Basic Data for managing an Epic health care system
To manage an Epic health care system environment in One Identity Manager, the following basic data is relevant.
Configuration parameters
Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements. Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in Base data | General | Configuration parameters in Designer.
For more information, see Configuration parameters for managing Epic health care system.
Account definitions
One Identity Manager has account definitions for automatically allocating user accounts to identities . You can create account definitions for every target system. If an identity does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an identity. For more information, see Account definition for Epic User Account.
Password policies
One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the identities' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can user or customize if required. You can also define your own password policies.
For more information, see Password policies for Epic User Account.
Initial password for new user accounts
You have the different options for issuing an initial password for user accounts. The central password of the assigned identity can be aligned with the user account password, a predefined, fixed password can be used, or a randomly generated initial password can be issued.
For more information, see Initial password for new Epic user accounts.
Email notifications about login data
When a new user account is created, the login data are sent to a specified recipient. In this case, two messages are sent with the username and the initial password. Mail templates are used to generate the messages. For more information, see Email notifications about login data.
Target system types
Target system types are required for configuring target system comparisons. Tables containing outstanding objects are maintained on target system types. For more information, see Post-processing outstanding objects.
Target system managers
A default application role exists for the target system manager in One Identity Manager. Assign the identities who are authorized to edit all tenants in One Identity Manager to this application role. Define additional application roles if you want to limit the edit permissions for target system managers to individual tenants. The application roles must be added under the default application role. For more information, see Target system managers.
Server
Servers must know your server functionality in order to handle Epic specific processes in One Identity Manager. For example, the synchronization server.
For more information, see Editing a server.
Account definition for Epic User Account
One Identity Manager has account definitions for automatically allocating user accounts to identities during working hours. You can create account definitions for every target system. If an identity does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an identity.
The data for the user accounts in the respective target system comes from the basic identity data. The identities must have a central user account. The assignment of the IT operating data to the identity’s user account is controlled through the primary assignment of the identity to a location, a department, a cost center, or a business role (template processing). Processing is done through templates. There are predefined templates for determining the data required for user accounts included in the default installation. You can customize templates as required. For detailed information about account definitions, see the One Identity Manager Target System Base Module Administration Guide.
The following steps are required to implement an account definition
- Creating account definitions
- Creating manage levels
- Creating mapping rules for IT operating data
- Entering IT operating data
- Assigning account definitions to identities
- Assigning account definitions to a target system
Creating Account Definitions - Master data for an Account Definition
To create a new account definition
1. In One Identity Manager, select Epic healthcare | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list. Select Change master data.
- OR -
Click in the result list toolbar.
3. Enter the account definition's master data.
4. Save the changes
For more information, see Master data for an account definition.
Table 7: Master data for an account definition
Property |
Description |
Account definition |
Account definition name. |
User account table |
Table in the One Identity Manager schema that maps user accounts. |
Target system |
Target system to which the account definition applies. |
Required account definition |
Required account definitions. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is automatically requested or assigned with it. |
Description |
Spare text box for additional explanation. |
Manage level (initial) |
Manage level to use by default when you add new user accounts. |
Risk index |
Value for evaluating the risk of account definition assignments to identities. Enter a value between 0 and 1. This input field is only visible if the configuration parameter QER | CalculateRiskIndex is activated. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide. |
Service item |
Service item Service item through which you can request the account definition in the IT Shop. Assign an existing service item or add a new one. |
IT Shop |
Specifies whether the account definition can be requested through the IT Shop. The account definition can be ordered by an identity over the Web Portal and distributed using a defined approval process. The account definition can also be assigned directly to identities and roles outside of IT Shop. |
Only for use in IT Shop |
Specifies whether the account definition can only be requested through the IT Shop. The account definition can be ordered by an identity over the Web Portal and distributed using a defined approval process. This means, the account definition cannot be directly assigned to roles outside the IT Shop. |
Automatic assignment to identities |
Specifies whether the account definition is assigned automatically to all internal identities. The account definition is assigned to every identity not marked as external, on saving. New identities automatically obtain this account definition as soon as they are added.
IMPORTANT: Only set this option if you can ensure that all current internal identities in the database and all pending newly added internal identities obtain a user account in this target system. Disable this option to remove automatic assignment of the account definition to all identities. The account definition cannot be reassigned to identities from this point on. Existing account definition assignments remain intact. |
Retain account definition if permanently disabled |
Specifies the account definition assignment to permanently disabled identities. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted. |
Retain account definition if temporarily disabled |
Specifies the account definition assignment on deferred deletion of identities. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted. |
Retain account definition on security risk |
Specifies the account definition assignment to identities posing a security risk. Option set: The account definition assignment remains in effect. The user account stays the same. Option not set: The account definition assignment is not in effect. The associated user account is deleted. |
Resource type |
Resource type for grouping account definitions. |
Spare field 01 - spare field 10 |
Additional company specific information. Use Designer to customize display names, formats and templates for the input fields |
Creating manage level - Master data for manage level
Specify the manage level for an account definition for managing user accounts. The user
account’s manage level specifies the extent of the identity’s properties that are inherited
by the user account. This allows an identity to have several user accounts in one target
system, for example:
- Default user account that inherits all properties from the identity
- Administrative user account that is associated to an identity but should not inherit the properties from the identity.
One Identity Manager supplies a default configuration for manage levels
• Unmanaged: User accounts with the Unmanaged manage level are linked to the identity but they do not inherit any further properties. When a new user account is added with this manage level and an identity is assigned, some of the identity's properties are transferred initially. If the identity properties are changed at a later date, the changes are not passed onto the user account.
• Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned identity. When a new user account is created with this manage level and an identity is assigned, the identity's properties are transferred in an initial state. If the identity properties are changed later, the changes are passed onto the user account.
NOTE: The Full managed and Unmanaged are analyzed in templates. You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.
Specify the effect of temporarily or permanently disabling, deleting or the security risk of an identity on its user accounts and group memberships for each manage level. For detailed information about manage levels, see the One Identity Manager Target System Base Module Administration Guide.
- Identity user accounts can be locked when they are disabled, deleted or rated as a security risk so that permissions are immediately withdrawn. If the identity is reinstated later, the user accounts are also reactivated.
- You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the identity’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this identity. Existing group memberships are deleted!
To assign manage levels to an account definition
1. In One Identity Manager, select Epic healthcare | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign manage level.
4. Assign the manage levels in Add assignments.
- OR -
Delete the manage levels in Remove assignments.
5. Save the changes.
IMPORTANT: The Managed manage level is assigned automatically when you create an account definition and it cannot be removed.
To edit a manage level
1. Select Epic healthcare | Basic configuration data | Account definitions | Manage levels.
2. Select the manage level in the result list. Select Change master data.
- OR -
Click in the result list toolbar.
3. Edit the manage level's master data.
4. Save the changes.
Related Topics