module Administration Guide.

The following steps are required to implement an account definition

  • Creating account definitions
  • Creating manage levels
  • Creating mapping rules for IT operating data
  • Entering IT operating data
  • Assigning account definitions to identities
  • Assigning account definitions to a target system

Creating Account Definitions - Master data for an Account Definition

To create a new account definition

1. In One Identity Manager, select Epic healthcare | Basic configuration data | Account definitions | Account definitions.

2. Select an account definition in the result list. Select Change master data.

- OR -

Click in the result list toolbar.

3. Enter the account definition's master data.

4. Save the changes

For more information, see Master data for an account definition.

Table 7: Master data for an account definition
Property Description
Account definition Account definition name.
User account table Table in the One Identity Manager schema that maps user accounts.
Target system Target system to which the account definition applies.
Required account definition Required account definitions. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is automatically requested or assigned with it.
Description Spare text box for additional explanation.
Manage level (initial) Manage level to use by default when you add new user accounts.
Risk index Value for evaluating the risk of account definition assignments to identities. Enter a value between 0 and 1. This input field is only visible if the configuration parameter QER | CalculateRiskIndex is activated. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item Service item through which you can request the account definition in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. The account definition can be ordered by an identity over the Web Portal and distributed using a defined approval process. The account definition can also be assigned directly to identities and roles outside of IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. The account definition can be ordered by an identity over the Web Portal and distributed using a defined approval process. This means, the account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to identities

Specifies whether the account definition is assigned automatically to all internal identities. The account definition is assigned to every identity not marked as external, on saving. New identities automatically obtain this account definition as soon as they are added.

IMPORTANT: Only set this option if you can ensure that all current internal identities in the database and all pending newly added internal identities obtain a user account in this target system. Disable this option to remove automatic assignment of the account definition to all identities. The account definition cannot be reassigned to identities from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently disabled identities. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment on deferred deletion of identities. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to identities posing a security risk. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping account definitions.

Spare field 01 - spare field 10

Additional company specific information. Use Designer to customize display names, formats and templates for the input fields

Creating manage level - Master data for manage level

Specify the manage level for an account definition for managing user accounts. The user

account’s manage level specifies the extent of the identity’s properties that are inherited

by the user account. This allows an identity to have several user accounts in one target

system, for example:

  • Default user account that inherits all properties from the identity
  • Administrative user account that is associated to an identity but should not inherit the properties from the identity.

One Identity Manager supplies a default configuration for manage levels

Unmanaged: User accounts with the Unmanaged manage level are linked to the identity but they do not inherit any further properties. When a new user account is added with this manage level and an identity is assigned, some of the identity's properties are transferred initially. If the identity properties are changed at a later date, the changes are not passed onto the user account.

Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned identity. When a new user account is created with this manage level and an identity is assigned, the identity's properties are transferred in an initial state. If the identity properties are changed later, the changes are passed onto the user account.

NOTE: The Full managed and Unmanaged are analyzed in templates. You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.

Specify the effect of temporarily or permanently disabling, deleting or the security risk of an identity on its user accounts and group memberships for each manage level. For detailed information about manage levels, see the One Identity Manager Target System Base Module Administration Guide.

  • Identity user accounts can be locked when they are disabled, deleted or rated as a security risk so that permissions are immediately withdrawn. If the identity is reinstated later, the user accounts are also reactivated.
  • You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the identity’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this identity. Existing group memberships are deleted!

To assign manage levels to an account definition

1. In One Identity Manager, select Epic healthcare | Basic configuration data | Account definitions | Account definitions.

2. Select an account definition in the result list.

3. Select Assign manage level.

4. Assign the manage levels in Add assignments.

- OR -

Delete the manage levels in Remove assignments.

5. Save the changes.

IMPORTANT: The Managed manage level is assigned automatically when you create an account definition and it cannot be removed.

To edit a manage level

1. Select Epic healthcare | Basic configuration data | Account definitions | Manage levels.

2. Select the manage level in the result list. Select Change master data.

- OR -

Click in the result list toolbar.

3. Edit the manage level's master data.

4. Save the changes.

Related Topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택