Identity Manager 8.1.2 - Administration Guide for connecting to Epic

One Identity Manager Healthcare Integration module for Epic provides the ability to connect to Epic Healthcare systems and helps manage the Healthcare system identities and their access policies from One Identity Manager. Identity and Access Governance processes such as attesting, Identity Audit, user account management and system entitlements, IT Shop, or report subscriptions can be used for Epic Healthcare systems. The integration provides a one stop shop for managing Epic Healthcare identities, their access policies and ensures a strong identity governance.

One Identity Manager provides company employees with the necessary user accounts. You can use different mechanisms to connect employees to their user accounts. You can also manage user accounts independently of employees.

Architecture overview

To access Epic Healthcare system data, the Epic Healthcare system connector is installed on a synchronization server. The synchronization server ensures that the data is compared between the One Identity Manager database and Epic Healthcare system. The Epic Healthcare system connector uses the Epic web services for accessing Epic Healthcare system data.

At a high level, the Healthcare Integration Module for Epic provides the following two features leveraging the Epic web services

Provisioning: Provision Epic EMP user accounts along with their entitlements (EMPTemplate and SubTemplate) created in One Identity Manager on to the target Epic Healthcare system.
Synchronization: Synchronize Epic EMP user accounts along with their entitlements including Epic EMPTemplates and SubTemplates into One Identity Manager.

One Identity Manager users for managing an Epic Healthcare system

The following users are used in Epic Healthcare system administration.

Table 1: Users used in Epic Healthcare system administration
Users	Task
Target system administrators	Target system administrators must be assigned to the Target systems \| Administrators application role. Users with this application role Administrate application roles for individual target systems types Specify the target system manager Set up other application roles for target system managers if required Specify which application roles are conflicting for target system managers Authorize other employee to be target system administrators Do not assume any administrative tasks within the target system
Target system managers	Target system managers must be assigned to Target systems \| Epic or a sub-application role. Users with this application role Assume administrative tasks for the target system Create, change or delete target system objects, like user accounts Edit password policies for the target system Prepare EMPTemplate and SubTemplate for adding to the IT Shop Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager Edit the synchronization's target system types and outstanding objects Authorize other employees within their area of responsibility as target system managers and create child application roles if required
One Identity Manager administrators	Create customized permissions groups for application roles for role-based login to administration tools in Designer as required Create system users and permissions groups for nonrole- based login to administration tools in Designer as required Enable or disable additional configuration parameters in Designer as required Create custom processes in Designer as required Create and configures schedules as required Create and configure password policies as required
Administrators for the IT Shop	Administrators must be assigned to the Request & Fulfillment \| IT Shop \| Administrators application role. Users with this application role Assign to IT Shop structures
Product owner for the IT Shop	Product owners must be assigned to the Request & Fulfillment \| IT Shop \| Product owner application role or a child application role. Users with this application role Approve through requests Edit service items and service categories under their management
Administrators for Organizations	Administrators must be assigned to the application role Identity Management \| Organizations \| Administrators. Users with this application role Assign to departments, cost centers and locations
Business roles administrators	Administrators must be assigned to the application role Identity Management \| Business roles \| Administrators. Users with this application role Assign to business roles

Setting up synchronization with an Epic Healthcare system

One Identity Manager prerequisites

User accounts are mapped incorrectly to Employee if the matching criteria field contains NULL values. The KB article https://support.oneidentity.com/identity-manager/kb/328284 provides the fix for this issue. Follow the instructions in the KB article and install the fix.

Epic Healthcare system prerequisites

The following are the Epic Healthcare system prerequisites

Epic version supported: May 2019, August 2020, May 2020, February 2020

NOTE: Prior Epic versions should also be supported but not officially tested against those versions.

Epic web services: Epic’s SOAP 1.1 version of web services should be enabled and accessible. Epic system’s Personnel management and demographics (user) web services should be enabled for access

Epic web services credentials: Valid credentials that has access to the Epic web services

Client ID: Valid Epic Client ID that has access to the Epic’s personnel management and demographics (user) web services. One Identity's Production and Non-Production Epic Client IDs can be used if they are enabled for accessing the Epic web services. One Identity's Epic Client IDs can be found in the EPCEpicConfig.xml file in One Identity Manager workstation.

EMP User, EMPTemplate and SubTemplate reports: The master list of all EMP users, EMPTemplates and SubTemplates need to be exported from Epic in to separate CSV files and provided to Epic connector. Please contact Epic on how to automate the report generation process.

Epic EMP Items need to be un-locked: Epic EMP user attributes that need to be managed from One Identity Manager need to be un-locked by Epic’s Data Courier team. The list of attributes along with the EMP item number are provided in the section Epic EMP User Accounts. Un-lock the EMP user items that you want serviced from One Identity Manager.

For more information about report format, see

To load One Epic EMP users, EMPTemplates and SubTemplates into the One Identity Manager database for the first time

Make sure Epic Healthcare system prerequisites are met
The One Identity Manager components for managing Epic Healthcare system are available if the TargetSystem | Epic configuration parameter is set.
- Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
- Check the configuration parameters and modify them as necessary to suit your requirements.
Install and configure a synchronization server and declare the server as Job server in One Identity Manager.

NOTE: Ensure that the Job server has the machine role of Epic and job server function of Epic connector.
Create a synchronization project with the Synchronization Editor.

For more information, see

Self Service Tools: Knowledge Base; Notifications & Alerts; Product Support; Software Downloads; Technical Documentation; User Forums; Video Tutorials; RSS Feed

Contact Us: Licensing Assistance; Technical Support; View All

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem