Cerner OrganizationGroup Workaround For SailPoint IIQ

Cerner is an administrative digital solution in healthcare which helps alleviate the complexity, inefficiency and the risk of human error in patient care. In general, Cerner’s solution helps data sharing among physicians, nurses and other authorized users across an entire healthcare organization. The Cerner Enterprise Provisioning Service allows the Cerner Millennium provisioning mechanism to handle external requests and responses using the SPML standard provisioning language. The service allows external provisioning solutions to create and maintain Cerner Millennium users, but it also provides Cerner clients the capability to build and maintain users in a tool external to Cerner Millennium and concurrently write the user records to one or more Cerner Millennium domains.

Integrating Cerner with SailPoint IIQ

To integrate the Cerner application with SailPoint follow the admin connector admin config guide provided by sailpoint referring this link. In order to understand the Cerner out-of-the-box connectors refer to the SailPoint document as elaborated in DOC-8033: https://community.sailpoint.com/docs/DOC-8013

An Issue With Cerner’s GroupAttribute In SailPoint IIQ

A logical collection of organizations makes up an organization group. Users are associated with an organization group to determine whether they can view a patient’s encounter. The system checks to see whether the user is associated with the organization that the encounter is tied to. When a personnel record is assigned to an organization group, all organizations in the group will also be assigned to the personnel record. Likewise, when a personnel record is unassigned from an organization group, all organizations in the group will also be unassigned from the personnel record, unless they are associated to another organization group that is still assigned to the personnel. It will be treated as the read-only multi-valued field for an account(DOC-8013).  Based on SailPoint documentation, organizationGroup was treated as multi-valued field however it couldn’t provision multi-value.

Observations

Case No: Case Operation Result Remarks
I. Assigned organizationGroup attribute as list type Add List first elements or [0] index valued provisioned. All the values can be seen in Plan.
II. Assigned organizationGroup attribute as list type changing the index value of list Add List first elements or [0] index valued provisioned All the values can be seen in Plan.
III. Assigned organizationGroup attribute as String type (multiple times) Add First String provisioned All the values can be seen in Plan.
IV. Assigned organizationGroup first String (set) / Assigned rest of organizationGroup String (Add) Set/Add First value provsisioned All the values can be seen in Plan.

In all above cases: values were seen in the plan object as well as in the entitlement catalog. In entitlement catalog first value was provisioned, but rest of the values were pending. Aggregation was done to see whether all the organizationGroup were provisioned in cerner application or not, but only the single value which is at the top of the list or the first-string value got provisioned.

OrganizationGroup Attribute Workaround

Step 1: Single value was sent to the first provisioning plan.

Step 2:. Provisioning Status was checked after Provisioning Step to be committed.

Step 3: Wait=”1” was added at the after-provisioning step to get the nativeIdentity. (Note: If first wait wasn’t added it wasn’t able to find the native Identity.)

Step 4:  Added rest of the OrganizationGroup by a rule of Workflow type. (Success to add the multi-value for organizationGroup)

Rules For Adding OrganizationGroup

  public static ProvisioningPlan CustomUpdateOrganizationGroupProvisioningPlan(){
		
  Identity identity = context.getObjectByName(Identity.class, identityName);
   
    String OrganizationGroup1 ="getOrganizationGroup1";
	String OrganizationGroup2= "getOrganizationGroup2";
    
String nativeIdentity;
    
IdentityService serv=new IdentityService(context);
      Application application=context.getObjectByName(Application.class,"YourCernerAppName");
     List links=serv.getLinks(identity,application);
	 
			if(!links.isEmpty())
      {
        Link link=links.get(0);
       nativeIdentity =link.getNativeIdentity();
      }
ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest accountRequest = new AccountRequest();

System.out.println("nativeIdentity"+nativeIdentity);
plan.setIdentity(identity);
accountRequest.setApplication("YourCernerAppName");
accountRequest.setNativeIdentity(nativeIdentity);

if(OrganizationGroup1 !=null)
{
accountRequest.add(new AttributeRequest("OrganizationGroup", ProvisioningPlan.Operation.Add, OrganizationGroup1));
}
if(OrganizationGroup2 !=null)
{
accountRequest.add(new AttributeRequest("OrganizationGroup", ProvisioningPlan.Operation.Add, OrganizationGroup2));
}


List accreqList = new ArrayList();
accreqList.add(accountRequest);
plan.setAccountRequests(accreqList);

		plan.setIdentity(identity); 
		
		
    
    return plan;
}
	
  
ProvisioningPlan plan=CustomUpdateOrganizationGroupProvisioningPlan();
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

NOTE: As with all tips and tricks, use at your own risk.  We do not guarantee this will work in every environment and make no warranties.