A mapping must be established between the Person Identity attributes and the SubTemplate security matrix attributes, in order to group the SubTemplate with one or more attributes of the Identity. Refer to the section Configuring SecurityMatrix for SubTemplate for configuration details.
Related Topics
The Security Matrix for SubTemplate once imported could be viewed using One Identity Manager. Refer to the section Viewing the SubTemplate Security Matrix for details.
Related Topics
SubTemplate assigned to an Epic EMP user must have a priority (also called index). The default SubTemplate priority for different OneIM organizations and business roles can be configured. When an user receives a SubTemplate through base tree based inheritance, the configured SubTemplate priority for the organization is automatically applied.
To configure the SubTemplateIndex settings follow the below mentioned steps:
- In One Identity Manager, select the appropriate Epic connection that has been created.
- In the Tasks section, select the link Configure settings for SubTemplateIndex.
- Update the SubTemplate Index for the organization or business role
- Save the settings.
Related Topics
Epic EMP user accounts can be managed from One Identity.
User Report
The master list of Epic EMP user accounts that should be managed from One Identity Manager should be exported from Epic and provided in a CSV file. The name of the CSV file should be Users.csv. This is called the user report and the generated report should be copied to the configured CSV import directory (The CSV import directory was configured when you created the synchronization project).
NOTE:
- Contact Epic regarding on how to automate the user report generation and dropping the report generated to the CSV import directory.
If the CSV import directory is a local folder on the job server and One Identity Manager workstation, make sure to copy the user report to both the job server’s and One Identity Manager workstation’s local folder
If the CSV import directory is a network share, make sure it is accessible from both the job server and One Identity Manager workstation.
The Users.csv report has a specific format. It should contain the following fields and the order should be maintained.
- User Number (Local ID or External ID): The Epic Emp user’s External ID.
- System Login: The Epic Emp user’s System Login ID.
- UserName: The Epic Emp user’s name.
- User Record Status: The Epic Emp user’s status (Active / InActive).
IMPORTANT:
- The first line in the Users.csv report should be the header row with the fields specified above.
- Field ordering in the Users.csv report should be maintained.
- The user number provided should be the Epic EMP user’s External ID.
- If any of the field has a comma it should be escaped properly with double quotes.
- The user report should contain only the list of EMP user accounts that need to be managed from One Identity Manager. EMP user accounts such as service user accounts or In-Active accounts or any other user accounts that does not need to be managed from One Identity Manager should not be there in the user’s report and these users can be filtered out when the report is generated in Epic.
User Report customization
Epic connector uses the user report to get the master list of Epic EMP user accounts. Sometimes additional customization might need to be done to the user report generated. For example, we might want to remove certain Epic EMP user accounts such as contractors from the user report, which could have not been possible when the report is generated in Epic. To address these use cases, Epic connector provides the ability to perform additional customization to the user report generated from Epic. The Epic report customization is done in a PowerShell script named EPCUserReportFilterScript.ps1.
The Epic connector now uses the Epic EMP user data returned by the EPCUserReportFilterScript.ps1 PowerShell script as the master list of Epic EMP users and does not use the user data from the Users.csv file.
To perform additional user report customization
- In the synchronization project choose advance settings
- Select the option Use Custom PowerShell Script for User Import. Save the synchronization project changes.
- Copy the EPCUserReportFilterScript.ps1 PowerShell script from installer’s EPC Module dvd/Addon folder to the configured CSV import directory in synchronization project .
NOTE: If the CSV import directory is configured as a local folder then the PowerShell script must be copied to the local folder in job server and OneIM workstation.
- The Epic connector calls the PowerShell script’s Get-OneIMEpicUsers function to get the list of Epic EMP users. Customize the function according to the requirements.
IMPORTANT: The data must be returned in the format as documented in the function.
Testing the changes
Once the PowerShell script has been customized it must be tested.
- Update the Test-Get-OneIMEpicUsers function in the PowerShell script and run the script. This is a test function that validates the data returned by the Get-OneIMEpicUsers function. Make sure the data is returned is correct
NOTE: The PowerShell script can be run from the OneIM workstation.
- Open the synchronization project and navigate to the start up configuration. Run a simulation. Make sure the data returned is correct. This test makes sure that the Epic connector can invoke the PowerShell script and load the data returned by the PowerShell script.
Epic EMP user account attribute un-locking
Epic EMP user account attributes need to be un-locked in Epic in order to manage them from One Identity. The following table provides the list of Epic EMP attributes along with the EMP item number. Contact the Epic data courier team and un-lock attributes that you want to manage from One Identity.
Table 24: Epic EMP attributes
EMP item number |
EMP attribute name |
Comments |
.1 |
User Number |
|
.2 |
UserName |
|
23 |
Contact Comment |
|
35 |
User Name |
|
36 |
User Name Over Time |
|
45 |
System Login |
|
50 |
Status |
|
55 |
User Login Blocked |
|
180 |
User Alias |
|
720 |
Effective From Date |
|
730 |
Effective To Date |
|
14100 |
Notes |
|
14700 |
Sex |
|
20414 |
Primary Manager |
|
198 |
Applied Linkable Template |
|
.198 |
Applied Linkable Template Record Name |
|
1101 |
Default Linkable Template |
|
.1101 |
Default Linkable Template Record Name |
|
40 |
Password |
Applicable only if Native authentication has been enabled in Epic |
20415 |
Additional Managers |
|
1110 |
Linkable Templates |
|
1111 |
Linkable Templates Effective from Date |
|
1112 |
Linkable Templates Effective to Date |
|
1115 |
Linkable Templates Login Types |
|
9205 |
Linked Subtemplates |
|
20701 |
User MPI ID |
|
20700 |
User MPI ID Type |
|
2401 |
Type of External ID |
|
2402 |
External User ID |
|
2405 |
External ID Active |
|
14150 |
Employee Demographic 1 |
|
14151 |
Employee Demographic 2 |
|
14152 |
Employee Demographic 3 |
|
100 |
Address |
|
110 |
City/Locality |
|
112 |
County |
|
135 |
Country |
|
120 |
State/Province |
|
130 |
Zip Code |
|
140 |
Phone Number |
|
150 |
Email Address |
|
114 |
District |
|
102 |
House Number |
|
17500 |
LinkedProviderID |
|