One Identity Manager Epic health care system module provides the ability to connect to Epic health care systems and help manage the health care system identities and their access policies from One Identity Manager. Identity and Access Governance processes such as attesting, Identity Audit, user account management and system entitlements, IT Shop, or report subscriptions can be used for Epic health care systems. The integration provides a one stop shop for managing Epic health care identities, their access policies and ensures a strong identity governance.
One Identity Manager provides company employees with the necessary user accounts. You can use different mechanisms to connect employees to their user accounts. You can also manage user accounts independently of employees.
To access Epic health care system data, the Epic health care system connector is installed on a synchronization server. The synchronization server ensures that the data is compared between the One Identity Manager database and Epic health care system. The Epic health care system connector uses the Epic web services for accessing Epic health care system data.
At a high level, the Epic health care module provides the following two features leveraging the Epic web services
- Provisioning: Provision Epic EMP user accounts along with their entitlements (EMPTemplate and SubTemplate) created in One Identity Manager on to the target Epic health care system.
- Synchronization: Synchronize Epic EMP user accounts along with their entitlements including Epic EMPTemplates and SubTemplates into One Identity Manager.
The following users are used in Epic health care system administration.
Table 1: Users used in Epic health care system administration
Users |
Task |
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role
- Administrate application roles for individual target systems types
- Specify the target system manager
- Set up other application roles for target system managers if required
- Specify which application roles are conflicting for target system managers
- Authorize other employee to be target system administrators
- Do not assume any administrative tasks within the target system
|
Target system managers |
Target system managers must be assigned to Target systems | Epic or a sub-application role.
Users with this application role
- Assume administrative tasks for the target system
- Create, change or delete target system objects, like user accounts
- Edit password policies for the target system
- Prepare EMPTemplate and SubTemplate for adding to the IT Shop
- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager
- Edit the synchronization's target system types and outstanding objects
- Authorize other employees within their area of responsibility as target system managers and create child application roles if required
|
One Identity Manager administrators |
- Create customized permissions groups for application roles for role-based login to administration tools in Designer as required
- Create system users and permissions groups for nonrole- based login to administration tools in Designer as required
- Enable or disable additional configuration parameters in Designer as required
- Create custom processes in Designer as required
- Create and configures schedules as required
- Create and configure password policies as required
|
Administrators for the IT Shop |
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role
- Assign to IT Shop structures
|
Product owner for the IT Shop |
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owner application role or a child application role.
Users with this application role
- Approve through requests
- Edit service items and service categories under their management
|
Administrators for Organizations |
Administrators must be assigned to the application role Identity Management | Organizations | Administrators.
Users with this application role
- Assign to departments, cost centers and locations
|
Business roles administrators |
Administrators must be assigned to the application role Identity Management | Business roles | Administrators.
Users with this application role
|
Epic health care system prerequisites
The following are the Epic health care system prerequisites
Epic version supported: May 2019, August 2020, May 2020, February 2020, November 2020, Feb 2021, May 2021, August 2021.
NOTE: Prior Epic versions should also be supported but not officially tested against those versions.
Epic web services: Epic’s SOAP 1.1 version of web services should be enabled and accessible. Epic system’s Personnel management and demographics (user) web services should be enabled for access
Epic web services credentials: Valid credentials that has access to the Epic web services
Client ID: Valid Epic Client ID that has access to the Epic’s personnel management and demographics (user) web services. One Identity's Production and Non-Production Epic Client IDs can be used if they are enabled for accessing the Epic web services. One Identity's Epic Client IDs can be found in the EPCEpicConfig.xml file in One Identity Manager workstation.
EMP User, EMPTemplate and SubTemplate reports: The master list of all EMP users, EMPTemplates and SubTemplates need to be exported from Epic in to separate CSV files and provided to Epic connector. Please contact Epic on how to automate the report generation process.
Epic EMP Items need to be un-locked: Epic EMP user attributes that need to be managed from One Identity Manager need to be un-locked by Epic’s Data Courier team. The list of attributes along with the EMP item number are provided in the section Epic EMP User Accounts. Un-lock the EMP user items that you want serviced from One Identity Manager.
For more information about report format, see
To load One Epic EMP users, EMPTemplates and SubTemplates into the One Identity Manager database for the first time
- Make sure Epic health care system prerequisites are met
- The One Identity Manager components for managing Epic health care system are available if the TargetSystem | Epic configuration parameter is set.
- Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
- Check the configuration parameters and modify them as necessary to suit your requirements.
- Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
NOTE: Ensure that the Job server has the machine role of Epic and job server function of Epic connector.
- Create a synchronization project with the Synchronization Editor.
For more information, see