Managing both Cache User Accounts & Delegated User Clinician Accounts

Question

Question

Roger Beeman · Mar 27, 2017

#Beginner #System Administration #Access control #HealthShare

Hi All -

Our environment has multiple instances of HealthShare installed and most are on separate VMs/servers. Does anyone have any ideas on how to efficiently manage user accounts across all of these multiple instances of HealthShare? As you can imagine, creating 10 separate Cache accounts on each instance during onboarding of new associates is cumbersome and tedious as is disabling them. We have yet to integrate with AD but we do have a Cyberark initiative under way but it is in the very early stages.

Additionally - I would eventually like to do some reporting based off of specific roles within HealthShare/Ensemble/Cache. Example:

Filtering user accounts for our entire system for accounts that have %All.

Any guidance on how I can slowly work towards this would be great. As of now, I'm simply querying each Security.Users (for Cache system accounts only there's a separate table for delegated users) table on each instance which isn't very productive for me.

Thanks!

Discussion (3)0

Log in or sign up to continue

Tom Spencer · May 10, 2017

For the first part of the question, the answer does depend somewhat on which HealthShare product is in use. If this is HealthConnect then all the authentication options are available to be used (OS Based, Kerberos, Cache logins, LDAP and delgated). LDAP (of which active directory is an example, but it does not have to be AD) is probably the best bet for sharing credentials between instances. In essence, setup the LDAP server, create your users in their and then configure Cache to use that. See the following documentation entry, which given default installation would be:

http://localhost:57772/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_LDAP (Adjust server/port as appropriate)

If the product is Information Exchange then HealthShare employs a delegated authentication approach. This means that HealthShare comes with a ZAUTHENTICATE routine, which allows you to write a security domain class that can do whatever! All login requests are routed to the registry for evaluation. If you want to combine both LDAP/AD and HealthShare then take a look at HS.Registry.Person.User.HSAuthLDAPSample! This sample could be modified to check the credentials on another HealthShare instance (just remember if you do this and use web services for the inter-HS calls to secure the traffic with SSL/TLS or similar!)

http://localhost:57772/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_LDAP

Once you have the accounts in one place, hopefully your analysis job becomes easier. Within Cache I would always look to DeepSee for analysis, but if you were using AD then maybe there are other tools I do not know about!

0 0

score 0 · Answer 1 · 2017-03-27T13:09:04-04:00

Maybe you can develop a COS script that you can reuse. This script should create the accounts and make some checks.

We have a project where combine this script with a OS level script (using any shell you want) able to execute the COS task in each instance. It's a lot of work to make it but once developed it saves a lot of time.

score 0 · Answer 2 · 2017-03-27T14:59:24-04:00

A Cache script also allows you to do other user management, like look for similar named users across all instances, construct interesting user tables for permissions, etc.

Should be fairly straightforward for simple user adds, for example.

Tom Fitzgibbon | 347-464-8531 | gototomAtG...l.com