Cerner OrganizationGroup Workaround For SailPoint IIQ

Cerner is an administrative digital solution in healthcare which helps alleviate the complexity, inefficiency and the risk of human error in patient care. In general, Cerner’s solution helps data sharing among physicians, nurses and other authorized users across an entire healthcare organization. The Cerner Enterprise Provisioning Service allows the Cerner Millennium provisioning mechanism to handle external requests and responses using the SPML standard provisioning language. The service allows external provisioning solutions to create and maintain Cerner Millennium users, but it also provides Cerner clients the capability to build and maintain users in a tool external to Cerner Millennium and concurrently write the user records to one or more Cerner Millennium domains.

Integrating Cerner with SailPoint IIQ

To integrate the Cerner application with SailPoint, follow the connector administration and configuration guide provided by SailPoint at the link below: https://community.sailpoint.com/docs/DOC-7806. To understand the Cerner out-of-the-box connectors, refer to the SailPoint document DOC-8033: https://community.sailpoint.com/docs/DOC-8013

An Issue With Cerner’s GroupAttribute In SailPoint IIQ

A logical collection of organizations makes up an organization group. Users are associated with an organization group to determine whether they can view a patient’s encounter: the system checks whether the user is associated with the organization that the encounter is tied to. When a personnel record is assigned to an organization group, all organizations in the group are also assigned to the personnel record. Likewise, when a personnel record is unassigned from an organization group, all organizations in the group are also unassigned from the personnel record, unless they are associated with another organization group that is still assigned to the personnel. The attribute is treated as a read-only multi-valued field for an account (DOC-8013). According to the SailPoint documentation, organizationGroup is treated as a multi-valued field; however, it could not be provisioned with multiple values.


| Case No | Case | Operation | Result | Remarks |
|---|---|---|---|---|
| I. | Assigned organizationGroup attribute as list type | Add | First list element ([0] index value) provisioned | All the values can be seen in Plan. |
| II. | Assigned organizationGroup attribute as list type, changing the index value of the list | Add | First list element ([0] index value) provisioned | All the values can be seen in Plan. |
| III. | Assigned organizationGroup attribute as String type (multiple times) | Add | First String provisioned | All the values can be seen in Plan. |
| IV. | Assigned organizationGroup first String (Set) / assigned rest of organizationGroup Strings (Add) | Set/Add | First value provisioned | All the values can be seen in Plan. |

In all of the above cases, the values were seen in the plan object as well as in the entitlement catalog. In the entitlement catalog, the first value was provisioned but the rest of the values were pending. Aggregation was run to check whether all the organizationGroup values had been provisioned in the Cerner application, but only the single value at the top of the list, or the first string value, was provisioned.

OrganizationGroup Attribute Workaround

Step 1: A single value was sent in the first provisioning plan.

Step 2: The provisioning status was checked after the provisioning step to confirm it was committed.

Step 3: Wait="1" was added at the after-provisioning step to get the nativeIdentity. (Note: If the first wait wasn’t added, it wasn’t able to find the nativeIdentity.)

Step 4: The rest of the OrganizationGroup values were added by a rule of Workflow type. (This succeeded in adding multiple values for organizationGroup.)
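
Step 4 sketched as the body of a Workflow-type rule in BeanShell. This is an added example, not the rule from the original post and not SailPoint's own code; the step arguments identityName, applicationName and remainingGroups, the use of the first account link, and the choice to send one value per plan are assumptions.

```java
// Added example: BeanShell body of a Workflow-type rule (step 4).
// Assumed step arguments (hypothetical names): identityName, applicationName,
// remainingGroups = List of organizationGroup values not sent in the first plan.
import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

Identity identity = context.getObjectByName(Identity.class, identityName);
Application app = context.getObjectByName(Application.class, applicationName);
if (identity == null || app == null) {
    throw new GeneralException("Identity or application not found");
}

// The first plan must already be committed; until then there is no account
// link and therefore no nativeIdentity (this is what the wait in step 3 covers).
List links = new IdentityService(context).getLinks(identity, app);
if (links == null || links.isEmpty()) {
    throw new GeneralException("No " + applicationName + " account for " + identityName);
}
// Assumption: the identity holds a single account on this application.
String nativeIdentity = ((Link) links.get(0)).getNativeIdentity();

int sent = 0;
for (int i = 0; i < remainingGroups.size(); i++) {
    // One plan per value (assumption), because only the first value of a
    // plan was provisioned. Add, not Set, so existing groups are kept.
    AccountRequest acct = new AccountRequest(
        AccountRequest.Operation.Modify, applicationName, null, nativeIdentity);
    acct.add(new AttributeRequest(
        "organizationGroup", ProvisioningPlan.Operation.Add, remainingGroups.get(i)));

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.add(acct);
    new Provisioner(context).execute(plan);
    sent++;
}
return sent; // number of follow-up plans submitted
```

Because organization groups decide which patient encounters a user can view, run an aggregation afterwards and compare the account's organizationGroup values with the requested list.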

Rules For Adding OrganizationGroup


NOTE: As with all tips and tricks, use at your own risk.  We do not guarantee this will work in every environment and make no warranties.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
