Roger Beeman · Mar 27, 2017

Managing both Cache User Accounts & Delegated User Clinician Accounts

Hi All -

Our environment has multiple instances of HealthShare installed and most are on separate VMs/servers. Does anyone have any ideas on how to efficiently manage user accounts across all of these multiple instances of HealthShare? As you can imagine, creating 10 separate Cache accounts on each instance during onboarding of new associates is cumbersome and tedious as is disabling them. We have yet to integrate with AD but we do have a Cyberark initiative under way but it is in the very early stages.


Additionally - I would eventually like to do some reporting based off of specific roles within HealthShare/Ensemble/Cache. Example:

Filtering user accounts for our entire system for accounts that have %All.

Any guidance on how I can slowly work towards this would be great. As of now, I'm simply querying each Security.Users (for Cache system accounts only there's a separate table for delegated users) table on each instance which isn't very productive for me.


0 621
Discussion (3)1
Log in or sign up to continue

Maybe you can develop a COS script that you can reuse. This script should create the accounts and make some checks.

We have a project where combine this script with a OS level script (using any shell you want) able to execute the COS task in each instance. It's a lot of work to make it but once developed it saves a lot of time. 

A Cache script also allows you to do other user management, like look for similar named users across all instances, construct interesting user tables for permissions, etc.

Should be fairly straightforward for simple user adds, for example.

Tom Fitzgibbon | 347-464-8531 |

For the first part of the question, the answer does depend somewhat on which HealthShare product is in use. If this is HealthConnect then all the authentication options are available to be used (OS Based, Kerberos, Cache logins, LDAP and delgated). LDAP (of which active directory is an example, but it does not have to be AD) is probably the best bet for sharing credentials between instances. In essence, setup the LDAP server, create your users in their and then configure Cache to use that. See the following documentation entry, which given default installation would be:

http://localhost:57772/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_LDAP (Adjust server/port as appropriate)

If the product is Information Exchange then HealthShare employs a delegated authentication approach. This means that HealthShare comes with a ZAUTHENTICATE routine, which allows you to write a security domain class that can do whatever! All login requests are routed to the registry for evaluation. If you want to combine both LDAP/AD and HealthShare then take a look at HS.Registry.Person.User.HSAuthLDAPSample! This sample could be modified to check the credentials on another HealthShare instance (just remember if you do this and use web services for the inter-HS calls to secure the traffic with SSL/TLS or similar!)


Once you have the accounts in one place, hopefully your analysis job becomes easier. Within Cache I would always look to DeepSee for analysis, but if you were using AD then maybe there are other tools I do not know about!